Aviv Raff On .NET - May the force be with you

Monday, 15 February 2010

May the force be with you

Recently Adobe released a security update for a critical vulnerability in Adobe Flash (not related to the “Private Browsing” issue).
Adobe also issued a security advisory for Adobe Reader, where they plan to release an update for Adobe Reader (v9.3 and v8.2) “to resolve critical security issues, including the Flash Player issue described in Security Bulletin APSB10-06.”
So, you upgraded to the latest Flash version (10.0.45.2), and use an alternative PDF reader. You are safe from this vulnerability, right? You are probably not!
If you did upgrade to the latest version of Flash from the Adobe website, you very likely have Adobe Download Manager installed.
What is the Adobe Download Manager? “The Adobe Download Manager (Adobe DLM) is a small application that is used to deliver two of Adobe's most frequently downloaded products, Adobe Reader and Adobe Flash Player.”
Is the Adobe DLM safe to use? According to Adobe: “The Adobe DLM is signed by Adobe, uses SSL, MD5 checksum integrity verification, encryption and other methods to insure that the software you request is the software you receive from Adobe.”
Pay attention to the bold part of the last sentence. The reason I marked this part of the sentence is that apparently you can force automatic download and installation of software upon anyone who visit your website and have Adobe Download Manager installed. Safe to use, ha?

Any of the following can be forced to automatic download and install (Thanks Mike Bailey for helping me with the list!) :

Adobe Flash 10
Adobe Reader 9.3
Adobe Reader 8.2
Adobe Air 1.5.3
ARH tool - allows silent installation of Adobe Air applications
Google Toolbar 6.3
McAfee Security Scan Plus
New York Times Reader (via Adobe Air)
Fanbase (via Adobe Air)
Acrobat.com desktop shortcut

So, even if you use an alternative PDF reader, an attacker can force you to download and install Adobe Reader, and then exploit the (yet to be patched, but now known) vulnerability. The attacker can also exploit 0-day vulnerabilities in any of the other products mentioned above.

To demonstrate this issue, you can simply click the following link: get.adobe.com/flashplayer/thankyou/activex/?installer=Flash_Player_10_for_Windows_Internet_Explorer&a=Google_Toolbar_6.3
Please note that if you have Adobe Download Manager installed, it will automatically download and install Google Toolbar 6.3.
(Firefox users should click this link: get.adobe.com/flashplayer/thankyou/xpi/?installer=Flash_Player_10_for_Windows_-_Other_Browsers&a=Google_Toolbar_6.3&xpiinstalled=1)
An attacker can either send a direct link to its victims or embed this link as an br on his website.

To prevent this, at-least until Adobe will fix this issue, I recommend Internet Explorer users to uninstall Adobe Download Manager via Add/Remove Programs. Firefox users should disable or uninstall the Adobe Download Manager extension.

Monday, 15 February 2010 12:23:35 UTC | Comments [5] | Security

Wednesday, 17 February 2010 08:34:28 UTC

Haha, nice one.
It won't be the simplest attack to coordinate, but definitely possible.

guya | guy111AT NOSPAMgmail dot com

Wednesday, 17 February 2010 15:11:58 UTC

We're considering removing Adobe software from our systems, because it is so difficult to patch. For instance, each time there is a Flash update, I have to fill out a form on the Adobe website, "apply" to "redistribute" flash on our intranet (because we use a software distribution systm, and do not allow users to install or update their own software). Even though I "apply" each time there's an update, and have a login to Adobe's site, I still have to apply each subsequent time. This time around, I applied a week ago, and still haven't been granted the right to access the redistributable version of Flash.

Maybe we'd all be better off without Adobe software on our systems. Even when there are fixes, they make the fixes hard to get.

setver

Wednesday, 17 February 2010 16:29:37 UTC

Very interesting. I obviously don't like this behavior. Hopefully Adobe fixes this soon. I do though like the concept of the ADM because it is a one stop shop to path all your adobe products ( I don't beleive this is just limited to just Reader and Flash, I noticed it also updated serveral of my CS4 products - Dreamweaver, photoshop, etc) similiar to Microsoft Update for Microsoft products. As a previous commenter pointed out, flash in particular has been a pain to update in the past.

Thank you for disclosing this. Hopefully it is fixed soon.

jmac

Wednesday, 24 February 2010 00:35:46 UTC

@setver: nice, my company is incredibly vulnerable - they don't push redist packages. Plus they have no common sense. Everytime we get an update for Java, their automated setup routine installs the latest Google/Bing toolbar, depending where they got their source. And of course then our web surf blocking software freaks out when it sees web-based traffic coming from the toolbar.

Shawn | shawn dot keeneAT NOSPAMgmail dot com

Friday, 26 February 2010 03:50:59 UTC

How about users without administrator privilege, Adobe DLM force to install software or fail?

henrich

Comments are closed.