This is a read-only archive of the InstallSite Forum. You cannot post any new content here.
Security issues in InstallShield redistributables


2 replies to this topic

Stefan Krueger

    InstallSite.org

  • Administrators
  • 13,269 posts

Posted 27 February 2007 - 11:54

Critical security vulnerabilities have been reported in two ActiveX controls and a Netscape plug-in that InstallShield/Macrovision products install on end user machines. The affected products are:

FLEXnet Connect / InstallShield Update Service
The InstallShield Update Service Web Agent ActiveX control contains a buffer overflow, which could allow an attacker to execute arbitrary code on a vulnerable system. (InstallShield Update Service is now called FLEXnet Connect)
Report details

InstallFromTheWeb
The InstallShield InstallFromTheWeb ActiveX control and Netscape plug-in both contain multiple buffer overflows, which could allow an attacker to execute arbitrary code on a vulnerable system.
Report details

According to the reports the vulnerabilities can be exploited for remote code execution if the victim visits a specially crafted web page or e-mail attachment. The only workaround at this time is setting the kill bit for the affected ActiveX controls and deleting the Netscape plug-in, as described in the vulnerability reports.

Regarding InstallFromTheWeb, Macrovision's position is:

InstallFromTheWeb is an obsolete product from Macrovision. This product has already passed its end-of-life period, therefore Macrovision is no longer supporting this product.
We recommend, where it makes sense, that all IFTW customers use the current version of InstallShield, InstallShield 12, instead of InstallFromTheWeb. InstallShield 12 does not have the vulnerability issue.


[Update] InstallFromTheWeb was sold as a product from 1997 through early 2000, when it was replaced by One-Click Installs (OCI) in InstallShield Professional 6.2.

[Update] For FLEXnet Connect an update is being tested and is expected to be available in the next few business days, along with additional information.

Stefan Krueger

Posted 27 February 2007 - 14:41

Updated information about FLEXnet Connect and IFTW.

Stefan Krueger

Posted 05 March 2007 - 18:38

Today Macrovision released a patch to solve this problem based on version 6.0 of the FLEXnet Connect Windows agent. This does not affect the Java agent. It is recommended that you deploy this patch as soon as possible to your customer base. An e-mail with instructions has been sent to FLEXnet Connect customers.