Akamai Download Manager Arbitrary Program Execution Vulnerability
Akamai Download Manager is an integral component of Akamai's global distribution service. It is used to deliver big files quickly and reliably to users around the world. It has been used by vendors such as Symantec and Microsoft to provide downloads to the public.
Akamai provides both an ActiveX and a Java based Download Manager. If a user uses the ActiveX control once, it will remain installed on the user's computer until manually removed. For more information, please visit the following web sites.
http://www.akamai.com/html/technology/products/http_downloads.html
http://www.akamai.com/html/solutions/electronic_software_delivery.html
Remote exploitation of a design error in Akamai Technologies, Inc’s Download Manager allows attackers to execute arbitrary code in the context of the current user.
The ActiveX control version has the following identifiers:
Class: DownloadManager Control
CLSID: 2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B
CLSID: FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1
ProgId: MANAGER.DLMCtrl.1.
File: C:\Windows\Downloaded Program Files\DownloadManagerV2.ocx
The Java version has the following identifiers:
Class: com.akamai.dm.ui.applet.DMApplet.class
JAR: dlm-java-2.2.2.0.jar
This problem specifically exists due to two undocumented object parameters. By using these parameters, it is possible to cause Download Manager to automatically download and execute arbitrary binaries from attacker-controlled locations.
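An added defender-side audit, not part of the advisory: it checks a Windows host for the ActiveX control identified above (both CLSIDs, the ProgId and the .ocx file) and reports whether the Internet Explorer kill bit (Compatibility Flags 0x400, per Microsoft KB 240797) is set for each CLSID. The kill-bit mechanism and the Wow6432Node key for 32-bit controls on 64-bit hosts are assumptions drawn from general Windows knowledge, not from the advisory.

```powershell
# Added example (not the advisory's own code). Read-only audit: reports
# whether the Akamai DownloadManager ActiveX control is present and
# whether IE's kill bit blocks it. Makes no changes to the system.
$clsids = @(
    '{2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B}',
    '{FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1}'
)
$progId  = 'MANAGER.DLMCtrl.1'
$ocxPath = Join-Path $env:SystemRoot 'Downloaded Program Files\DownloadManagerV2.ocx'
$killBit = 0x400   # Compatibility Flags bit that prevents IE from instantiating a control

# Kill bits live under this key; 32-bit IE on 64-bit Windows also reads the Wow6432Node copy.
$compatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Test-KillBit([string]$clsid) {
    foreach ($root in $compatRoots) {
        $flags = (Get-ItemProperty -Path (Join-Path $root $clsid) `
                  -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        # Treat the control as blocked only if the bit is set in every applicable hive.
        if ($null -eq $flags -or (($flags -band $killBit) -eq 0)) { return $false }
    }
    return $true
}

function Get-DlmControlStatus {
    foreach ($clsid in $clsids) {
        [pscustomobject]@{
            CLSID        = $clsid
            Registered   = Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            KillBitSet   = Test-KillBit $clsid
            ProgIdExists = Test-Path "Registry::HKEY_CLASSES_ROOT\$progId"
            FileOnDisk   = Test-Path $ocxPath
        }
    }
}

# A row with Registered = True and KillBitSet = False means the vulnerable
# control can still be instantiated by a web page in the current user's context.
Get-DlmControlStatus | Format-Table -AutoSize
```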