No replies to this topic

[Stefan Krueger]

Some additional information about the recently reported security vulnerability in FLEXnet Connect:

According to Secunia the vulnerability is reported in versions 5.01.100.47363 and 6.0.100.60146 of the Update Service ActiveX control (isusweb.dll), but other versions may also be affected. It is recommended that you update all machines which have versions prior to 6.0.100.65101 installed, or set the kill bit for the affected control. For more information see the advisory from VeriSign iDefense Security Intelligence Service.

A stand-alone installer to update the FLEXnet Connect Client on your end users' machines is available (Download). Unfortunately the installer isn't digitally signed, so it will display a UAC dialog with yellow title bar on Windows Vista, warning about an unidentified program. Note that this stand-alone installer will not update the redistributables on your development machine. You need to install the latest Connect SDK to do this.

To update the files in the InstallShield Redist folders on your development machine, download and install the latest version of the FLEXnet Connect SDK. I did this on a machine which has both InstallShield 12 and InstallShield 2008 installed. This updated the files in the Macrovision\IS12\Redist\Update Service folder, but not in its IS2008 counterpart. So after installing the SDK you should verify the version numbers and update the files manually as needed.


For more news and articles please visit my blog at msmvps.com/blogs/installsite or subscribe to the RSS feed.