A researcher has unearthed a bug in software used to install Adobe's ubiquitous Reader and Flash applications that can be exploited to remotely install malicious files on end user PCs. The Adobe Download Manager is an ActiveX script that is invoked when people install or update Reader or Flash using Internet Explorer. …
Adobe's download manager is complete shit. I hate it. Just give me the direct download to the file any day. I refuse to let the DM run whenever I get hit with it.
Use FF to download the Flash control for IE, and IE to download the Flash plugin for firefox/safari/chrome. That will give you the two standalone executables:
For Reader, go to ftp://ftp.adobe.com and download the installer without all the Air crap.
Never understood why they needed it
Never made downloads faster and only added more holes. Too bad there aren't any good alternatives to their crap
We get it. Adobe is shit at writing software. Please don't post an article every time a bug is exploited... that'd be a lot of boring articles. Better to tell us when they're all fixed
No-one used to
But, Adobe went on record a few weeks ago saying they didn't ship software with any bugs.
What did they /think/ would happen if they made a claim like that? Remember MS launching Vista as their "Most secure OS yet"? IIRC, several major flaws were discovered and exploited about half a day after the first release candidate went out to the public.
If you want to live in ignorance, then feel free to not read the articles and just get your spoon-fed updates from Adobe as and when (and now cross your fingers that it *is* an update from Adobe that you get).
The fact is that this particular flaw is a problem in a piece of software that isn't even useful, it just adds a layer of complexity to what should be a straightforward download and now it adds a security hole to go with it.
Adobe could fix this with a quick re-write of their web page, probably in less than half a day, but I can almost guarantee that they will persist with the download manager.
Chill out, Dan
Dan Goodin definitely has an Adobe fixation.... one can only guess at why he hyper-ventilates every time a bug is revealed.
"The attack combines a vulnerability on Adobe's website with a defect in the download manager. The result: he was able to install and execute his own instance of the Windows calculator on a Register test machine."
::shakes head:: I guess I'll be getting calls, but I don't work on Windows anymore.
"Aviv demonstrated the exploit on the condition further technical details be withheld."
Good plan. Gives Adobe a day or so cushion to fix it before the exploit is in the wild ...
"Adobe Download Manager would be as good a place as any to start."
ITYM "Adobe products would be as good a thing as any to avoid."
three reasons I don't need to worry too much:
1. I'm using a Mac. D'ahh ha ha ha ha ha hahhh.
2. I'm running Firefox with Flashblock.
3. ActiveX? What is this ActiveX you speak of?
From one Mac user to another.
1. Don't do that. It gives the rest of us a bad name and it's fucking puerile. This sort of post gives certain intellectually challenged individuals an excuse to troll.
2. Firefox. It's got as many holes as any of the other browsers, and more of these are becoming apparent as its popularity increases. Security through obscurity is no security at all.
Firefox exploits can be contained
Firefox does have exploits but it can be sandboxed and because it's not deeply hooked into the OS there's little chance of getting round the sandbox. My copy only has access to a few folders, cannot install software or run external programs with enough file and|or system privileges to even work let alone do damage.
Remember: IE is evil because it deliberately pushes its bugs into the OS with high privileges, not because it's buggy.
I guess we only need to wait until 24 March to find out just how cocksure you really are with your Apple.
My guess, sub 10 seconds again.
Apple Mac, the Ford transit of computer security.
If it means he's safe for another 5 weeks while all the PC users are potentially screwed then doesn't that say something...?
I seem to remember the last "hack" against OSX from last year - wasn't it reliant on about 10 or 12 things that just could never happen in the wild...?
It doesn't matter if the Mac is "the Ford transit of computer security" - we all lock our vans up tightly behind firewalls, don't we!
ActiveX and Security.
Ensuring the largest number of hackers gain access to the largest number of machines in 1 package.
And someone pointed out in another El Reg comments section that they thought DM was a vuln that needed checking.
Looks like they were right.
Has the underlying mechanism of ActiveX been ported to *any* other platform?
What is it FOR anyway?
Does it have a use in enterprise management of Adobe software installations? Does it balance load across multiple file servers? 'Cause for downloading a file and executing it, I don't see what this tool does for me that a web browser doesn't.
Why, what happens on 24 March?
What happens on 24th March
Probably this year's Pwn2Own thing, if memory serves me.
Shocked? Not at all.
IE = Fail
Adobe = Fail
IE + Adobe = OMGWTFBBQ-EPIC FAIL!
And for exactly that reason I don't use either.
Hopefully, if they keep pointing out that IE and Adobe represent security failures of epic proportions people will stop using them.
"there aren't any good alternatives"
I've replaced it with Foxit reader. Seems OK so far.
Took only about two seconds to download and installed it is 9Mb instead of 143Mb.
Ooops, what's this I see before me....
Piece of cr@p
Download manager completely failed to update Reader on at least 3 separate systems giving a completely unhelpful error non-message each time. After much searching, it appears to be due to some files in the Reader installation directory that were locked by Windows indexing service, but do you think Adobe would tell you that?
I've now disabled all Adobe update checks and manually update their bloatware by downloading the not very easy to find standalone installer.
Lets Get Loaded
"The Adobe Download Manager is an ActiveX script that is invoked when people install or update Reader or Flash using Internet Explorer"
Adobe, ActiveX, Reader, Flash and Exploder all in the same sentence, what are the odds?
Adobe Download manager
One reason Flash has been uninstalled on my PCs
How to get Reader and Flash Player without the download manager
If you want the standalone installers because you look after a number of machines (or simply want to avoid the download manager) it's very easy: just ignore the prompt to install the download manager, and click the "If your download didn't start automatically..." link. As a bonus, in the case of Reader, you get it without the AIR and Adobe.com crapware.
I wonder if it's related to the good old 'spit out anything I enter' at http://feeds.adobe.com/index.cfm?query=byFeed&feedId=5457&feedName=No%20XSS%20of%20course ?
The second screenshot is easily enough to guess the issue: it whitelists *.adobe.com URLs, then he uses the open redirector on feed.adobe.com (the obvious nextPage one) to 302 to his site.
Still, as it prompts first and is only installed transiently by nature, I agree with Adobe, this is not a big deal. After all, what's the difference between just visiting http://evil.com/malware.exe and being prompted and getting prompted by some crappy control?
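The failure mode guessed at in the comment above, a host allowlist applied only to the first URL and then defeated by a redirect on a trusted host, shown next to a check that re-validates every hop. This is an added example, not part of the thread and not Adobe's code; `vendor.example`, `other.test` and the redirect table are constructed placeholders.

```python
from urllib.parse import urljoin, urlsplit

ALLOWED_DOMAIN = "vendor.example"  # assumption: stands in for a *.adobe.com style allowlist
MAX_HOPS = 5
REDIRECTS = {301, 302, 303, 307, 308}

# Constructed stand-in for the network: URL -> (status, Location header).
SIMULATED_WEB = {
    "http://get.vendor.example/reader/installer.exe": (200, None),
    "http://www.vendor.example/go/reader": (302, "http://get.vendor.example/reader/installer.exe"),
    "http://feeds.vendor.example/r?next=1": (302, "http://files.other.test/setup.exe"),
    "http://files.other.test/setup.exe": (200, None),
}

def fetch(url):
    """Look the URL up in the constructed table instead of touching the network."""
    return SIMULATED_WEB.get(url, (404, None))

def host_allowed(url):
    """True only for http(s) URLs whose host is the domain or a true subdomain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme not in ("http", "https"):
        return False
    # Match on a label boundary so "notvendor.example" does not pass.
    return host == ALLOWED_DOMAIN or host.endswith("." + ALLOWED_DOMAIN)

def resolve(url, check_every_hop):
    """Return the final download URL, or None if the request is rejected."""
    if not host_allowed(url):
        return None
    for _ in range(MAX_HOPS):
        status, location = fetch(url)
        if status == 200:
            return url
        if status not in REDIRECTS or not location:
            return None
        url = urljoin(url, location)  # Location may be relative
        if check_every_hop and not host_allowed(url):
            return None  # the redirect left the allowlist: refuse
    return None  # too many hops

def naive_resolve(url):
    """Allowlist applied to the first URL only."""
    return resolve(url, check_every_hop=False)

def strict_resolve(url):
    """Allowlist applied to the first URL and to every redirect target."""
    return resolve(url, check_every_hop=True)
```

The host check alone does not authenticate what is downloaded; verifying a signature on the file before running it covers the case where an allowlisted host serves the wrong content.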
Ha I was just about to post that...
Just went to feeds.adobe.com and hey presto!
but I wouldn't have revealed the handler in public just yet.
Surely you mean