Design Flaw in AdobeUpdater.app can be Exploited by an Attacker
Friday, February 19, 2010 at 09:52AM
drStrangeP0rk in Adobe, Zero Day

Aviv Raff has reported, and the Adobe Security Blog has now confirmed, that an issue exists in the Adobe Download Manager which could allow an attacker to force the download and installation of an Adobe product, or of a malicious piece of software. He first reported to Adobe an issue with the Download Manager that allowed an attacker to force the reinstallation of an Adobe product that had been removed.

Aviv Raff took this one step further and discovered a remote code execution flaw that lets an attacker install arbitrary malicious software through the Adobe Download Manager. The Adobe Download Manager does not appear to use SSL, which means you expose yourself to a zero-day attack whenever you download an update from Adobe's site.

The exploit he reported has not been published, but the post on his site gives an outline of what was reported to Adobe. While his discovery concerns the Adobe Download Manager on Windows, I have confirmed that Adobe Updater6.app on the Mac platform may also have this flaw. Adobe Updater6.app sends its requests over port 80, which can be exploited in a man-in-the-middle attack. Because it does not use SSL properly, it is possible to alter the file to be downloaded and so install files from an untrusted source.

Users may want to turn off auto updates for Adobe products until more information becomes available.

Update on Wednesday, February 24, 2010 at 08:14AM by drStrangeP0rk

Adobe has released an update for the Adobe Download Manager (which runs on the PC); there is, however, no update for AdobeUpdater.app. AdobeUpdater.app lives in Utilities/Adobe Utilities/, and it is currently possible to redirect it to a site other than the Adobe update page using a simple man-in-the-middle attack. The open question is whether this can be exploited beyond the download.
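As an added example (not the page's or Adobe's code), here is the shape of the check an updater needs so that a plaintext man-in-the-middle cannot swap the download: the update descriptor must arrive over TLS from an allow-listed host, and the payload must match the hash that descriptor carries. Hostnames, manifest format and payload are all constructed; the real updater's are not known from the post.

```python
"""Hypothetical hardened update check (added example, not Adobe's code).

Models the failure the post describes: an updater that fetches its update
descriptor and payload over plain HTTP cannot tell the vendor's server from
a man-in-the-middle, so it installs whatever it is handed. A hash inside a
plaintext manifest does not help, since the attacker rewrites both; the
manifest's origin must be authenticated first, then the payload checked.
"""
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed allow-list; the real update hostname is an assumption here.
TRUSTED_HOSTS = {"update.example-vendor.invalid"}


class UpdateRejected(Exception):
    """Raised for any condition under which installing would be unsafe."""


def check_origin(url: str) -> str:
    """Refuse any descriptor origin that is not HTTPS to an allow-listed host."""
    u = urlparse(url)
    if u.scheme != "https":
        raise UpdateRejected(f"plaintext transport: {url}")
    if u.hostname not in TRUSTED_HOSTS:
        raise UpdateRejected(f"untrusted host: {u.hostname}")
    return u.hostname


def check_payload(manifest: dict, payload: bytes) -> str:
    """Verify the payload's sha256 matches what the TLS-protected manifest claims."""
    expected = manifest.get("sha256", "")
    actual = hashlib.sha256(payload).hexdigest()
    if len(expected) != 64 or not hmac.compare_digest(expected, actual):
        raise UpdateRejected("payload hash mismatch")
    return actual


def accept_update(manifest_url: str, manifest: dict, payload: bytes) -> bool:
    """True only when both origin and integrity checks pass; install only then."""
    try:
        check_origin(manifest_url)
        check_payload(manifest, payload)
    except UpdateRejected:
        return False
    return True


# Constructed sample: a benign payload and a manifest that vouches for it.
SAMPLE_PAYLOAD = b"constructed installer bytes"
SAMPLE_MANIFEST = {"sha256": hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()}
```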

One interesting note is that it does not contain any Objective-C runtime information, but there are plenty of NIBs; class-dump reports:

/*
 *     Generated by class-dump 3.1.2.
 *
 *     class-dump is Copyright (C) 1997-1998, 2000-2001, 2004-2007 by Steve Nygard.
 */
This file does not contain any Objective-C runtime information.

That would be a good place to start looking for code shared with the PC version that Adobe patched. Users should also make sure that Preview.app is the current viewer preference for PDF files.

http://blogs.adobe.com/psirt/2010/02/security_update_released_for_t.html

Article originally appeared on magmatic.com (http://www.magmatic.com/).