Did Adobe downplay security flaw?
A security researcher has accused Adobe of 'downplaying' the severity of a flaw.


Adobe has been hit by another security flaw - as well as the accusation that the firm has known about it for some time.
Security researcher Aviv Raff wrote in his blog that a "design flaw" on Adobe's own website allows its Download Manager to be used to force the installation of software.
"Instead of admitting that this design flaw is indeed a problem which can be abused by malicious attackers, Adobe decided to downplay this issue," Raff wrote in his blog.
He said fellow blogger Ryan Naraine notified Adobe of the problem, with the firm replying that the flaw wasn't serious, because it only allowed Adobe products to be downloaded.
"This specific design flaw does indeed force installation of the latest version of Adobe products," Raff said. "But, what if there is a zero-day flaw in an Adobe product, and you have decided to remove it from your system because of that zero-day?"
"This is not a far-fetched 'what if'. An attacker can force you to automatically download and install the vulnerable Adobe product, and then exploit the zero-day vulnerability in that product," he said. "This is the kind of scenario that's common when skilled, motivated attackers are going after select targets."
Raff added that since he first described the flaw, he has uncovered a remote code execution vulnerability in the Download Manager that would allow attackers to force users to download anything they choose.
"So, if you go to Adobe's website to install a security update for Flash, you really expose yourself to a zero-day attack," he claimed, adding that he would not release any more details of the flaw until Adobe agrees to fix it. "I can only hope that Adobe will not downplay this vulnerability as well."
Raff noted Adobe wasn't the first firm to say a flaw wasn't as severe as researchers believe. "We all know what happens when a software vendor downplays the severity of a security vulnerability. It usually comes back to haunt them, when the vulnerability is eventually discovered by the bad guys and used to exploit innocent computer users."
"Microsoft, Apple and even Mozilla have all been guilty of this in the past," he added. "Lately (and sadly), Adobe has joined this train."
Adobe had not responded to our request for comment at the time of publication, but told The Register it was aware of the flaw and was working with Raff and the component's third-party developer on a fix.
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.