Security vulnerability in FLEXnet Connect/InstallShield Update Service end user ActiveX control (reported May 31, 2007)
The United States Computer Emergency Readiness Team (US-CERT) reports a newly found security vulnerability in Macrovision's FLEXnet Connect. The vulnerability also affects end-user machines on which the update agent has been installed, which many setups created with InstallShield do by default.
FLEXnet Connect includes an ActiveX control called DWUpdateService, which is provided by the file agent.exe. This ActiveX control fails to restrict access to its methods, which can allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system.
US-CERT Vulnerability Note VU#524681
Reportedly the vulnerability affects FLEXnet Connect 6.0 and InstallShield Update Service 3.x to 5.x. Macrovision released an update for this file, which had previously been affected by another vulnerability (US-CERT VU#847993):
FLEXnet Connect 6.0 Security Patch
If you are using the affected products, you should install the update and also deploy it to your customer base as soon as possible.
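To find machines where the update agent is registered, the following read-only PowerShell inventory lists COM classes whose server is agent.exe and reports the file version for comparison against the vendor's patched build. It is an added example, not code from US-CERT or Macrovision. The function name is hypothetical, the registry paths are the standard COM registration locations, and whether a match is the DWUpdateService control should be confirmed from the ProgId it reports.

```powershell
# Added example: read-only inventory of COM classes served by agent.exe.
# 'agent.exe' is the file name given in the advisory; the function name is
# hypothetical and the registry roots are the standard COM registration paths.
function Find-UpdateAgentRegistration {
    param(
        [string]$ServerFileName = 'agent.exe',
        [string[]]$Roots = @(
            'HKLM:\SOFTWARE\Classes\CLSID',
            'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'  # 32-bit view on 64-bit Windows
        )
    )
    # Match the file name only as the last path component of the server command.
    $pattern = '(^|[\\/"])' + [regex]::Escape($ServerFileName) + '("|\s|$)'
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($clsid in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            foreach ($kind in 'LocalServer32', 'InprocServer32') {
                $serverKey = $clsid.OpenSubKey($kind)
                if ($null -eq $serverKey) { continue }
                $command = [string]$serverKey.GetValue('')  # default value holds the server path
                $serverKey.Close()
                if ($command -notmatch $pattern) { continue }

                # Strip quotes and arguments so the file itself can be inspected.
                $path = if ($command -match '^\s*"([^"]+)"') { $Matches[1] }
                        elseif ($command -match '^\s*(.+?\.exe)(\s|$)') { $Matches[1] }
                        else { $command.Trim() }
                $present = Test-Path -LiteralPath $path -PathType Leaf
                $version = if ($present) { (Get-Item -LiteralPath $path).VersionInfo.FileVersion }

                $progIdKey = $clsid.OpenSubKey('ProgID')
                $progId = if ($progIdKey) { $progIdKey.GetValue(''); $progIdKey.Close() }

                [pscustomobject]@{
                    Clsid       = $clsid.PSChildName
                    ProgId      = $progId
                    ServerKind  = $kind
                    Command     = $command
                    FilePresent = $present
                    FileVersion = $version   # compare with the build shipped in the vendor patch
                }
            }
        }
    }
}

Find-UpdateAgentRegistration | Format-List
```

An empty result means no class under the machine-wide roots points at agent.exe; per-user registrations under HKCU are not covered by this example.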