[NT] Macrovision InstallShield Update Service ActiveX Unsafe Method Vulnerability



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Macrovision InstallShield Update Service ActiveX Unsafe Method
Vulnerability
------------------------------------------------------------------------


SUMMARY

<http://www.macrovision.com/products/installation/installshield.htm>
Macrovision InstallShield is "an installer solution utilized by many
software vendors in order to ensure that their products are delivered and
setup properly on the end-user systems. InstallShield includes support for
an optional component called the 'Update Service'. This service allows
vendors to notify clients of product patches and updates, and allow them
to be easily installed". Remote exploitation of an unsafe method
vulnerability in Macrovision InstallShield Update Service allows attackers
to execute arbitrary code with the privileges of the currently logged-in
user.

DETAILS

Vulnerable Systems:
* Macrovision InstallShield Update versions 5.01.100.47363 and
6.0.100.60146

The Update Service is implemented as an ActiveX control with the following
properties:

CLSID: E9880553-B8A7-4960-A668-95C68BED571E
File: C:\Windows\Downloaded Files\isusweb.dll
Versions: 5.01.100.47363 and 6.0.100.60146

This control is marked "safe for scripting". Several methods within this
control can be utilized by attackers to download and launch arbitrary
executables.

Analysis:
Exploitation allows attackers to execute arbitrary code with the
privileges of the currently logged-in user. In order for exploitation to
occur, users would be required to have a vulnerable version of the
software installed and be lured to a malicious site. Even though the
update control does display an interface, no additional interaction is
required in order for exploitation to occur.

Since this control is marked "safe for scripting", it can be launched from
a web page without warning dialogs. While it is possible for an alert user
to determine what is occurring and cancel the installation, the window of
opportunity is small and based solely upon the time required for the
system to complete the download.

Workaround:
Administrators can set the kill-bit for the vulnerable ActiveX control
with the following .reg file. This will prevent the control from loading
within Internet Explorer.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E9880553-B8A7-4960-A668-95C68BED571E}]
"Compatibility Flags"=dword:00000400

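To confirm that the workaround is actually in place on a host, the following added example (not part of the original advisory) reports whether the kill bit is set for the CLSID above and can set it while preserving any other compatibility flags. It goes beyond the .reg file by also checking the Wow6432Node view that 32-bit Internet Explorer reads on 64-bit Windows; the function names Get-CompatFlags and Set-KillBit are illustrative.

```powershell
$Clsid   = '{E9880553-B8A7-4960-A668-95C68BED571E}'  # CLSID from the advisory
$KillBit = 0x00000400                                # kill-bit flag from the advisory's .reg file
$Name    = 'Compatibility Flags'

# Native view plus the 32-bit view used by 32-bit Internet Explorer on 64-bit Windows
# (the second path is an addition; the advisory's .reg file names only the first).
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatFlags {
    param([string]$KeyPath)
    # Returns $null when the key or the value does not exist.
    if (-not (Test-Path -LiteralPath $KeyPath)) { return $null }
    $item = Get-ItemProperty -LiteralPath $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Set-KillBit {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$KeyPath)
    $current = Get-CompatFlags -KeyPath $KeyPath
    if ($null -eq $current) { $current = 0 }
    # OR the bit in so that other compatibility flags already present are kept.
    $new = $current -bor $KillBit
    if ($PSCmdlet.ShouldProcess($KeyPath, "set '$Name' to 0x$('{0:X8}' -f $new)")) {
        if (-not (Test-Path -LiteralPath $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
        New-ItemProperty -LiteralPath $KeyPath -Name $Name -PropertyType DWord -Value $new -Force | Out-Null
    }
}

foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }  # e.g. no Wow6432Node on 32-bit Windows
    $key   = Join-Path $root $Clsid
    $flags = Get-CompatFlags -KeyPath $key
    # Test the bit rather than comparing for equality: other flags may also be set.
    $set   = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
    [pscustomobject]@{ Key = $key; Flags = $flags; KillBitSet = $set }
    # To remediate from an elevated prompt, uncomment (remove -WhatIf to apply):
    # if (-not $set) { Set-KillBit -KeyPath $key -WhatIf }
}
```
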
Vendor response:
Macrovision has addressed this vulnerability by releasing updated versions
of their FlexNet and InstallShield products. They report that the new
versions are no longer marked as "safe for scripting". For more
information, consult the following URL:
http://www.macrovision.com/promolanding/7660.htm

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5660>
CVE-2007-5660

Disclosure timeline:
09/24/2007 - Initial vendor notification
09/24/2007 - Initial vendor response
10/31/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense Labs.
The original article can be found at:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=618


