[NT] Macrovision InstallShield InstallScript One-Click Install Untrusted Library Loading Vulnerability



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Macrovision InstallShield InstallScript One-Click Install Untrusted
Library Loading Vulnerability
------------------------------------------------------------------------


SUMMARY

Macrovision InstallShield InstallScript One-Click Install
(OCI) is "a web based installer technology that allows software publishers
to distribute minimal installer packages which allow end users to select
components to install. Upon first visiting such a website, the user is
prompted to install the ActiveX control". Remote exploitation of an
untrusted library loading vulnerability in Macrovision's InstallShield
InstallScript One-Click Install ActiveX control allows remote attackers to
execute code with the privileges of the currently logged in user.

DETAILS

Vulnerable Systems:
* Macrovision InstallShield InstallScript One-Click Install ActiveX
Control version 12.0

Immune Systems:
* Macrovision InstallShield InstallScript One-Click Install ActiveX
Control version 12.0 with SP2

InstallShield InstallScript "One-Click Install" is implemented in an
ActiveX control with the following properties:
File: %WINDIR%\Downloaded Program Files\setup.exe
CLSID: 53D40FAA-4E21-459f-AA87-E4D97FC3245A

This control is marked "safe for scripting".

When a user visits a website from which a web install can be performed,
the ActiveX control downloads and loads several DLL files from the remote
website. Since no sanity checks are performed on the DLL files, an
attacker can substitute specially crafted libraries that will execute
arbitrary code when loaded.

Analysis:
Exploitation allows attackers to execute arbitrary code with the
privileges of the currently logged-in user. In order for exploitation to
occur, users would be required to have a vulnerable version of the ActiveX
control installed and be lured to a malicious site.

Workaround:
Administrators can set the kill-bit for the vulnerable ActiveX control
with the following .reg file. This will prevent the control from loading
within Internet Explorer.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{53D40FAA-4E21-459f-AA87-E4D97FC3245A}]
"Compatibility Flags"=dword:00000400
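
To confirm the workaround took effect on a host, the following PowerShell audit (an added example, not part of the original advisory) reads the kill-bit for the advisory's CLSID and reports whether the control file is present. The function names Test-KillBit and Get-OciExposure are hypothetical, and the Wow6432Node check is an addition for 32-bit Internet Explorer on 64-bit Windows, which the advisory's .reg file does not cover.

```powershell
# Added example: audit the kill-bit workaround. Run from 64-bit PowerShell on
# 64-bit Windows so registry redirection does not hide the native view.
$Clsid = '{53D40FAA-4E21-459f-AA87-E4D97FC3245A}'   # CLSID from the advisory

function Test-KillBit {
    param([string]$Clsid, [int]$Mask = 0x400)       # 0x400 = kill-bit flag

    # 32-bit IE on 64-bit Windows reads the Wow6432Node view, so every
    # view that exists has to carry the flag.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }   # view absent on this OS
        $key   = Join-Path $root $Clsid
        $flags = $null
        if (Test-Path -LiteralPath $key) {
            $flags = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                        -ErrorAction SilentlyContinue).'Compatibility Flags'
        }
        [pscustomobject]@{
            Key        = $key
            Flags      = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '(not set)' }
            # Test the bit rather than the whole value: other flags may be set too.
            KillBitSet = ($null -ne $flags) -and (($flags -band $Mask) -eq $Mask)
        }
    }
}

function Get-OciExposure {
    param([string]$Clsid)

    # File location given in the advisory.
    $control = Join-Path $env:WINDIR 'Downloaded Program Files\setup.exe'
    $views   = @(Test-KillBit -Clsid $Clsid)
    $missing = @($views | Where-Object { -not $_.KillBitSet })
    [pscustomobject]@{
        ControlPresent = Test-Path -LiteralPath $control
        KillBitViews   = $views
        # Mitigated only when every registry view carries the kill-bit.
        Mitigated      = ($views.Count -gt 0) -and ($missing.Count -eq 0)
    }
}

Get-OciExposure -Clsid $Clsid | Format-List
```

A host reporting ControlPresent as True and Mitigated as False still needs either the kill-bit or the vendor hotfix.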

Vendor response:
Macrovision has addressed this vulnerability by releasing a hotfix for the
following products.

FLEXnet InstallShield 12 Professional (with InstallShield 12 SP2)
FLEXnet InstallShield 12 Premier (with InstallShield 12 SP2)

For more information, consult their Knowledge Base article at the
following URL.


http://knowledge.macrovision.com/selfservice/microsites/search.do?cmd=displayKC&externalId=Q113640

CVE Information:
CVE-2007-5661
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5661

Disclosure timeline:
01/08/2007 - Initial vendor notification
04/17/2007 - Second vendor notification
04/18/2007 - Initial vendor response
03/31/2008 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense Labs.
The original article can be found at:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=649


