SOURCE: Fortinet

June 10, 2008 13:00 ET

Fortinet Discovers Critical Vulnerability for Akamai ActiveX Control

Parameter Injection Attack Caught by Fortinet Intrusion Prevention System

SUNNYVALE, CA--(Marketwire - June 10, 2008) - Fortinet® -- the pioneer and leading provider of unified threat management (UTM) solutions -- today announced that its FortiGuard® Global Security Research Team has discovered a parameter injection vulnerability in the Akamai Download Manager. The vulnerability, against which Fortinet's intrusion prevention system (IPS) already protects, allows a remote file to be transferred to an arbitrary location on an end user's system through Akamai's ActiveX control. An attacker who successfully exploits this vulnerability can then run arbitrary code on the user's system and potentially exploit it for financial gain.

"Cyber criminals are becoming ever more sophisticated in the methods they use for obtaining personal information for malicious intent," said Derek Manky, security researcher for Fortinet. "Exploits have the potential to be especially harmful, as when executed correctly, a malicious file could be downloaded in a 'drive-by' nature without user interaction."

Customers who subscribe to Fortinet's IPS service are already protected against this parameter injection attack. Users are encouraged to follow the solution provided by Akamai at http://www.securityfocus.com/archive/1/493077/30/0/threaded. The FortiGuard Global Security Research Team released a signature, "Akamai.Download.Manager.ActiveX.Insecure.Parameter" (http://www.fortiguardcenter.com/ids/VID15566), on April 23, 2008, which covers this specific vulnerability. Additional information on this advisory can be found at http://www.fortiguardcenter.com/advisory/FGA-2008-13.html.

Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam. These services enable protection against threats on both application and network layers. FortiGuard Services are regularly updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate®, FortiMail™ and FortiClient™ products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat's lifecycle.

For ongoing threat research, bookmark the FortiGuard Center (http://www.fortiguardcenter.com/) or add it to your RSS feed by going to http://www.fortinet.com/FortiGuardCenter/rss/index.html. To learn more about FortiGuard Subscription Services, visit http://www.fortinet.com/products/fortiguard.html.

About Fortinet (www.fortinet.com)

Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection -- including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam -- designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in seven programs by ICSA Labs: firewall, antivirus, IPSec, SSL, network IPS and anti-spyware. Fortinet is privately held and based in Sunnyvale, California.

Copyright © 2008 Fortinet, Inc. All rights reserved. Fortinet is a registered trademark of Fortinet, Inc. FortiGate, FortiOS, FortiAnalyzer, FortiASIC, FortiCare, FortiManager, FortiWiFi, FortiGuard, FortiClient, FortiReporter and other names are trademarks of Fortinet, Inc. in the United States and/or other countries. All other trademarks referred to herein are the property of their respective owners.

Contact Information