The Register® — Biting the hand that feeds IT

Feeds

Researcher spies new Adobe code execution bug

A researcher has unearthed a bug in software used to install Adobe's ubiquitous Reader and Flash applications that can be exploited to remotely install malicious files on end user PCs. The Adobe Download Manager is an ActiveX script that is invoked when people install or update Reader or Flash using Internet Explorer. …

This topic is closed for new posts.
Dick Emery
Thumb Down

Horrible!

Adobe's download manager is complete shit. I hate it. Just give me the direct download to the file any day. I refuse to let the DM run whenever I get hit with it.

Al Jones
Reply Icon

Switcheroo

Use FF to download the Flash control for IE, and IE to download the Flash plugin for firefox/safari/chrome. That will give you the two standalone executables:

http://get.adobe.com/flashplayer/otherversions/

For Reader, go to ftp://ftp.adobe.com and download the installer without all the Air crap.

Crazy Operations Guy
Unhappy

Never understtod why they needed it

Never made downloads faster and only added more holes. Too bad there aren't any good alternatives to their crap

James 47
Stop

Ok!

We get it. Abode is shit at writing software. Please don't post an article every time a bug is exploited... that'd be a lot of boring articles. Better to tell us when they're all fixed

chr0m4t1c
FAIL
Reply Icon

No-one used to

But, Adobe went on record a few weeks ago saying they didn't ship software with any bugs.

What did they /think/ would happen if they made a claim like that? Remember MS launching Vista as their "Most secure OS yet"? IIRC, several major flaws were discovered and exploited about half a day after the first release candidate went out to the public.

If you want to live in ignorance, then feel free to not read the articles and just get your spoon-fed updates from Adobe as and when (and now cross your fingers that it *is* an update from Adobe that you get).

The fact is that this particular flaw is a problem in a piece of software that isn't even useful, it just adds a layer of complexity to what should be a straightforward download and now it adds a security hole to go with it.

Adobe could fix this with a quick re-write of their web page, probably in less than half a day, but I can almost guarantee that they will persist with the download manager.

Anonymous Coward
Anonymous Coward
Reply Icon

Chill out, Dan

Dan Goodin defintiely has an Adobe fixation.... one can only guess at why he hyper-ventilates every time a bug is revealed.

jake

Numpties.

"The attack combines a vulnerability on Adobe's website with a defect in the download manager. The result: he was able to install and execute his own instance of the Windows calculator on a Register test machine."

::shakes head:: I guess I'll be getting calls, but I don't work on Windows anymore.

"Aviv demonstrated the exploit on the condition further technical details be withheld."

Good plan. Gives Adobe a day or so cushion to fix it before the exploit is in the wild ...

"Adobe Download Manager would be as good a place as any to start."

ITYM "Adobe products would be as good a thing as any to avoid."

Mike Flugennock

three reasons I don't need to worry too much:

1. I'm using a Mac. D'ahh ha ha ha ha ha hahhh.

2. I'm running Firefox with Flashblock.

3. ActiveX? What is this ActiveX you speak of?

Anonymous Coward
Stop
Reply Icon

From one Mac user to another.

1. Don't do that. It gives the rest of is a bad name and it's fucking puerile. This sort of post gives certain intellectually challenged individuals an excuse to troll.

2. Firefox. It's got as many holes as any of the other browsers, and more of these are becoming apparent as it's popularity increases. Security through obscurity is no security at all.

Paul Shirley
Flame
Reply Icon

Firefox exploits can be contained

Firefox does have exploits but it can be sandboxed and because its not deeply hooked into the OS there's little chance of getting round the sandbox. My copy only has access to a few folders, cannot install software or run external programs with enough file and|or system privileges to even work let alone do damage.

Remember: IE is evil because it deliberately pushes its bugs into the OS with high privileges, not because its buggy.

Neal 5

@Mike Flugennock

I guess we only need to wait until 24 March to find out just how cocksure you really are with your Apple.

My guess, sub 10 seconds again.

Apple Mac, the Ford transit of computer security.

Anonymous Coward
FAIL
Reply Icon

@Neal 5

If it means he's safe for another 5 weeks while all the PC users are potentially screwed then doesn't that say something...?

I seem to remember the last "hack" against OSX from last year - wasn't it reliant on about 10 or 12 things that just could never happen in the wild...?

It doesn't matter if the Mac is "the Ford transit of computer security" - we all lock our vans up tightly behind firewalls, don't we!

John Smith 19
FAIL

ActiveX and Security.

Ensuring the largest number of hackers gain access to the largest number of machines in 1 package.

And someone pointed out in another El Reg comments section that they thought DM was a vuln that needed checking.

Looks like they were right.

Have the underlying mechanism of ActiveX been ported to *any* other platform?

Robert Carnegie

What is it FOR anyway?

Does it have a use in enterprise management of Adobe software installations? Does it balance load across multiple file servers? 'Cause for downloading a file and executing it, I don't see what this tool does for me that a web browser doesn't.

DZ-Jay

@Neal 5

Why, what happens on 24 March?

-dZ.

Will.
Boffin
Reply Icon

What happens on 24th March

Probably this year's Pwn2Own thing, if memory serves me.

Stone Fox
FAIL

Shocked? not at all.

IE = Fail

Adobe = Fail

IE + Adobe = OMGWTFBBQ-EPIC FAIL!

And for exactly that reason I don't use either.

@James47,

Hopefully, if they keep pointing out that IE and Adobe represent security failures of epic proportions people will stop using them.

Harry
Happy

"there aren't any good alternatives"

I've replaced it with Foxit reader. Seems OK so far.

Took only about two seconds to download and installed it is 9Mb instead of 143Mb.

Anonymous Coward
Anonymous Coward

@Mike F...

ooops whats this I see before me....

http://www.msisac.org/advisories/2010/2010-004.cfm

http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=222300150

JMcL
FAIL

Piece of cr@p

Download manager completely failed to update Reader on at least 3 separate systems giving a completely unhelpful error non-message each time. After much searching, it appears to be due to some files in the Reader installation directory that were locked by Windows indexing service, but do you think Adobe would tell you that?

I've now disabled all Adobe update checks and manually update their bloatware by downloading the not very easy to find standalone installer.

jubtastic1
Grenade

Lets Get Loaded

"The Adobe Download Manager is an ActiveX script that is invoked when people install or update Reader or Flash using Internet Explorer"

Adobe, ActiveX, Reader, Flash and Exploder all in the same sentence, what are the odds?

Anonymous Coward
Flame

Adobe Download manager

One reason Flash has been uninstalled on my PCs

Martin Edwards

How to get Reader and Flash Player without the download manager

If you want the standalone installers because you look after a number of machines (or simply want to avoid the download manager) it's very easy: just ignore the prompt to install the download manager, and click the "If your download didn't start automatically..." link. As a bonus, in the case of Reader, you get it without the AIR and Adobe.com crapware.

Tom Chiverton 1

I wonder

I wonder if it's related to the good old 'spit out anything I enter' at http://feeds.adobe.com/index.cfm?query=byFeed&feedId=5457&feedName=No%20XSS%20of%20course ?

Anonymous Coward
Megaphone

Oops, Leakage.

The second screenshot is easily enough to guess the issue, it whitelists *.adobe.com urls then he uses the open redirector on feed.adobe.com (the obvious nextPage one) to 302 to his site.

http://feeds.adobe.com/controller.cfm?hastHandler&action=click&postId=1&nextPage=http://theregister.co.uk

Still, as it prompts first and is only installed transiently by nature, I agree with adobe, this is not a big deal. After all, what's the difference between just visiting http://evil.com/malware.exe and being prompted and getting prompted by some crappy control?

Anonymous Coward
Boffin
Reply Icon

Ha I was just about to post that...

Just went to feeds.adobe.com and hey presto!

but I wouldn't have revealed the handler in public just yet.

Anonymous Coward
Megaphone
Reply Icon

Surely you mean

http://feeds.adobe.com/controller.cfm?handler=PostHandler&action=click&postId=1&nextPage=http%3A%2F%2Fwww%2Etheregister%2Eco%2Euk

This topic is closed for new posts.