Thursday, November 01, 2007

[NT] Macrovision InstallShield Update Service ActiveX Unsafe Method Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Macrovision InstallShield Update Service ActiveX Unsafe Method
Vulnerability
------------------------------------------------------------------------


SUMMARY

<http://www.macrovision.com/products/installation/installshield.htm>
Macrovision InstallShield is "an installer solution utilized by many
software vendors in order to ensure that their products are delivered and
setup properly on the end-user systems. InstallShield includes support for
an optional component called the 'Update Service'. This service allows
vendors to notify clients of product patches and updates, and allow them
to be easily installed". Remote exploitation of an unsafe method
vulnerability in Macrovision InstallShield Update Service allows attackers
to execute arbitrary code with the privileges of the currently logged-in
user.

DETAILS

Vulnerable Systems:
* Macrovision InstallShield Update versions 5.01.100.47363 and
6.0.100.60146

The Update Service is implemented as an ActiveX control with the following
properties:

CLSID: E9880553-B8A7-4960-A668-95C68BED571E
File: C:\Windows\Downloaded Files\isusweb.dll
Version: 5.01.100.47363, and 6.0.100.60146

This control is marked "safe for scripting". Several methods within this
control can be utilized by attackers to download and launch arbitrary
executables.

Analysis:
Exploitation allows attackers to execute arbitrary code with the
privileges of the currently logged-in user. In order for exploitation to
occur, users would be required to have a vulnerable version of the
software installed and be lured to a malicious site. Even though the
update control does display an interface, no additional interaction is
required in order for exploitation to occur.

Since this control is marked "safe for scripting", it can be launched from
a web page without warning dialogs. While it is possible for an alert user
to determine what is occurring and cancel the installation, the window of
opportunity is small and based solely upon the time required for the
system to complete the download.

Workaround:
Administrators can set the kill-bit for the vulnerable ActiveX control
with the following .reg file. This will prevent the control from loading
within Internet Explorer.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E9880553-B8A7-4960-A668-95C68BED571E}]
"Compatibility Flags"=dword:00000400

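The following PowerShell check is an added example, not part of the iDefense advisory or of Macrovision's guidance. It reads the "Compatibility Flags" value for the CLSID above in both the 64-bit and 32-bit registry views (a 32-bit Internet Explorer on 64-bit Windows reads the Wow6432Node copy) and reports whether the kill-bit is set; the function and variable names are illustrative.

```powershell
# Added example (read-only): report whether the advisory's kill-bit is in place.
$Clsid   = '{E9880553-B8A7-4960-A668-95C68BED571E}'   # CLSID from the advisory
$KillBit = 0x00000400                                 # value from the advisory's .reg file
$SubKey  = "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

function Test-KillBit {
    param([int]$Flags)
    # "Compatibility Flags" is a bit field, so mask instead of comparing for equality.
    return (($Flags -band $KillBit) -eq $KillBit)
}

function Get-KillBitStatus {
    param([Microsoft.Win32.RegistryView]$View)
    $state = 'key missing'
    $flags = $null
    $base  = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
                 [Microsoft.Win32.RegistryHive]::LocalMachine, $View)
    try {
        $key = $base.OpenSubKey($SubKey)              # opens the key read-only
        if ($null -ne $key) {
            try {
                $flags = $key.GetValue('Compatibility Flags', $null)
            } finally { $key.Close() }
            if ($flags -isnot [int])            { $state = 'value missing or not a DWORD' }
            elseif (Test-KillBit -Flags $flags) { $state = 'kill-bit set' }
            else                                { $state = 'kill-bit NOT set' }
        }
    } finally { $base.Close() }

    # Show the raw flags in hex so other bits set alongside 0x400 stay visible.
    $hex = $null
    if ($flags -is [int]) { $hex = '0x{0:X8}' -f $flags }
    [pscustomobject]@{ View = $View; Flags = $hex; Status = $state }
}

# On 32-bit Windows both views resolve to the same key.
foreach ($view in 'Registry64', 'Registry32') {
    Get-KillBitStatus -View $view
}
```
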
Vendor response:
Macrovision has addressed this vulnerability by releasing updated versions
of their FlexNet and InstallShield products. They report that the new
versions are no longer marked as "safe for scripting". For more
information, consult the following URL:
<http://www.macrovision.com/promolanding/7660.htm>


CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5660>
CVE-2007-5660

Disclosure timeline:
09/24/2007 - Initial vendor notification
09/24/2007 - Initial vendor response
10/31/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense Labs.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=618>

