Fortinet Discovers Critical Vulnerability for Akamai ActiveX Control

Parameter Injection Attack Caught by Fortinet Intrusion Prevention System

Malaysia, 13 June 2008 – Fortinet - the pioneer and leading provider of unified threat management (UTM) solutions - today announced that its FortiGuard Global Security Research Team has discovered a parameter injection vulnerability in the Akamai Download Manager. The vulnerability, which is protected by Fortinet’s intrusion prevention system (IPS), allows a remote file to be transferred to an arbitrary location on an end user’s system through Akamai’s ActiveX control. An attacker who successfully penetrates this vulnerability can then run arbitrary code on the user’s system and potentially exploit it for financial gain.

“Cyber criminals are becoming ever more sophisticated in the methods they use for obtaining personal information for malicious intent,” said Derek Manky, security researcher for Fortinet. “Exploits have the potential to be especially harmful, as when executed correctly, a malicious file could be downloaded in a ‘drive-by’ nature without user interaction.”

Customers who subscribe to Fortinet’s IPS service are already protected against this parameter injection attack. Users are encouraged to follow the solution provided by Akamai at http://www.securityfocus.com/archive/1/493077/30/0/threaded.

The FortiGuard Global Security Research Team has released a signature “Akamai.Download.Manager.ActiveX.Insecure.Parameter” on April 23rd, 2008, which covers this specific vulnerability. Additional information on this advisory can be found at http://www.fortiguardcenter.com/advisory/FGA-2008-13.html.

Fortinet’s IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam. These services enable protection against threats on both application and network layers. FortiGuard Services are regularly updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat’s lifecycle.