We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Adobe patches another flaw in Download Manager

Bug lets hackers install software on a PC

Adobe has fixed a critical vulnerability in Download Manager for the second time in six weeks.

The program is used to download the company's two most popular products, Adobe Reader and Flash Player.

The bug, Adobe acknowledged in an advisory, "potentially allow[s] an attacker to download and install unauthorised software onto a user's system".

Israeli security researcher Aviv Raff disclosed the vulnerability last week, when he said that attackers could use the Download Manager to forcibly download and install any executable file, including attack code.

"If you go to Adobe's website to install a security update for Flash, you really expose yourself to a zero-day attack," Raff said.

Download Manager is not the update mechanism for Reader and Flash Player - that's called Adobe Updater - but instead oversees file transfers from Adobe's site.

Among other things, the manager resumes interrupted downloads and queues up multiple files for download. The utility isn't an Adobe product, but rather a customised version of getPlus+, licensed from NOS Microsystems.

Although Download Manager is automatically removed from a Windows PC the next time the machine is restarted, Raff said it still posed a danger because some systems remain powered on for days or even weeks between reboots.

"Adobe recommends users verify that a potentially vulnerable version of the Adobe Download Manager is no longer installed on their machine," said Adobe in the advisory.

The steps Adobe urged involved searching the hard drive for a 'C:\Program Files\NOS\' folder, or entering 'services.msc' at a command line prompt in Windows, then deleting the 'getPlus Helper' service from the ensuing list.

Users don't need to take any action with either Reader or Flash Player, said Adobe, as the vulnerability does not affect either program.

This isn't the first time that a Download Manager component has required patching. One of the six critical bugs Abode patched in Reader and Acrobat last month was within the NOS Microsystem's ActiveX control that allowed Internet Explorer to use Download Manager.

The vulnerability had been reported to Adobe by Will Dormann, a researcher at the CERT Coordinating Center, last November.

See also: Fix available for critical Adobe flaw


IDG UK Sites

iPad mini 3 vs iPad mini 2 comparison: New iPad mini 3 isn't worth £80 more

IDG UK Sites

Why you shouldn't buy the iPad mini 3: No wonder Apple gave it 10 seconds of stage time

IDG UK Sites

Halloween Photoshop tutorials: 13 masterclasses for horrifying art, designs and type

IDG UK Sites

Should I upgrade from Mavericks to OS X 10.10 Yosemite? What you need to know before updating to...