Release date: February 23, 2010
Last updated: February 25, 2010
Vulnerability identifier: APSB10-08
CVE number: CVE-2010-0189
Platform: Windows
A critical vulnerability has been identified in the Adobe Download Manager versions 1.6.2.60 and earlier on Windows. This vulnerability (CVE-2010-0189) could potentially allow an attacker to download and install unauthorized software onto a user's system.
Users, who have downloaded Adobe Reader for Windows from http://get.adobe.com/reader/ or Adobe Flash Player for Windows from http://get.adobe.com/flashplayer/ prior to the release of this Security Bulletin on February 23, 2010, can verify they are not vulnerable to this Adobe Download Manager issue by following the instructions in the Solution section below.
Adobe Download Manager versions 1.6.2.60 and earlier on Windows (prior to February 23, 2010)
Users, who have downloaded Adobe Reader for Windows from http://get.adobe.com/reader/ or Adobe Flash Player for Windows from http://get.adobe.com/flashplayer/ prior to the release of this Security Bulletin on February 23, 2010, can verify they are not vulnerable to this Adobe Download Manager issue by following the instructions below:
If the NOS files are found, the Adobe Download Manager issue can be mitigated by:
OR
This issue is resolved as of Adobe Download Manager version 1.6.2.63, released February 23, 2010, and no action is required for future downloads of Adobe Reader from http://get.adobe.com/reader/ or Adobe Flash Player from http://get.adobe.com/flashplayer/.
Adobe categorizes this as a critical update. Users can remove potentially vulnerable installations of the Adobe Download Manager using the instructions in the Solution section above.
A critical vulnerability has been identified in the Adobe Download Manager versions 1.6.2.60 and earlier on Windows. This vulnerability (CVE-2010-0189) could potentially allow an attacker to download and install unauthorized software onto a user's system.
The Adobe Download Manager is intended for one-time use. The Adobe Download Manager is designed to remove itself from the computer after use at the next computer restart. However, Adobe recommends users verify that a potentially vulnerable version of the Adobe Download Manager (versions 1.6.2.60 and earlier on Windows) is no longer installed on their machine using the instructions in the Solution section above.
Adobe would like to thank the following individuals and organizations for reporting the relevant issue (CVE-2010-0189) and for working with Adobe to help protect our customers:
February 25, 2010 - Bulletin updated with version information, removed instructions for deleting service
February 23, 2010 - Bulletin first created