ITPRO

Printed from www.itpro.co.uk

Did Adobe downplay security flaw?

A security researcher has accused Adobe of 'downplaying' the severity of a flaw.

By Nicole Kobie, 22 Feb 2010 at 10:33

Adobe has been hit by another security flaw - as well as the accusation that the firm has known about it for some time.

Security researcher Aviv Raff wrote in his blog that a "design flaw" on Adobe's own website allows its Download Manager to be used to force the installation of software.

"Instead of admitting that this design flaw is indeed a problem which can be abused by malicious attackers, Adobe decided to downplay this issue," Raff wrote in his blog.

He said fellow blogger Ryan Naraine notified Adobe of the problem, with the firm replying that the flaw wasn't serious, because it only allowed Adobe products to be downloaded.

"This specific design flaw does indeed force installation of the latest version of Adobe products," Raff said. "But, what if there is a zero-day flaw in an Adobe product, and you have decided to remove it from your system because of that zero-day?"

"This is not a far-fetched 'what if'. An attacker can force you to automatically download and install the vulnerable Adobe product, and then exploit the zero-day vulnerability in that product," he said. "This is the kind of scenario that’s common when skilled, motivated attackers are going after select targets."

Raff added that since he first described the flaw, he has uncovered a remote code execution vulnerability in the Download Manager that would allow attackers to force users to download anything they choose.

"So, if you go to Adobe's website to install a security update for Flash, you really expose yourself to a zero-day attack," he claimed, adding that he wouldn't release any more details of the flaw until Adobe agrees to fix it. "I can only hope that Adobe will not downplay this vulnerability as well."

Raff noted Adobe wasn't the first firm to say a flaw wasn't as severe as researchers believe. "We all know what happens when a software vendor downplays the severity of a security vulnerability. It usually comes back to haunt them, when the vulnerability is eventually discovered by the bad guys and used to exploit innocent computer users."

"Microsoft, Apple and even Mozilla have all been guilty of this in the past," he added. "Lately (and sadly), Adobe has joined this train."

Adobe had not responded to our request for comment at the time of publication, but told The Register it was aware of the flaw and was working with Raff and the component's third-party developer on a fix.

1 comment

Don't use the Adobe download manager

I never use Adobe's download manager; I tried it once, it didn't provide any greater functionality than the download manager I already had, so it's pointless. The idea of installing a special download manager just to download one program is stupid anyway. There are lots of them available, including the one in Firefox, that allow you to pause and resume downloads - which is the only advantage the Adobe DM offers.

By greenknight32 on Tuesday Feb 23
