On Friday IT managers got a fresh reason, if they needed one, to keep Kazaa and Grokster peer-to-peer software off users' PCs: an unpatched security hole that affects both applications.
A vulnerability in Altnet Download Manager (ADM) 4.x, installed with Grokster and Kazaa, could allow an attacker to take over a vulnerable PC via a malicious Web page, according to an advisory from Danish security firm Secunia.
ADM is part of a marketing network that runs alongside standard peer-to-peer networks distributing sponsored content. It is installed by default alongside Kazaa and Grokster, two of the most popular file-sharing applications on the Internet. The bug has been confirmed on ADM versions 184.108.40.206 and 220.127.116.11, but may also affect other versions, Secunia said. ADM 18.104.22.168 is included in Kazaa 2.7.1, and ADM 22.214.171.124 is included in Grokster 2.6.
In the absence of a patch, Secunia advised users to remove ADM ("adm.exe") or uninstall the file-sharing software.
The vulnerability is caused by a boundary error in the "IsValidFile()" method in the ADM ActiveX control, according to Secunia. An attacker could exploit the bug via a website by sending an overly-long string to the "bstrFilepath" parameter, causing a stack-based buffer overflow and allowing the execution of malicious code, the firm said. The vulnerability's discoverer goes by the handle CelebrityHacker, Secunia said.
Secunia said the vulnerability is "highly critical", the fourth-highest of its five severity ratings.
Last week, serious flaws were revealed in WinZip versions 3.x, 6.x, 7.x, 8.x and 9.x that could allow an attacker to execute malicious code on a Windows PC, the WinZip Computing said. A day earlier the Massachussetts Institute of Technology (MIT) warned of vulnerabilities in Kerberos that could allow attackers free access to protected systems.