The InformationWeek -- Blogs
David Berlind's Tech Radar


Adobe: Fake Flash Player Downloads Could Have Malicious Payload


Posted by David Berlind, Aug 5, 2008 09:50 AM

A heads up to all IT people (and users) regarding the downloading of Adobe's Flash Player (or, what users think might be Adobe's Flash Player). Adobe has issued a warning regarding comments being posted to social networking sites that contain hyperlinks to imposter updates for the company's popular Flash Player plug-in.

According to a post by David Lenoe on Adobe's Product Security Incident Response Team blog (subscribe via Atom), the link, when clicked, tells users they need to update their Flash Player to continue. However, going through with the update results in the downloading of malware instead. According to Lenoe:

the worm posts comments on these sites that include links to a fake site. If the link is followed, users are told they need to update their Flash Player. The installer, posted on a malicious site, of course installs malware instead of Flash Player.

Lenoe goes on to talk about the importance of verifying the authenticity of the Flash Player download by checking the source (the domain should always be adobe.com) or, in the case of Windows only (*sigh*), verifying the download's digital signature. Writes Lenoe:

all Adobe software for Windows is signed with a digital certificate that is validated by Windows when you install our software. The Publisher will always be 'Adobe Systems, Incorporated', and you can verify this when you double-click the installer, or by right-clicking on the installer, selecting 'Properties', and going to the 'Digital Signatures' tab.

Lenoe is referring to the Authenticode process in Windows. When installing Adobe's Flash Player on Windows, the process is interrupted with a verification dialog that looks like this:

[Image: Authenticode Dialog]

As you can see, it says the publisher is "Adobe Systems Incorporated." However, this dialog is not necessarily enough to guarantee the authenticity of the download. Users are encouraged to click on the publisher's name to check the status of the digital certificate as well as the certificate authority (CA) that signed it. As can be seen from the image below, Adobe's digital certificates are signed by VeriSign (a very reputable CA).

[Image: Adobe Digital Certificate Dialog]

There are plenty of installers in the wild that are not signed. This doesn't mean that the installer carries a malicious payload. It means that you have no way of guaranteeing the installer comes from the source it claims to come from, even if you downloaded it from the correct domain. If, for example, a hacker managed to compromise the download directory of that domain, s/he could also replace the download with a malicious imposter. This is why security experts warn users to be extremely careful when downloading and installing unsigned software.

Also, Lenoe mentions how users can right-click on the installer to view its properties. Well, yes and no. If you install software from a downloaded installer that's represented by an icon on your desktop (or system), then yes. But, in most cases (including with the Flash Player installer), software is downloaded and installed directly from the Web in a way that the installer is never represented as a separate, clickable entity on the local filesystem (nor is the option to engage in more of a download-then-install-manually process presented).

Finally, while Adobe offers a means of downloading the Flash Player directly from its Web site, businesses can guarantee that their users are working with an installer that's been verified as the "Real McCoy" by distributing it on their own and advising employees to use the company-endorsed installer. Adobe's terms and conditions for redistribution of its various "Web players" (Flash, Acrobat Reader, AIR, etc.) can be found here.
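
For the company-managed distribution described above, the publisher and CA checks from the two dialogs can be scripted against an installer that has been saved to disk before anyone runs it. This is an added example, not code from Adobe or from the original post; the function name, its parameters and the path in the usage comment are assumptions, and the expected names are passed in rather than hard-coded.

```powershell
# Added example: verify a downloaded installer's Authenticode signature
# before approving it for internal distribution.
function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedPublisher,  # name shown in the Authenticode dialog
        [Parameter(Mandatory)] [string] $ExpectedIssuer      # CA named in the certificate dialog
    )

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # 'Valid' means the file's hash matches the signature and the certificate
    # chains to a root this machine trusts. NotSigned, HashMismatch,
    # NotTrusted and the other statuses all fail the check.
    $statusOk = $sig.Status -eq [System.Management.Automation.SignatureStatus]::Valid

    $publisher = $null; $issuer = $null; $thumbprint = $null
    if ($sig.SignerCertificate) {
        $nameType   = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $publisher  = $sig.SignerCertificate.GetNameInfo($nameType, $false)  # subject (publisher)
        $issuer     = $sig.SignerCertificate.GetNameInfo($nameType, $true)   # issuing CA
        $thumbprint = $sig.SignerCertificate.Thumbprint
    }

    # A valid signature alone is not enough: anyone can buy a code-signing
    # certificate. The publisher must match exactly, so a look-alike name
    # signed by a trusted CA is still rejected.
    $trusted = $statusOk -and
               ($publisher -eq $ExpectedPublisher) -and
               ($issuer -like "*$ExpectedIssuer*")

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status
        Publisher  = $publisher
        Issuer     = $issuer
        Thumbprint = $thumbprint
        # Record the hash so the copy employees receive can be compared
        # against the copy that was verified.
        SHA256     = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Trusted    = $trusted
    }
}

# Usage (hypothetical path; names are the ones quoted in this article):
# $r = Test-InstallerSignature -Path 'C:\Staging\flash_installer.exe' `
#        -ExpectedPublisher 'Adobe Systems Incorporated' -ExpectedIssuer 'VeriSign'
# if (-not $r.Trusted) { throw "Refusing to distribute: $($r.Status)" }
```

The publisher and issuer strings should be set to whatever the vendor's current certificate actually shows, confirmed once by hand from a known-good download.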

See also:

InfoWorld: Adobe warns of bogus Flash Player Installers

ZDNet: Adobe: Beware of fake Flash downloads
