Adobe patches critical bug in Flash, Reader download tool

Urges Windows users to search PCs for flawed Adobe Download Manager

Adobe today patched a critical vulnerability in the Windows utility used to download the company's two most popular products, Adobe Reader and Flash Player.

It was the second time in the last six weeks that Adobe fixed a flaw in Download Manager, the program it installs on PCs when customers download Reader or Flash Player.

The bug, Adobe acknowledged in an advisory , "potentially allow[s] an attacker to download and install unauthorized software onto a user's system."

Israeli security researcher Aviv Raff disclosed the vulnerability last week, when he said that attackers could use the Download Manager to forcibly download and install any executable file, including attack code.

"If you go to Adobe's Web site to install a security update for Flash, you really expose yourself to a zero-day attack," Raff said.

Download Manager is not the update mechanism for Reader and Flash Player -- that's dubbed Adobe Updater -- but instead oversees file transfers from Adobe's site.

Among other things, the manager resumes interrupted downloads and queues up multiple files for download. The utility isn't an Adobe product, but rather a customized version of getPlus+, licensed from NOS Microsystems.

Although Download Manager is automatically removed from a Windows PC the next time the machine is restarted, Raff said it still posed a danger because some systems remain powered on for days or even weeks between reboots.

"Adobe recommends users verify that a potentially vulnerable version of the Adobe Download Manager is no longer installed on their machine," said Adobe in the advisory.

The steps Adobe urged involved searching the hard drive for a "C:\Program Files\NOS\" folder, or entering "services.msc" at a command line prompt in Windows, then deleting the "getPlus Helper" service from the ensuing list.

Users don't need to take any action with either Reader or Flash Player, said Adobe, as the vulnerability does not affect either program.

This wasn't the first time that a Download Manager component required patching. One of the six critical bugs Abode patched in Reader and Acrobat last month was within the NOS Microsystem's ActiveX control that allowed Internet Explorer to use Download Manager. The vulnerability had been reported to Adobe by Will Dormann, a researcher at the CERT Coordinating Center , last November.

Tags adobe readerMicrosoft Windowssecurityadobe

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld (US)

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?