[NT] Macrovision InstallShield Update Service ActiveX Unsafe Method Vulnerability
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 1 Nov 2007 11:10:49 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
Macrovision InstallShield Update Service ActiveX Unsafe Method
MacroVision InstallShield is "an installer solution utilized by many
software vendors in order to ensure that their products are delivered and
setup properly on the end-user systems. InstallSheild includes support for
an optional component called the 'Update Service'. This service allows
vendors to notify clients of product patches and updates, and allow them
to be easily installed". Remote exploitation of an unsafe method
vulnerability in Macrovision InstallShield Update Service allows attackers
to execute arbitrary code with the privileges of the currently logged-in
* Macrovision InstallShield Update version 5.01.100.47363, and
The Update Service is implemented as an ActiveX control with the following
File: C:\Windows\Downloaded Files\isusweb.dll
Version: 5.01.100.47363, and 18.104.22.168146
This control is marked "safe for scripting". Several methods within this
control can be utilized by attackers to download and launch arbitrary
Exploitation allows attackers to execute arbitrary code with the
privileges of the currently logged-in user. In order for exploitation to
occur, users would be required to have a vulnerable version of the
software installed and be lured to a malicious site. Even though the
update control does display an interface, no additional interaction is
required in order for exploitation to occur.
Since this control is marked "safe for scripting", it can be launched from
a web page without warning dialogs. While it is possible for an alert user
to determine what is occurring and cancel the installation, the window of
opportunity is small and based solely upon the time required for the
system to complete the download.
Administrators can set the kill-bit for the vulnerable ActiveX control
with the following .reg file. This will prevent the control from loading
within Internet Explorer.
Windows Registry Editor Version 5.00
Macrovision has addressed this vulnerability by releasing updated versions
of their FlexNet and InstallShield products. They report that the new
versions are no longer marked as "safe for scripting". For more
information, consult the following URL:
09/24/2007 - Initial vendor notification
09/24/2007 - Initial vendor response
10/31/2007 - Coordinated public disclosure
The information has been provided by iDefense Labs.
The original article can be found at:
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Next by Date: [NT] Symantec Altiris Deployment Solution TFTP/MTFTP Service Directory Traversal Vulnerability
- Next by thread: [NT] Symantec Altiris Deployment Solution TFTP/MTFTP Service Directory Traversal Vulnerability