Adobe hit by new vulnerability

It may have been Photoshop's 20th birthday this week, giving Adobe one reason to celebrate, but beyond that the company is having a miserable time of late.

Having Steve Jobs slam its Flash player may not be fun, but that's no reason to send Mac users Windows software updates, you'd think. Yet Adobe contrived to do just that this week.

And now it appears that Adobe's Download Manager is vulnerable to remote code execution, making it useful for a hacker on the hack.

An insecurity researcher, Aviv Raff, found the flaw and said on his blog that it could allow a third-party application to be called and installed on a target machine.

Raff said: "Recently, I found a design flaw on Adobe's website, which allows the abuse of the Adobe Download Manager to force the automatic installation of Adobe products, as well as other software products (e.g., Google Toolbar)".

But, "instead of admitting that this design flaw is indeed a problem which can be abused by malicious attackers, Adobe decided to downplay this issue", Raff wrote. He called Adobe's attitude "outrageous".

Adobe updated its initial response to news of the vulnerability, one Raff called less than honest. "Adobe is aware of the recently posted report of a remote code execution vulnerability in the Adobe Download Manager. We are working with the researcher, Aviv Raff, and the third party vendor of this component to investigate and resolve the issue as quickly as possible," Adobe said. "We will provide updates on this issue via the Adobe PSIRT blog and the Security Advisory section of the Adobe web site."