Adobe download manager security flaw

Darren Allan

February 22, 2010

A security hole has been discovered in Adobe’s download manager, the browser script that Flash and Reader use to install or update themselves.

The flaw could be used by an attacker to remotely execute a malicious program on a PC.

The exploit was demonstrated to The Register by researcher Aviv Raff, who used it to install and run his own Windows calculator on one of the publication’s test machines.

Raff commented: “Instead of admitting that this design flaw is indeed a problem which can be abused by malicious attackers, Adobe decided to downplay this issue.”

Apparently, in a response to a blogger who reported the flaw to Adobe, the company pointed out that the vulnerability only left users exposed until they rebooted their PC after an update by the download manager. That’s because the download manager removes itself after a restart.

However, if you don’t reboot your PC after an update, then you’re exposed to this potential problem.

And as some folks don’t restart their PC for long periods of time, Raff contends that Adobe should be taking this more seriously.

We’d certainly agree, and according to The Register, Adobe is now working with him on the issue.


