Adobe plugs critical hole in Download Manager

Adobe issued a fix on Tuesday for a critical vulnerability in its Download Manager program that could be used by an attacker to download malware onto a user's PC.

People who downloaded Adobe Reader for Windows from Adobe's Reader download site or Flash Player for Windows from Adobe's Flash Player site prior to the release of the security bulletin on Tuesday are vulnerable, the company said. The issue is resolved for any new downloads of Reader and Flash Player from those sites.

Download Manager is a tool that helps users efficiently download files from Web servers. It is used one time per session and is deleted when the computer is restarted. However, Adobe recommends users verify that a potentially vulnerable version of the Adobe Download Manager is no longer installed on their machine by following instructions contained in the Solution section of the security bulletin.

Adobe warned of the vulnerability in a blog post on Thursday.

The company credited Israeli security researcher Aviv Raff, and Dutch researcher Yorick Koster working through the iDefense Vulnerability Contributor Program, for reporting the issue. Raff accused Adobe of downplaying the issue in a post on his blog on Thursday.

Asked for comment, an Adobe spokesperson provided this statement: "The security of our customers is a number one priority for Adobe, and we take all reports of potential security issues in our products and technologies very seriously. To report a security issue to Adobe directly, please visit the Adobe Web site, so we can quickly and appropriately address the issue for our customers."