Friday, February 19, 2010

Adobe Download Manager Installing Software Without Consent

Slashdot is running an article about a problem in the Adobe Download Manager (ADM) found by researcher Aviv Raff. The net effect of the problem is that a user can be tricked into downloading and installing software without actual consent.

A related article in PCMAG.COM gives Raff's list of software that can be downloaded and installed for users who have ADM installed, merely by following a link to Adobe's site: Adobe Flash 10, Adobe Reader 9.3, Adobe Reader 8.2, Google Toolbar 6.3, McAfee Security Scan Plus and a half dozen more.

The ADM FAQ explains that ADM is installed when needed and removed when the system reboots. However, this ignores the fact that Adobe downloads don't typically require a reboot, and users might go a long time between reboots.

Raff also announced that he had found a remote code execution bug in ADM, increasing the danger of remote compromise by an order of magnitude or two.

See more at Security Watch.