Jump to content

This is a ready-only archive of the InstallSite Forum. You cannot post any new content here. / Dies ist ein Archiv des InstallSite Forums. Hier können keine neuen Beiträge veröffentlicht werden.

Security Vulnerability in FLEXnet Connect

No replies to this topic

Stefan Krueger

Stefan Krueger


  • Administrators
  • 13,269 posts

Posted 19 September 2008 - 11:11

When checking for updates, the FLEXnet Connect client (and it's previous versions named InstallShield Update Service) can download and execute scripts from the update server. The problem is that these scripts are downloaded via HTTP, so the identity of the server isn't verified and the scripts are not encrypted. Therefore an attacker could cause the client to execute malicious scripts, for instance by redirecting the connection using a proxy or a DNS attack. There's no fix available but the following article from the US-CERT (United States Computer Emergency Readiness Team) lists some possible workarounds:

Vulnerability Note VU#837092: InstallShield / Macrovision / Acresso FLEXnet Connect insecurely retrieves and executes scripts