ALERT: Akamai Download Manager Arbitrary Program Execution Vulnerability
Akamai supplies both an ActiveX and a Java-based download manager. The ActiveX control remains installed on the user's computer until it is manually removed. It is important to note that Akamai has been used by vendors such as Symantec and Microsoft (e.g. TechNet and MSDN) for file distribution.
Vulnerable versions:
Akamai Technologies Inc's DownloadManagerV2.ocx version 2.2.2.1
Akamai Technologies Inc's Download Manager Java Applet version 2.2.2.0
The security vulnerability makes it possible for an attacker to use the download manager to automatically download and execute files simply by tricking the victim into visiting a malicious web page.
The download manager user interface is displayed during an attack, but there may be insufficient time to cancel the download before exploitation occurs.
Workaround:
Setting kill bits for the following CLSIDs will prevent the ActiveX control from being loaded within Internet Explorer:
2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B
FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1
Disabling Java will prevent exploitation via the Java Applet.
Akamai has fixed this vulnerability in version 2.2.3.5 of its download manager product. Please refer to the following URL for upgrade instructions (and don't forget to make sure that the vulnerable ActiveX control has been removed; you will find it in C:\Windows\Downloaded Program Files, with the file name "DownloadManagerV2.ocx"):
http://dlm.tools.akamai.com/tools/upgrade.html
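The kill-bit workaround and the removal check above, as an added PowerShell example (not part of the original advisory or of Akamai's tooling). It assumes an elevated Windows PowerShell console and uses the standard kill-bit mechanism (Compatibility Flags DWORD with bit 0x400 under the ActiveX Compatibility key, per Microsoft KB240797); the two CLSIDs are the ones listed in the workaround.

```powershell
# Added example: set the IE kill bit for the two Akamai Download Manager CLSIDs
# from the advisory, verify the bit is set, and report whether the vulnerable
# DownloadManagerV2.ocx is still present on disk. Run from an elevated console.
$clsids = @(
    '{2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B}',
    '{FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1}'
)
$KillBit = 0x400   # Compatibility Flags bit that blocks the control in IE (KB240797)

# Native view, plus the 32-bit view used by 32-bit IE on 64-bit Windows
$bases = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if ([Environment]::Is64BitOperatingSystem) {
    $bases += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Set-KillBit {
    param([string]$Base, [string]$Clsid)
    $key = Join-Path $Base $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Preserve any flags already present; only OR in the kill bit
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
}

function Test-KillBit {
    param([string]$Base, [string]$Clsid)
    $key = Join-Path $Base $Clsid
    $v = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $v) -and (($v -band $KillBit) -ne 0)
}

foreach ($base in $bases) {
    foreach ($clsid in $clsids) {
        Set-KillBit -Base $base -Clsid $clsid
        $state = if (Test-KillBit -Base $base -Clsid $clsid) { 'set' } else { 'NOT set' }
        Write-Output ("{0}\{1} -> kill bit {2}" -f $base, $clsid, $state)
    }
}

# The advisory also asks that the vulnerable control be removed from disk
$ocx = Join-Path $env:windir 'Downloaded Program Files\DownloadManagerV2.ocx'
if (Test-Path $ocx) {
    Write-Warning "Vulnerable control still present: $ocx (remove it via Internet Options > Settings > View objects)"
} else {
    Write-Output "DownloadManagerV2.ocx not found under Downloaded Program Files"
}
```

The kill bit only stops Internet Explorer from instantiating the control; it does not cover the Java applet path, so disabling Java remains a separate step as the advisory notes.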
Cite: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=695