Within days of Adobe’s release of out-of-band security updates for both Acrobat and Reader, word now comes from security researcher Aviv Raff of another new vulnerability in an Adobe product.
The flaw was found in Adobe Download Manager (DLM), an application Adobe uses to deliver common applications (e.g., Flash and Reader) to users’ systems. Normally, it cannot be used to download non-Adobe files onto users’ systems. However, according to Raff, a vulnerability in DLM allows third parties to download and install files onto users’ systems, in effect making it usable as a malware downloader.
Raff has not released specific details about this vulnerability and has indicated that he would not do so until the problem has been resolved by Adobe. On Tuesday, Adobe released a new security bulletin indicating that it has resolved this issue. Users who used Adobe DLM to download either Flash or Acrobat from February 23, 2010 onward are safe; everyone else is advised to remove the Adobe Download Manager (DLM) entry in the Add/Remove Programs applet in the Windows Control Panel.
This is not the first time DLM has proven vulnerable to malicious attacks. In fact, in January this year, a remote code execution vulnerability in the application was among those Adobe patched.
This was on top of a bug that Raff also discovered earlier, which allowed DLM to be triggered to download Adobe or Adobe-approved applications simply by visiting a specific URL on the company’s site. Where an unpatched vulnerability in an Adobe product was present, this bug could allow cybercriminals to install the vulnerable application onto users’ systems and then exploit it to execute malware.
Security Has a Price—Problems with Security Updates
Trend Micro researcher Rajiv Motwani notes that the combined impact of fixing these and other similar holes in a relatively short period of time is becoming problematic for users, particularly enterprises. In theory, Adobe is supposed to release quarterly security updates for its products, but regular discoveries of new flaws have significantly undermined that plan.
Though unscheduled patches pose problems for home users and small businesses, large enterprises face greater risks. System administrators are traditionally loath to use automatic updates on enterprise systems, as these may disrupt important business operations.
The burden of updating systems then falls either on users or on administrators, neither of whom finds this an appealing proposition. It is also likely that systems will simply not be updated, leaving them wide open to exploits. A Trusteer study found that this was exactly the case for Adobe products, revealing that only 7 percent of the total number of product users had updated versions of Acrobat, while only 19 percent had updated Flash versions.
These concerns are always present for applications. However, for Adobe products like Flash and Acrobat, the risks are greater due to the vendor’s success. The same Trusteer study found that more than 90 percent of the total number of users run some version of Flash while 99 percent run Acrobat or Reader applications.
As Motwani notes, these two factors—Adobe’s high market penetration and users’ failure to regularly patch their systems—not only raise the number of systems that can potentially be affected, but also mean that organizations face the added burden of testing each patch for stability and/or performance issues and of rolling it out in a phased manner.
Solutions and Best Practices
Consumers and small businesses will benefit most by applying any Adobe patch as soon as it is released. Both Flash and Acrobat products now include standard auto-update features that can be scheduled to check for updates on a regular basis.
The Intrusion Detection Firewall (IDF) plug-in helps protect Trend Micro OfficeScan™ enterprise users against threats of this nature, providing protection until system administrators deem it acceptable to roll out the relevant patches.