Researcher spies new Adobe code execution bug

A researcher has unearthed a bug in software used to install Adobe's ubiquitous Reader and Flash applications that can be exploited to remotely install malicious files on end user PCs. The Adobe Download Manager is an ActiveX script that is invoked when people install or update Reader or Flash using Internet Explorer. …

COMMENTS

This topic is closed for new posts.
  1. Dick Emery
    Thumb Down

    Horrible!

    Adobe's download manager is complete shit. I hate it. Just give me the direct download to the file any day. I refuse to let the DM run whenever I get hit with it.

    1. Al Jones

      Switcheroo

      Use FF to download the Flash control for IE, and IE to download the Flash plugin for firefox/safari/chrome. That will give you the two standalone executables:

      http://get.adobe.com/flashplayer/otherversions/

      For Reader, go to ftp://ftp.adobe.com and download the installer without all the Air crap.

  2. Crazy Operations Guy
    Unhappy

    Never understood why they needed it

    Never made downloads faster and only added more holes. Too bad there aren't any good alternatives to their crap

  3. James 47
    Stop

    Ok!

    We get it. Adobe is shit at writing software. Please don't post an article every time a bug is exploited... that'd be a lot of boring articles. Better to tell us when they're all fixed

    1. chr0m4t1c
      FAIL

      No-one used to

      But, Adobe went on record a few weeks ago saying they didn't ship software with any bugs.

      What did they /think/ would happen if they made a claim like that? Remember MS launching Vista as their "Most secure OS yet"? IIRC, several major flaws were discovered and exploited about half a day after the first release candidate went out to the public.

      If you want to live in ignorance, then feel free to not read the articles and just get your spoon-fed updates from Adobe as and when (and now cross your fingers that it *is* an update from Adobe that you get).

      The fact is that this particular flaw is a problem in a piece of software that isn't even useful, it just adds a layer of complexity to what should be a straightforward download and now it adds a security hole to go with it.

      Adobe could fix this with a quick re-write of their web page, probably in less than half a day, but I can almost guarantee that they will persist with the download manager.

    2. Anonymous Coward
      Anonymous Coward

      Chill out, Dan

      Dan Goodin definitely has an Adobe fixation.... one can only guess at why he hyper-ventilates every time a bug is revealed.

  4. jake Silver badge

    Numpties.

    "The attack combines a vulnerability on Adobe's website with a defect in the download manager. The result: he was able to install and execute his own instance of the Windows calculator on a Register test machine."

    ::shakes head:: I guess I'll be getting calls, but I don't work on Windows anymore.

    "Aviv demonstrated the exploit on the condition further technical details be withheld."

    Good plan. Gives Adobe a day or so cushion to fix it before the exploit is in the wild ...

    "Adobe Download Manager would be as good a place as any to start."

    ITYM "Adobe products would be as good a thing as any to avoid."

  5. Mike Flugennock

    three reasons I don't need to worry too much:

    1. I'm using a Mac. D'ahh ha ha ha ha ha hahhh.

    2. I'm running Firefox with Flashblock.

    3. ActiveX? What is this ActiveX you speak of?

    1. Anonymous Coward
      Stop

      From one Mac user to another.

      1. Don't do that. It gives the rest of us a bad name and it's fucking puerile. This sort of post gives certain intellectually challenged individuals an excuse to troll.

      2. Firefox. It's got as many holes as any of the other browsers, and more of these are becoming apparent as its popularity increases. Security through obscurity is no security at all.

      1. Paul Shirley
        Flame

        Firefox exploits can be contained

        Firefox does have exploits but it can be sandboxed and because it's not deeply hooked into the OS there's little chance of getting round the sandbox. My copy only has access to a few folders, cannot install software or run external programs with enough file and|or system privileges to even work let alone do damage.

        Remember: IE is evil because it deliberately pushes its bugs into the OS with high privileges, not because it's buggy.

  6. Neal 5

    @Mike Flugennock

    I guess we only need to wait until 24 March to find out just how cocksure you really are with your Apple.

    My guess, sub 10 seconds again.

    Apple Mac, the Ford transit of computer security.

    1. Anonymous Coward
      FAIL

      @Neal 5

      If it means he's safe for another 5 weeks while all the PC users are potentially screwed then doesn't that say something...?

      I seem to remember the last "hack" against OSX from last year - wasn't it reliant on about 10 or 12 things that just could never happen in the wild...?

      It doesn't matter if the Mac is "the Ford transit of computer security" - we all lock our vans up tightly behind firewalls, don't we!

  7. John Smith 19 Gold badge
    FAIL

    ActiveX and Security.

    Ensuring the largest number of hackers gain access to the largest number of machines in 1 package.

    And someone pointed out in another El Reg comments section that they thought DM was a vuln that needed checking.

    Looks like they were right.

    Has the underlying mechanism of ActiveX been ported to *any* other platform?

  8. Robert Carnegie Silver badge

    What is it FOR anyway?

    Does it have a use in enterprise management of Adobe software installations? Does it balance load across multiple file servers? 'Cause for downloading a file and executing it, I don't see what this tool does for me that a web browser doesn't.

  9. DZ-Jay

    @Neal 5

    Why, what happens on 24 March?

    -dZ.

    1. Will.
      Boffin

      What happens on 24th March

      Probably this year's Pwn2Own thing, if memory serves me.

  10. Stone Fox
    FAIL

    Shocked? not at all.

    IE = Fail

    Adobe = Fail

    IE + Adobe = OMGWTFBBQ-EPIC FAIL!

    And for exactly that reason I don't use either.

    @James47,

    Hopefully, if they keep pointing out that IE and Adobe represent security failures of epic proportions people will stop using them.

  11. Harry
    Happy

    "there aren't any good alternatives"

    I've replaced it with Foxit reader. Seems OK so far.

    Took only about two seconds to download and installed it is 9Mb instead of 143Mb.

  12. Anonymous Coward
    Anonymous Coward

    @Mike F...

    ooops what's this I see before me....

    http://www.msisac.org/advisories/2010/2010-004.cfm

    http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=222300150

  13. JMcL
    FAIL

    Piece of cr@p

    Download manager completely failed to update Reader on at least 3 separate systems giving a completely unhelpful error non-message each time. After much searching, it appears to be due to some files in the Reader installation directory that were locked by Windows indexing service, but do you think Adobe would tell you that?

    I've now disabled all Adobe update checks and manually update their bloatware by downloading the not very easy to find standalone installer.

  14. jubtastic1
    Grenade

    Lets Get Loaded

    "The Adobe Download Manager is an ActiveX script that is invoked when people install or update Reader or Flash using Internet Explorer"

    Adobe, ActiveX, Reader, Flash and Exploder all in the same sentence, what are the odds?

  15. Anonymous Coward
    Flame

    Adobe Download manager

    One reason Flash has been uninstalled on my PCs

  16. Martin Edwards

    How to get Reader and Flash Player without the download manager

    If you want the standalone installers because you look after a number of machines (or simply want to avoid the download manager) it's very easy: just ignore the prompt to install the download manager, and click the "If your download didn't start automatically..." link. As a bonus, in the case of Reader, you get it without the AIR and Adobe.com crapware.

  17. Tom Chiverton 1

    I wonder

    I wonder if it's related to the good old 'spit out anything I enter' at http://feeds.adobe.com/index.cfm?query=byFeed&feedId=5457&feedName=No%20XSS%20of%20course ?

  18. Anonymous Coward
    Megaphone

    Oops, Leakage.

    The second screenshot is easily enough to guess the issue, it whitelists *.adobe.com urls then he uses the open redirector on feed.adobe.com (the obvious nextPage one) to 302 to his site.

    http://feeds.adobe.com/controller.cfm?hastHandler&action=click&postId=1&nextPage=http://theregister.co.uk

    Still, as it prompts first and is only installed transiently by nature, I agree with adobe, this is not a big deal. After all, what's the difference between just visiting http://evil.com/malware.exe and being prompted and getting prompted by some crappy control?

    1. Anonymous Coward
      Boffin

      Ha I was just about to post that...

      Just went to feeds.adobe.com and hey presto!

      but I wouldn't have revealed the handler in public just yet.

    2. Anonymous Coward
      Megaphone

      Surely you mean

      http://feeds.adobe.com/controller.cfm?handler=PostHandler&action=click&postId=1&nextPage=http%3A%2F%2Fwww%2Etheregister%2Eco%2Euk
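
Added example, not part of the original thread and not Adobe's code: comment 18 attributes the bug to a `*.adobe.com` allowlist being checked once, before an open redirect is followed. The sketch below contrasts that one-time check with a check on every hop; the `vendor.example` hosts and the redirect table are constructed stand-ins.

```python
from urllib.parse import urlsplit, urljoin

ALLOWED_DOMAIN = "vendor.example"   # hypothetical vendor domain (assumption)
MAX_HOPS = 5

# Constructed sample data: a redirect table standing in for HTTP 302 responses.
BOUNCE = "https://feeds.vendor.example/click?nextPage=https://other.example/setup.exe"
REDIRECTS = {
    BOUNCE: "https://other.example/setup.exe",
    "https://get.vendor.example/reader": "https://dl.vendor.example/reader/setup.exe",
}

def host_allowed(url):
    """True only for https URLs whose parsed host is the vendor domain or a subdomain."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        return False
    # Compare on a label boundary so "notvendor.example" does not match.
    return host == ALLOWED_DOMAIN or host.endswith("." + ALLOWED_DOMAIN)

def naive_check(url):
    """Weak pattern: validate the URL as handed in, then let the client follow redirects."""
    return host_allowed(url)

def resolve_checked(url, redirects=REDIRECTS):
    """Follow redirects by hand and refuse as soon as any hop leaves the allowlist."""
    seen = []
    for _ in range(MAX_HOPS + 1):
        if not host_allowed(url):
            raise ValueError(f"hop outside allowlist: {url}")
        seen.append(url)
        target = redirects.get(url)
        if target is None:
            return url, seen          # final location, with the chain that led to it
        url = urljoin(url, target)    # resolve relative Location values
    raise ValueError("too many redirects")

if __name__ == "__main__":
    print("naive check passes bounce URL:", naive_check(BOUNCE))
    try:
        resolve_checked(BOUNCE)
    except ValueError as err:
        print("per-hop check:", err)
    print(resolve_checked("https://get.vendor.example/reader"))
```

A host check of any kind only narrows where the file comes from; verifying the installer's signature before running it is the control that does not depend on the redirect chain.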
