Adobe continues to be dogged by vulnerabilities in some of its leading programs, including its own Download Manager, which Israeli security researcher Aviv Raff recently cited as a serious security issue.
In late February, Adobe revised its security bulletin on what it termed the ‘critical’ vulnerability in Adobe Reader 9.3 for Windows and Macintosh, as well as Adobe Reader 8.2 and Acrobat 8.2 for Windows and Macintosh. (The full security bulletin is here.)
As noted on the CSOonline.com site, Brad Arkin, director of product security and privacy at Adobe Systems, spent a significant amount of time at the recent RSA security conference updating Adobe customers on these issues.
While Arkin notes in the interview that Adobe is trying to achieve transparency, last Tuesday’s fix for its Download Manager program does not inspire confidence. For his part, Aviv Raff responded to Adobe’s security release and statement on the Download Manager vulnerability, which he and Dutch researcher Yorick Koster discovered, by noting that in his opinion the company was reluctant to fully admit the design flaw.
Raff notes in his blog post, ‘I think they missed the whole point here. While it is true that Adobe Download Manager is removed upon computer restart, the user, who has just updated their Adobe product (usually without a requirement to restart the computer after the update), is still exposed to forced automatic installation when they restart their computer.’
Raff also stated on his blog that he’s already found another remote code execution flaw in the Adobe Download Manager, through which ‘an attacker can force an automatic download and installation of any executable he desires.’
For its part, Adobe has not responded to Raff’s newly discovered code execution flaw, and still maintains that the vulnerability has been addressed.