Adobe patches critical bug in Flash, Reader download tool
Urges Windows users to search PCs for flawed Adobe Download Manager
Computerworld - Adobe today patched a critical vulnerability in the Windows utility used to download the company's two most popular products, Adobe Reader and Flash Player.
It was the second time in the last six weeks that Adobe fixed a flaw in Download Manager, the program it installs on PCs when customers download Reader or Flash Player.
The bug, Adobe acknowledged in an advisory, "potentially allow[s] an attacker to download and install unauthorized software onto a user's system."
Israeli security researcher Aviv Raff disclosed the vulnerability last week, when he said that attackers could use the Download Manager to forcibly download and install any executable file, including attack code.
"If you go to Adobe's Web site to install a security update for Flash, you really expose yourself to a zero-day attack," Raff said.
Download Manager is not the update mechanism for Reader and Flash Player -- that's dubbed Adobe Update Manager -- but instead oversees file transfers from Adobe's site.
Among other things, the manager resumes interrupted downloads and queues up multiple files for download. The utility isn't an Adobe product, but rather a customized version of getPlus+, licensed from NOS Microsystems.
Although Download Manager is automatically removed from a Windows PC the next time the machine is restarted, Raff said it still posed a danger because some systems remain powered on for days or even weeks between reboots.
"Adobe recommends users verify that a potentially vulnerable version of the Adobe Download Manager is no longer installed on their machine," said Adobe in the advisory.
The steps Adobe urged involved searching the hard drive for a "C:\Program Files\NOS\" folder, or entering "services.msc" at a command line prompt in Windows, then deleting the "getPlus Helper" service from the ensuing list.
Users don't need to take any action with either Reader or Flash Player, said Adobe, as the vulnerability does not affect either program.
This wasn't the first time that a Download Manager component required patching. One of the six critical bugs Abode patched in Reader and Acrobat last month was within the NOS Microsystem's ActiveX control that allowed Internet Explorer to use Download Manager. The vulnerability had been reported to Adobe by Will Dormann, a researcher at the CERT Coordinating Center, last November.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
- Researcher claims two hacker gangs exploiting unpatched IE bug
- Update: Third of Internet Explorer users at risk from attacks
- Microsoft plans another short patch slate for next week, but finds a few XP bugs to crush
- Target attack shows danger of remotely accessible HVAC systems
- Target hackers try new ways to use stolen card data
- Update: Microsoft to patch just-revealed Windows zero-day tomorrow
- NSA spying prompts open TrueCrypt encryption software audit to go viral
- Microsoft warns of Office zero-day, active hacker exploits
- Hackers move to create next Blackhole after 'Paunch' arrest
- Adobe hack shows subscription software vendors lucrative targets
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- HP HAVEn: See the big picture in Big Data HP HAVEn is the industry's first comprehensive, scalable, open, and secure platform for Big Data. Enterprises are drowning in a sea of data...
- What Datapipe customers need to know about the new PCI DSS 3.0 compliance standard This handy quick reference outlines what PCI DSS 3.0 is, who needs to be compliant and how Alert Logic solutions address the new...
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well...
- The New Way to Work Knowledge Vault This Knowledge Vault focuses on how, in today's increasingly virtual world, it's more important than ever to engage deeply with employees, suppliers, partners,... All Malware and Vulnerabilities White Papers | Webcasts