Akamai Download Manager is an integral component of Akamai's global distribution service. It is used to deliver big files quickly and reliably to users around world. Many software vendors such as Symantec and Microsoft have used it to provide downloads to the public.
Akamai provides both a Java Applet and ActiveX version of Download Manager. If a user uses the ActiveX control once, it will remain installed on the user's computer until manually removed. For More information, please visit following websites:
This vulnerability specifically exists in manager.exe when handling Redswoosh downloads. Redswoosh is a peer-to-peer content delivery technology. When a specifically malformed HTTP response is received, a stack buffer overflow will occur.
Exploitation allows an attacker to execute arbitrary code in the context of the user viewing a maliciously crafted Web page.
To exploit this vulnerability, an attacker would need to persuade a user to view a malicious Web page. This is usually accomplished by getting the targeted user to click a link.
iDefense has confirmed the existence of this vulnerability within version 188.8.131.52 of Akamai Technologies Inc's Download Manager. All older versions are suspected to be vulnerable.
Setting kill-bits for the associated CLSIDs will prevent Akamai Download Manager ActiveX control from being loaded within Internet Explorer, thereby preventing exploitation, which also may prevent Download Manager from working properly.
Version 184.108.40.206 CLSID: 4871A87A-BFDD-4106-8153-FFDE2BAC2967
Version 220.127.116.11 CLSID: 2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B
Version 18.104.22.168 CLSID: FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1
During prior iDefense testing, upgrading to a new version of Akamai Download Mangaer did not automatically uninstall or disable the prior versions, thus leaving the older version still vulnerable. iDefense recommends manually removing older version of Akamai Download Manager.
Akamai Technologies Inc has released a patch which addresses this issue. Information about downloadable vendor updates can be found by clicking on the URLs shown.
A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.
02/10/2009 - Initial Contact
02/10/2009 - Initial response / PoC requested
02/17/2009 - PoC requested
02/19/2009 - PoC sent
03/27/2009 - Fix received for eval
03/31/2009 - Fix Validated to Vendor
07/21/2009 - Disclosure date set
07/22/2009 - Coordinated Public Disclosure
This vulnerability was reported to iDefense by Stephen Fewer of Harmony Security (www.harmonysecurity.com).
Get paid for vulnerability research
Free tools, research and upcoming events
Copyright © 2009 Verisign, Inc.
Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDefense. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please e-mail customer service for permission.
Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.