If at first you don't succeed; call it version 1.0
Thursday, February 18, 2010

We all know what happens when a software vendor downplays the severity of a security vulnerability. It usually comes back to haunt them, when the vulnerability is eventually discovered by the bad guys and used to exploit innocent computer users.

Microsoft, Apple and even Mozilla have all been guilty of this in the past. Lately (and sadly), Adobe has joined this train.

We all have heard about the recent zero-day vulnerabilities in several widely deployed Adobe products. Adobe’s response to some of them has been at times outrageous. As another example, I recommend reading this blog post by Mike Bailey, regarding Adobe’s response to his latest discovery of security problems with Adobe’s Flash Origin-Policy.

Recently, I found a design flaw on Adobe’s website, which allows the abuse of the Adobe Download Manager to force the automatic installation of Adobe products, as well as other software products (e.g. Google Toolbar).

Instead of admitting that this design flaw is indeed a problem which can be abused by malicious attackers, Adobe decided to downplay this issue. When ZDNet Zero Day blogger Ryan Naraine reported my discovery to Adobe, the company sent this response:

“A few important points:

  • The Adobe Download Manager is intended for one-time use. The Adobe Download Manager is designed to remove itself from the computer after use at the next restart. The user can also remove the Adobe Download Manager prior to this using Add/Remove Programs.
  • The Adobe Download Manager can only be used to download the latest version of software hosted on Adobe.com.
  • The Adobe Download Manager presents a very large user dialog box when downloading software…”

I think they missed the whole point here. While it is true that the Adobe Download Manager is removed upon computer restart, the user, who has just updated their Adobe product (usually without the requirement to restart the computer after the update), is still exposed to forced automatic installation until they restart their computer.

This specific design flaw does indeed force installation of the latest version of Adobe products. But, what if there is a zero-day flaw in an Adobe product, and you have decided to remove it from your system because of that zero-day? This is not a far-fetched “what if”. An attacker can force you to automatically download and install the vulnerable Adobe product, and then exploit the zero-day vulnerability in that product.

This is the kind of scenario that’s common when skilled, motivated attackers are going after select targets.

And yes, you do get a big dialog box when you are forced to download the software. Like this will really matter to the attacker, when all he wants is to get his malicious software on your machine.

On the same day I published my last blog post, I found yet another issue — a remote code execution flaw in the Adobe Download Manager. Basically, what I found is that an attacker can force an automatic download and installation of ANY executable he desires. So, if you go to Adobe’s website to install a security update for Flash, you really expose yourself to a zero-day attack.

Until Adobe decides to fix this vulnerability, I’m going to withhold the technical details of how to exploit this vulnerability. But, I can say that Adobe’s claim regarding the Adobe Download Manager’s use of SSL when downloading the software is simply not true.

I can only hope that Adobe will not downplay this vulnerability as well.

[Cross-post on ZDNet's Zero-Day Blog]

Thursday, February 18, 2010 9:39:12 PM UTC | Comments [2] | Security#
Monday, February 15, 2010

Recently Adobe released a security update for a critical vulnerability in Adobe Flash (not related to the “Private Browsing” issue).

Adobe also issued a security advisory for Adobe Reader, where they plan to release an update for Adobe Reader (v9.3 and v8.2) “to resolve critical security issues, including the Flash Player issue described in Security Bulletin APSB10-06.”

So, you upgraded to the latest Flash version (10.0.45.2), and use an alternative PDF reader. You are safe from this vulnerability, right? You are probably not!

If you did upgrade to the latest version of Flash from the Adobe website, you very likely have Adobe Download Manager installed.

What is the Adobe Download Manager? “The Adobe Download Manager (Adobe DLM) is a small application that is used to deliver two of Adobe's most frequently downloaded products, Adobe Reader and Adobe Flash Player.”

Is the Adobe DLM safe to use? According to Adobe: “The Adobe DLM is signed by Adobe, uses SSL, MD5 checksum integrity verification, encryption and other methods to insure that the software you request is the software you receive from Adobe.”

Pay attention to the bold part of the last sentence. The reason I marked this part of the sentence is that apparently you can force automatic download and installation of software upon anyone who visits your website and has Adobe Download Manager installed. Safe to use, huh?

Any of the following can be forced to download and install automatically (thanks Mike Bailey for helping me with the list!):

  • Adobe Flash 10
  • Adobe Reader 9.3
  • Adobe Reader 8.2
  • Adobe Air 1.5.3
  • ARH tool - allows silent installation of Adobe Air applications
  • Google Toolbar 6.3
  • McAfee Security Scan Plus
  • New York Times Reader (via Adobe Air)
  • Fanbase (via Adobe Air)
  • Acrobat.com desktop shortcut

So, even if you use an alternative PDF reader, an attacker can force you to download and install Adobe Reader, and then exploit the (yet to be patched, but now known) vulnerability. The attacker can also exploit 0-day vulnerabilities in any of the other products mentioned above.

To demonstrate this issue, you can simply click the following link: http://get.adobe.com/flashplayer/thankyou/activex/?installer=Flash_Player_10_for_Windows_Internet_Explorer&a=Google_Toolbar_6.3
Please note that if you have Adobe Download Manager installed, it will automatically download and install Google Toolbar 6.3.
(Firefox users should click this link: http://get.adobe.com/flashplayer/thankyou/xpi/?installer=Flash_Player_10_for_Windows_-_Other_Browsers&a=Google_Toolbar_6.3&xpiinstalled=1)
An attacker can either send a direct link to his victims or embed this link as an IFrame on his website.

To prevent this, at least until Adobe fixes this issue, I recommend that Internet Explorer users uninstall Adobe Download Manager via Add/Remove Programs. Firefox users should disable or uninstall the Adobe Download Manager extension.
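For defenders who cannot uninstall the Download Manager everywhere at once, the links above give a concrete pattern to look for in web-proxy logs: a request to the get.adobe.com “thank you” page that carries an extra `a=` product parameter. The script below is an added example (not code from the original post or from Adobe) that parses constructed sample log lines in a hypothetical “timestamp client URL” format and flags requests matching that pattern, reporting which extra product was requested.

```python
# Added example, not part of the original post: flag web-proxy log entries that
# request the Adobe Download Manager "thank you" page with an extra "a=" product
# parameter, which the post describes as triggering an automatic install.
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (timestamp, client IP, requested URL).
# The log format is an assumption for this example; adapt the split below
# to your proxy's real format.
SAMPLE_LOG = """\
2010-02-15T12:01:03Z 10.0.0.5 http://get.adobe.com/flashplayer/
2010-02-15T12:01:09Z 10.0.0.5 http://get.adobe.com/flashplayer/thankyou/activex/?installer=Flash_Player_10_for_Windows_Internet_Explorer
2010-02-15T12:04:41Z 10.0.0.7 http://get.adobe.com/flashplayer/thankyou/activex/?installer=Flash_Player_10_for_Windows_Internet_Explorer&a=Google_Toolbar_6.3
2010-02-15T12:05:02Z 10.0.0.9 http://get.adobe.com/flashplayer/thankyou/xpi/?installer=Flash_Player_10_for_Windows_-_Other_Browsers&a=Google_Toolbar_6.3&xpiinstalled=1
2010-02-15T12:06:15Z 10.0.0.7 http://example.test/page?a=Google_Toolbar_6.3
"""

# Only the Adobe download host named in the post is of interest; an "a="
# parameter on any other site means nothing to the Download Manager.
ADOBE_HOSTS = {"get.adobe.com"}


def classify_url(url):
    """Return the extra product requested via 'a=' on an Adobe DLM
    thank-you URL, or None if the URL does not match the pattern."""
    parts = urlsplit(url)
    if parts.hostname not in ADOBE_HOSTS:
        return None
    if "/thankyou/" not in parts.path:
        return None
    extra = parse_qs(parts.query).get("a")
    if not extra:
        return None
    return extra[0]


def scan_log(text):
    """Return a list of (timestamp, client, extra_product) for every log
    line whose URL matches the forced-install pattern."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:      # skip malformed or blank lines
            continue
        timestamp, client, url = fields
        extra = classify_url(url)
        if extra is not None:
            hits.append((timestamp, client, extra))
    return hits


if __name__ == "__main__":
    for timestamp, client, product in scan_log(SAMPLE_LOG):
        print(f"{timestamp} {client} Adobe DLM extra install requested: {product}")
```

A hit is a triage signal, not proof of attack: a user who accepted a bundled offer on Adobe's own page would produce the same URL, so correlate the client with the referrer (an unexpected third-party page or an IFrame-sized request is the suspicious case) and with whether the Download Manager is still installed on that host.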

Monday, February 15, 2010 12:23:35 PM UTC | Comments [5] | Security#
Sunday, February 14, 2010

It took Adobe over 6 months, and it seems that Flash will finally support "Private Browsing" in version 10.1.

You should all upgrade to this version when it becomes available. Until then, your "Private Browsing" is not so private...

By the way, the latest Beta of Flash v10.1 discloses the current browsing mode (nice find, Guy A.!). I can only hope that Adobe will fix this weakness before releasing the final version.


Sunday, February 14, 2010 12:59:58 PM UTC | Comments [0] | Security#