ALERT: Akamai Download Manager Arbitrary Program Execution Vulnerability
Akamai supplies both an ActiveX and a Java-based download manager. The ActiveX control remains installed on the user's computer until it is manually removed, so a user who downloaded a single file through it months ago is still exposed. It is important to note that Akamai has been used by vendors such as Symantec and Microsoft (eg: TechNet and MSDN) for file distribution, so the control is likely to be present on many machines.
Akamai Technologies Inc's DownloadManagerV2.ocx version 126.96.36.199
Akamai Technologies Inc's Download Manager Java Applet version 188.8.131.52
The vulnerability makes it possible for an attacker to use the download manager to download and execute an arbitrary file automatically, simply by tricking the victim into visiting a malicious web page; no further user interaction is required.
The download manager's user interface is displayed during an attack, but there may be insufficient time for the user to cancel the download before the file is executed.
Setting the kill bit for the associated CLSIDs prevents Internet Explorer from loading the ActiveX control. The affected CLSIDs are:
Disabling Java in the browser prevents exploitation via the Java applet.
Akamai has fixed this vulnerability in version 184.108.40.206 of their download manager product. Please refer to the following URL for upgrade instructions. Note that upgrading does not by itself remove the vulnerable ActiveX control: make sure it has been removed from C:\Windows\Downloaded Program Files, where it appears as "DownloadManagerV2.ocx":
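The kill-bit and clean-up steps above, as an added example that is not part of the Akamai advisory or of Akamai's own tooling. Because the advisory text here does not reproduce the CLSIDs, the script discovers them by scanning HKCR\CLSID for InprocServer32 entries that point at DownloadManagerV2.ocx, then sets the kill bit (Microsoft's documented "Compatibility Flags" value 0x400 under the ActiveX Compatibility key) for each, and finally checks whether the OCX is still present in Downloaded Program Files. The 0x400 flag, the registry paths and the Wow6432Node view for 32-bit IE on 64-bit Windows are Microsoft's documented mechanism; the function names are this example's own. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not code from the Akamai advisory. Run elevated.
# 1. Find every CLSID registered to DownloadManagerV2.ocx.
# 2. Set the IE kill bit (Compatibility Flags 0x400) for each CLSID.
# 3. Report whether the OCX file itself is still on disk.

$OcxName = 'DownloadManagerV2.ocx'
$KillBit = 0x400   # documented ActiveX Compatibility kill-bit flag

# Enumerate HKCR\CLSID and return each CLSID whose InprocServer32
# default value points at the named file.
function Find-ClsidForFile {
    param([Parameter(Mandatory)][string]$FileName)
    Get-ChildItem 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $srv = Get-ItemProperty -Path "Registry::$($_.Name)\InprocServer32" -ErrorAction SilentlyContinue
            if ($srv -and $srv.'(default)' -like "*\$FileName") { $_.PSChildName }
        }
}

# OR the kill bit into Compatibility Flags so any flags already set survive.
function Set-KillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $roots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
    if ([Environment]::Is64BitOperatingSystem) {
        # 32-bit IE on 64-bit Windows reads the Wow6432Node view of this key.
        $roots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    }
    foreach ($root in $roots) {
        $key = Join-Path $root $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $flags = [int]$current -bor $KillBit
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
        "kill bit set: $key = 0x{0:X}" -f $flags
    }
}

$clsids = @(Find-ClsidForFile -FileName $OcxName)
if ($clsids.Count -eq 0) {
    "No CLSID is registered for $OcxName on this machine."
} else {
    foreach ($c in $clsids) { Set-KillBit -Clsid $c }
}

# The kill bit only stops IE from loading the control; it does not delete it.
$ocxPath = Join-Path $env:windir "Downloaded Program Files\$OcxName"
if (Test-Path $ocxPath) {
    $ver = (Get-Item $ocxPath).VersionInfo.FileVersion
    Write-Warning "$OcxName (version $ver) is still present at $ocxPath. Remove it via Internet Options > Settings > View Objects, or 'regsvr32 /u' it and delete the file."
} else {
    "$OcxName is not present in Downloaded Program Files."
}
```

The kill bit is the more durable control of the two: it stays in effect even if a page later tries to reinstall the same CLSID, whereas deleting the file alone leaves the control one "install now" prompt away from returning. Neither step covers the Java applet variant, which still needs Java disabled in the browser.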