Wilders Security Forums  

  #1  
February 23rd, 2010, 05:46 PM
ronjor
Global Moderator
Join Date: Jul 2003
Location: Texas
Posts: 46,190
Adobe plugs critical hole in Download Manager

Quote:
by Elinor Mills

Adobe issued a fix on Tuesday for a critical vulnerability in its Download Manager program that could be used by an attacker to download malware onto a user's PC.

People who downloaded Adobe Reader for Windows from Adobe's Reader download site or Flash Player for Windows from Adobe's Flash Player site prior to the release of the security bulletin on Tuesday are vulnerable, the company said. The issue is resolved for any new downloads of Reader and Flash Player from those sites.
Story
  #2  
February 23rd, 2010, 10:41 PM
siljaline
Security Expert
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,126
Re: Adobe plugs critical hole in Download Manager

The Adobe Bulletin is here
  #3  
February 24th, 2010, 12:16 AM
G1111
Very Frequent Poster
Join Date: May 2005
Location: USA
Posts: 1,721
Re: Adobe plugs critical hole in Download Manager

Thanks Ron and siljaline - I checked and did not find the "NOS" folder or "getPlus(R) Helper" service.
  #4  
February 24th, 2010, 12:22 AM
siljaline
Security Expert
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,126
Re: Adobe plugs critical hole in Download Manager

You are most welcome, if you are using Internet Explorer, check your add-ons as well, they may be lurking there. If found, disable or delete.

Quote:
To add or remove Add-ons, click Tools from the Command bar and select Manage Add-ons from the drop-down menu. From this menu you can view and manage a list of different Add-on Types you've got installed in the browser. To add more, click on the Find more providers... option at the bottom of the window. To delete an Add-on, highlight the one you wish to remove and select Remove, or select Disable if you wish to leave it installed but make it inactive.
Quote:
Originally Posted by G1111
Thanks Ron and siljaline - I checked and did not find the "NOS" folder or "getPlus(R) Helper" service.

Last edited by siljaline : February 24th, 2010 at 01:01 AM. Reason: removing incorrectly quoted text
  #5  
February 24th, 2010, 01:13 AM
G1111
Very Frequent Poster
Join Date: May 2005
Location: USA
Posts: 1,721
Re: Adobe plugs critical hole in Download Manager

Quote:
Originally Posted by siljaline
You are most welcome, if you are using Internet Explorer, check your add-ons as well, they may be lurking there. If found, disable or delete.
I seldom use IE8. I did check and found a BHO "Adobe PDF Link Helper" v9.3.0.148 12/21/2009. Should this be disabled?
  #6  
February 24th, 2010, 02:46 AM
siljaline
Security Expert
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,126
Re: Adobe plugs critical hole in Download Manager

That is a valid BHO, leave as-is. I will post back more information to this thread later, when I am able to obtain more information.

Regards,

Quote:
Originally Posted by G1111
I seldom use IE8. I did check and found a BHO "Adobe PDF Link Helper" v9.3.0.148 12/21/2009. Should this be disabled?
  #7  
February 24th, 2010, 12:02 PM
G1111
Very Frequent Poster
Join Date: May 2005
Location: USA
Posts: 1,721
Re: Adobe plugs critical hole in Download Manager

Quote:
Originally Posted by siljaline
That is a valid BHO, leave as-is. I will post back more information to this thread later, when I am able to obtain more information.

Regards,

Okay, thanks siljaline.
  #8  
February 24th, 2010, 02:59 PM
siljaline
Security Expert
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,126
Re: Adobe plugs critical hole in Download Manager

The findings regarding the vulnerabilities in Adobe's download manager have been unfortunately inconclusive.

For those that wish to view the Download Manager FAQ, it is here.

We in the security community are extremely disappointed with Adobe's overall performance as a software vendor and will continue to have this narrow view as long as Adobe remains the top hacker target.

Quote:
Originally Posted by G1111
Okay, thanks siljaline.

Last edited by siljaline : February 27th, 2010 at 01:46 AM. Reason: additional comments
  #9  
April 21st, 2010, 10:11 AM
Escalader
Massive Poster
Join Date: Dec 2005
Location: Land of the Mooses
Posts: 3,636
Re: Adobe plugs critical hole in Download Manager

FWIW, I have removed 99% of Adobe from my W7 64 bit notebook.

I use Foxit Reader V3.2.1.0401 (free) to read PDF files now; seems fine so far.

The 1% of Adobe I haven't got yet deals with Identity H and V in Adobe/Reader9.0/resource folder.

Has anybody got any clues on how to wipe these out?

It is a permissions issue from what I can tell.
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
  #10  
April 21st, 2010, 11:35 AM
siljaline
Security Expert
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,126
Re: Adobe plugs critical hole in Download Manager

Some, out of privacy concerns are moving to Sumatra PDF Viewer, Escalader, though I have not tested it myself.
  #11  
April 21st, 2010, 03:02 PM
Escalader
Massive Poster
Join Date: Dec 2005
Location: Land of the Mooses
Posts: 3,636
Re: Adobe plugs critical hole in Download Manager

Quote:
Originally Posted by siljaline
Some, out of privacy concerns are moving to Sumatra PDF Viewer, Escalader, though I have not tested it myself.

TY.

Do you mean privacy vis-à-vis Adobe or Foxit reader?

My FW rules prevent Foxit from using the www.
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
  #12  
April 21st, 2010, 03:12 PM
siljaline
Security Expert
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,126
Re: Adobe plugs critical hole in Download Manager

You're welcome. Privacy from the point of view of Adobe patches which were recently fixed, out-of-band !

Foxit from a bloatware point of view, I have read numerous complaints since Foxit is the main replacement for Adobe Reader, etc, now. It has swelled somewhat. Otherwise I could not comment.

Quote:
Originally Posted by Escalader
TY.

Do you mean privacy vis-à-vis Adobe or Foxit reader?

My FW rules prevent Foxit from using the www.

Last edited by siljaline : April 21st, 2010 at 03:13 PM. Reason: typo
  #13  
April 21st, 2010, 04:48 PM
Escalader
Massive Poster
Join Date: Dec 2005
Location: Land of the Mooses
Posts: 3,636
Re: Adobe plugs critical hole in Download Manager

Quote:
Originally Posted by siljaline
You're welcome. Privacy from the point of view of Adobe patches which were recently fixed, out-of-band !

Foxit from a bloatware point of view, I have read numerous complaints since Foxit is the main replacement for Adobe Reader, etc, now. It has swelled somewhat. Otherwise I could not comment.

Well, the Foxit web site has many addons they offer for a price. Maybe those cause bloat; I don't have them so I don't know either.

The free reader I just put in uses 29,000 k peak. So in my case with a 8MB RAM it has very little impact.
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
  #14  
April 21st, 2010, 05:11 PM
siljaline
Security Expert
Join Date: Jun 2003
Location: Montréal, Canada
Posts: 4,126
Re: Adobe plugs critical hole in Download Manager

Thanks for sharing as I was not aware and quite likely others were not, as well.
Regards,

Quote:
Originally Posted by Escalader
Well, the Foxit web site has many addons they offer for a price. Maybe those cause bloat; I don't have them so I don't know either.

The free reader I just put in uses 29,000 k peak. So in my case with a 8MB RAM it has very little impact.
  #15  
April 24th, 2010, 12:06 PM
Escalader
Massive Poster
Join Date: Dec 2005
Location: Land of the Mooses
Posts: 3,636
Re: Adobe plugs critical hole in Download Manager

Quote:
Originally Posted by siljaline
Thanks for sharing as I was not aware and quite likely others were not, as well.
Regards,

Further to the Adobe removal matter, I have NOT been successful in:

1) Finding an un-installer from the Adobe site for Adobe reader (9.x)

2) Two files remain IDENTITY-H and IDENTITY-V.

I have added them to my FW executable block list so OP thinks they can execute! That is interesting in itself!

As well, for good measure I've anti-leaked them to maximum. (no injectables, no hooking, no keylogging etc)

Any clues on how to rid these pests?


PS here is the path

C:\PROGRAM FILES (X86)\ADOBE\READER 9.0\RESOURCE\CMAP
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging

Last edited by Escalader : April 24th, 2010 at 12:09 PM. Reason: add the path
  #16  
April 24th, 2010, 02:28 PM
CloneRanger
Massive Poster
Join Date: Jan 2006
Location: Home usually
Posts: 3,846
Re: Adobe plugs critical hole in Download Manager

@Escalader

First remove the blocks etc you've put in place, then use the windows search for Adobe and delete everything you feel is correct. Then use a reg cleaner and do the same.

I've used those methods dozens of times over the years, with great success, hope you do too.
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
  #17  
April 24th, 2010, 02:47 PM
Escalader
Massive Poster
Join Date: Dec 2005
Location: Land of the Mooses
Posts: 3,636
Re: Adobe plugs critical hole in Download Manager

Quote:
Originally Posted by CloneRanger
@Escalader

First remove the blocks etc you've put in place, then use the windows search for Adobe and delete everything you feel is correct. Then use a reg cleaner and do the same.

I've used those methods dozens of times over the years, with great success, hope you do too.

Hi Clone:

Did all those steps BUT these 2 files are locked/protected.

I set Cleaner up to delete these BUT it failed. So did jv16.

My temporary Blocks are preventing them from executing only not from being deleted.

Thanks for replying.
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
  #18  
April 24th, 2010, 03:08 PM
CloneRanger
Massive Poster
Join Date: Jan 2006
Location: Home usually
Posts: 3,846
Re: Adobe plugs critical hole in Download Manager

@Escalader

Quote:
Did all those steps BUT these 2 files are locked/protected.

Ok, just that you didn't say

Try changing permissions on them and see if they unlock to delete. Also maybe try in safe mode.
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
  #19  
April 24th, 2010, 03:56 PM
Escalader
Massive Poster
Join Date: Dec 2005
Location: Land of the Mooses
Posts: 3,636
Re: Adobe plugs critical hole in Download Manager

Quote:
Originally Posted by CloneRanger
@Escalader



Ok, just that you didn't say

Try changing permissions on them and see if they unlock to delete. Also maybe try in safe mode.


Sorry, just hoping for an easier solution. Permission won't change. These 2 nasties owned by SYSTEM. When I try to alter the permissions I am not allowed. To change to full control is greyed out. Fun eh! I am in windows 7.


UPDATE: VIA SPECIAL PERMISSIONS AND MOVING OWNERSHIP OF THESE FILES TO ME AS ADMIN I FINALLY DELETED THEM!

NOW I'M GOING FOR THE ADOBE FOLDER, DON'T RECOMMEND THIS TO ANYBODY UNLESS YOU HAVE AN IMAGE BACKUP! (I HAVE)
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging

Last edited by Escalader : April 24th, 2010 at 04:14 PM.
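
The ownership-then-permissions sequence described in the post above, as an added PowerShell example that is not part of the original thread. It assumes an elevated prompt and uses the folder and file names given in post #15; `takeown.exe` and `icacls.exe` are the stock Windows tools, and assigning ownership to the Administrators group is a choice made here.

```powershell
# Added example: inspect, take ownership of, and delete SYSTEM-owned leftover files.
# Run from an elevated PowerShell prompt, with a backup in place.
# Folder and file names are the ones quoted in post #15 of this thread.
$dir   = 'C:\PROGRAM FILES (X86)\ADOBE\READER 9.0\RESOURCE\CMAP'
$names = 'IDENTITY-H', 'IDENTITY-V'

foreach ($name in $names) {
    $file = Join-Path $dir $name
    if (-not (Test-Path -LiteralPath $file)) {
        Write-Host "Not present: $file"
        continue
    }

    # Record the current owner and ACL before changing anything.
    $acl = Get-Acl -LiteralPath $file
    Write-Host "$file owner: $($acl.Owner)"
    $acl.Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize |
        Out-String | Write-Host

    # Step 1: move ownership to the local Administrators group (/A).
    takeown.exe /F $file /A | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "takeown failed for $file"
        continue
    }

    # Step 2: grant Administrators (well-known SID S-1-5-32-544) full control.
    # Only the owner can rewrite the ACL, which is why step 1 comes first.
    icacls.exe $file /grant '*S-1-5-32-544:F' | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "icacls failed for $file"
        continue
    }

    # Step 3: delete the file now that the ACL allows it.
    Remove-Item -LiteralPath $file -Force
    Write-Host "Deleted: $file"
}
```

If `Remove-Item` still fails after both steps succeed, the file is being held open by a running process rather than blocked by its ACL.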
  #20  
April 24th, 2010, 07:32 PM
CloneRanger
Massive Poster
Join Date: Jan 2006
Location: Home usually
Posts: 3,846
Re: Adobe plugs critical hole in Download Manager

@Escalader

Just seen your edit !

Presumed you were already in Admin mode to attempt this. If you still haven't managed to delete them, then I guess it's time for Unlocker


Unlocker

Quote:
Cannot delete file: Access is denied
There has been a sharing violation.
The source or destination file may be in use.
The file is in use by another program or user.
Make sure the disk is not full or write-protected and that the file is not currently in use.

http://ccollomb.free.fr/unlocker

Used it many times and it's never failed for me, or lots of others. You might need to reboot afterwards.

Don't install the EBAY shortcut option, unless you want to
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
  #21  
April 24th, 2010, 08:02 PM
Escalader
Massive Poster
Join Date: Dec 2005
Location: Land of the Mooses
Posts: 3,636
Re: Adobe plugs critical hole in Download Manager

Quote:
Originally Posted by CloneRanger
@Escalader

Just seen your edit !

Presumed you were already in Admin mode to attempt this. If you still haven't managed to delete them, then I guess it's time for Unlocker


Unlocker






http://ccollomb.free.fr/unlocker

Used it many times and it's never failed for me, or lots of others. You might need to reboot afterwards.

Don't install the EBAY shortcut option, unless you want to



Thanks for the tip !

I'll get the Unlocker in case I ever need it in the future.
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
  #22  
April 24th, 2010, 08:30 PM
CloneRanger
Massive Poster
Join Date: Jan 2006
Location: Home usually
Posts: 3,846
Re: Adobe plugs critical hole in Download Manager

@Escalader

Quote:
Thanks for the tip !

Pleasure, it's a goody to have around.

So does this mean that you are totally Adobe free now ?
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
  #23  
April 25th, 2010, 09:03 AM
Escalader
Massive Poster
Join Date: Dec 2005
Location: Land of the Mooses
Posts: 3,636
Re: Adobe plugs critical hole in Download Manager

Quote:
Originally Posted by CloneRanger
@Escalader



Pleasure, it's a goody to have around.

So does this mean that you are totally Adobe free now ?

Yes!

I reran jv16 and zapped all the 250 adobe entries in the register.

Adobe is without doubt one of the most $%%#@@! pieces of intrusive software users have on their setups.
If you pass your mouse over it it tries to phone home!

The adobe is in my view not only hazardous it is a "bully".

Locking those 2 IDENTITY files is an example of their mind set.
__________________
Escalader
i7 8 GB RAM Notebook, 1TB External Drive
Sandboxie, Nod32, OP FW Pro, KeyScrambler, MVPS HOSTS File
IE 9 Hardened Active X,SmartScreen,Tracking Protection
Paragon Backup and Imaging
  #24  
April 25th, 2010, 12:35 PM
CloneRanger
Massive Poster
Join Date: Jan 2006
Location: Home usually
Posts: 3,846
Re: Adobe plugs critical hole in Download Manager

@Escalader

Good news but not about Adobe, and ALL those 250 entries still in the register, etc etc

Never use Adobe myself, glad I don't
__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
 


All times are GMT -4.


Copyright ©2002 - 2013, Wilders Security Forums