New Adobe Download Manager Bug

Within days of Adobe’s release of out-of-band security updates for both Acrobat and Reader, word now comes from security researcher Aviv Raff, of another new vulnerability in an Adobe product.
The flaw was found in Adobe Download Manager (DLM), an application Adobe uses to deliver common applications (e.g., Flash and Reader) to users’ systems. Normally, it cannot be used to download non-Adobe files onto users’ systems. However, according to Raff, a vulnerability in DLM that allows third parties to download and install files onto users’ systems, in effect, making it vulnerable for use as a malware downloader.
Raff has not released specific details about this vulnerability and has indicated that he would not do so until the problem has been resolved by Adobe. On Tuesday, Adobe released a new security bulletin indicating that they have resolved this issue. Users who used Adobe DLM to download either Flash or Acrobat from February 23, 2010 onwards are safe; everyone else is advised to removed the Adobe Download Manager entry in the Add/Remove Programs applet in the Windows Control Panel.
This is not the first time DLM has proven vulnerable to malicious attacks. In fact, in January of this year, a remote code execution vulnerability in the application was among those Adobe patched.
This was on top of a bug that Raff also (continue reading...)