Wednesday, May 07, 2008 8:53 AM
cmosby
Akamai Download Manager Code Execution Vulnerability - Advisories - Secunia
Secunia Advisory:
SA30037
Release Date:
2008-05-01
Last Update:
2008-05-06
Critical:
Highly critical
Impact:
System access
Where:
From remote
Solution Status:
Vendor Patch
Software:
Akamai Download Manager 2.x
CVE reference:
CVE-2007-6339
Description:
A vulnerability has been reported in Akamai Download Manager, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused by certain undocumented object parameters, which can be exploited, for example, to download and execute malicious programs when a user is tricked into visiting a malicious site.
The vulnerability is reported in both the ActiveX and Java versions prior to 2.2.3.5.
Solution:
Fixed in version 2.2.3.5.
NOTE: Updating the product via the vendor update page does not properly remove the vulnerable ActiveX component and leaves affected systems still vulnerable to this issue.
Set the kill-bit for the affected ActiveX control.
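One way to apply and verify the kill-bit on a Windows host, shown as an added example that is not part of the original advisory. The CLSID below is a placeholder because the advisory text above does not list it; take the real value from the vendor or iDefense advisory. Run from an elevated PowerShell prompt.

```powershell
# Added example: set and verify the Internet Explorer kill-bit for one ActiveX control.
# ASSUMPTION: $Clsid is a PLACEHOLDER, not the real CLSID of the affected control.
param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}'  # placeholder value
)

# Bit 0x400 in "Compatibility Flags" stops IE from instantiating the control.
$KillBit = 0x400

# 32-bit IE on 64-bit Windows reads the WOW6432Node view, so cover both views.
$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }   # view not present on this system

    $key = Join-Path $root $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Keep any flags that are already set and OR in the kill-bit.
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    New-ItemProperty -Path $key -Name 'Compatibility Flags' -PropertyType DWord `
        -Value ($current -bor $KillBit) -Force | Out-Null

    # Read the value back instead of trusting the write.
    $check = (Get-ItemProperty -Path $key -Name 'Compatibility Flags').'Compatibility Flags'
    $state = if ($check -band $KillBit) { 'kill-bit SET' } else { 'kill-bit MISSING' }
    '{0}: flags=0x{1:X8} ({2})' -f $key, $check, $state
}

# Per the NOTE above, the vendor update can leave the old control registered.
# Report whether a COM server is still registered under this CLSID.
$server = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
if (Test-Path $server) {
    $dll = (Get-ItemProperty -Path $server).'(default)'
    "Control still registered: $dll"
} else {
    'No InprocServer32 registration found for this CLSID.'
}
```

The kill-bit only blocks instantiation inside Internet Explorer; it does not cover the Java version mentioned above, which still needs the update to 2.2.3.5.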
Provided and/or discovered by:
Peter Vreugdenhil, reported via iDefense Labs.
Changelog:
2008-05-02: Updated advisory based on additional information from iDefense Labs.
2008-05-06: Updated "Solution" section with additional information from Secunia Research.
Original Advisory:
Akamai:
http://lists.grok.org.uk/pipermail/full-disclosure/2008-April/061923.html
iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=695