The United States Computer Emergency Readiness Team (US-CERT) reports a newly found security vulnerability in Macrovision's FLEXnet Connect. It also affects end user machines where the update agent has been installed, which many setups created with InstallShield do by default.
FLEXnet Connect includes an ActiveX control called DWUpdateService, which is provided by the file agent.exe. This ActiveX control fails to restrict access to its methods, which can allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system.
US-CERT Vulnerability Note VU#524681
Reportedly the vulnerability affects FLEXnet Connect 6.0 and InstallShield Update Service 3.x to 5.x. Macrovision released an update for this file, which had previously been affected by another vulnerability (US-CERT VU#847993):
FLEXnet Connect 6.0 Security Patch
If you are using the affected products, you should install the update and also deploy it to your customer base as soon as possible.
This is a read-only archive of the InstallSite Forum. You cannot post any new content here.

Security issue in FLEXnet Connect/Update Service
Started by Stefan Krueger, Jun 01 2007 14:51
1 reply to this topic
Posted 01 June 2007 - 14:51
Stefan Krüger
InstallSite.org
Posted 04 June 2007 - 12:03
While doing some research on this vulnerability I checked several versions of the agent.exe redistributable and it seems that it's using different CLSIDs in each release. The US-CERT advisory recommends setting the kill-bit for the control. But since its CLSID keeps changing this is quite difficult. The CLSID listed in the US-CERT article appears to apply only to the latest (= fixed) version. So (unless I'm mistaken, which is quite possible) the kill-bit workaround from US-CERT will NOT work and you are still vulnerable.
For updates on this matter please see my blog at http://msmvps.com/bl...te/default.aspx
Stefan Krüger
InstallSite.org
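Since the second post above notes that the CLSID differs between agent.exe releases, the following added example (not part of the original posts and not Macrovision or US-CERT code) lists the CLSIDs actually registered on a machine for agent.exe and shows whether the kill-bit is set for each one. It assumes the control's COM server path ends in `\agent.exe` and that the class is registered machine-wide under HKLM; any other vendor's agent.exe will also be listed, so check the Server column.

```powershell
# Added example. Assumption: the control's COM server path ends in \agent.exe
# and it is registered under HKLM (per-user registrations are not scanned).
$killBit = 0x400   # "Compatibility Flags" bit that blocks a control in IE
$views = @(
    @{ Classes = 'HKLM:\SOFTWARE\Classes\CLSID'
       Compat  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Classes = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID'   # 32-bit view on x64
       Compat  = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

$found = foreach ($view in $views) {
    Get-ChildItem -LiteralPath $view.Classes -ErrorAction SilentlyContinue | ForEach-Object {
        $clsidKey = $_
        foreach ($serverType in 'LocalServer32', 'InprocServer32') {
            # Some class keys are not readable; skip those instead of aborting.
            try { $sub = $clsidKey.OpenSubKey($serverType) } catch { continue }
            if (-not $sub) { continue }
            $server = [string]$sub.GetValue('')   # default value = server command line
            $sub.Close()

            # Keep only servers whose binary is agent.exe; drop quotes and arguments.
            if ($server -notmatch '^"?(?<path>[^"]*\\agent\.exe)') { continue }
            $path = [Environment]::ExpandEnvironmentVariables($Matches['path'])

            # Read the kill-bit for this exact CLSID in the matching registry view.
            $compatKey = Join-Path $view.Compat $clsidKey.PSChildName
            $flags = (Get-ItemProperty -LiteralPath $compatKey -ErrorAction SilentlyContinue).'Compatibility Flags'

            [pscustomobject]@{
                Clsid       = $clsidKey.PSChildName
                View        = $view.Classes
                Server      = $path
                FileVersion = if (Test-Path -LiteralPath $path) {
                                  (Get-Item -LiteralPath $path).VersionInfo.FileVersion
                              } else { $null }
                KillBitSet  = [bool]($flags -band $killBit)
            }
        }
    }
}

$found | Format-Table -AutoSize
```

A row with `KillBitSet` False means the workaround has not been applied to the CLSID that is actually installed on that machine, whatever CLSID the advisory lists.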