I have been uninstalling this whenever I see it, so it's good to see that my
suspicious nature has paid off.
------- Included Stuff Follows -------
SecurityUpdates for Adobe Reader, Acrobat - Krebs on Security Update
If you decide to do without Adobe Reader and uninstall it, you might
want to nix the Adobe Download Manager as well. Researcher Aviv Raff points
to
some nifty work he´s done which shows that Adobe´s Download Manager - which
ships with all new versions of Flash and Reader - can be forced to
reinstall
an application that´s been removed, such as Reader. According to Raff, a
Web
site could hijack the Adobe Download manager to download and install any of
the following:
* Adobe Flash 10
* Adobe Reader 9.3
* Adobe Reader 8.2
* Adobe Air 1.5.3
* ARH tool - allows silent installation of Adobe Air applications
* Google Toolbar 6.3
* McAfee Security Scan Plus
* New York Times Reader (via Adobe Air)
* Fanbase (via Adobe Air)
* Acrobat.com desktop shortcut
Raff writes: "So, even if you use an alternative PDF reader, an attacker
can force you to download and install Adobe Reader, and then exploit the
(yet
to be patched, but now known) vulnerability. The attacker can also exploit
0-
day vulnerabilities in any of the other products mentioned above." Read
more
on his findings at this link here.
--------- Included Stuff Ends ---------
More here with links:
http://www.krebsonsecurity.com/2010/02/security-updates-for-adobe-reader-acrobat/
See also:
Aviv Raff On .NET - May the force be with you
http://aviv.raffon.net/2010/02/15/MayTheForceBeWithYou.aspx
ASF Note: According to Aviv Raffon, Firefox users should disable or uninstall
the Adobe Download Manager extension in addition to uninstalling the Adobe
Download Manager program.
Of course, if you're constitutionally paranoid like me ;-) you won't have
either installed [grin].
Angus
~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
