Doubts about yet another FLEXnet Connect/InstallShield Update Service vulnerability report

On June 4th TippingPoint, a provider of network-based intrusion prevention systems, reported a new buffer overflow vulnerability that affects Macrovision FLEXnet Connect version 6 and InstallShield Update Service versions 3-5.

TippingPoint Vulnerability Report

What puzzles me is the CLSID of the vulnerable ActiveX control: 85A4A99C-8C3D-499E-A386-E0743DFF8FB7. I couldn't find this CLSID in my registry. But instead I found reports which associate this CLSID with a vulnerable Yahoo Messenger ActiveX control: US-CERT Vulnerability Note VU#388377

According to the TippingPoint review the vulnerable ActiveX control is in the file boisweb.dll. I don't have this file on my computer either, and I've never seen such a file. Searching the web for this file name found many copies and quotes of this vulnerability report, but nothing else.

This really makes me wonder how reliable this report from TippingPoint is. But they say you should be safe if you install the latest version of the FLEXnet Connect SDK, which you should do anyway to address the other vulnerability.

Published Wednesday, June 06, 2007 11:58 AM by stefan

Comments

# re: Doubts about yet another FLEXnet Connect/InstallShield Update Service vulnerability report

Stefan- Google for "boisweb.dll -Macrovision" and you'll get one remaining link: http://support.businessobjects.com/downloads/microsoft/vs_2005/en/CRUpdate.msi

When I look at the MSI it shows boisweb.dll gets installed to C:\WINDOWS\Downloaded Program Files.

InstallShield Update Service Web Agent 3.10.100.1149 Copyright (C) 1990-2004 InstallShield Software

Interesting enough the "Original File Name" attribute (right click properties) is isusweb.dll.

The COM registration is

- BOWebAgent.WebAgent
- BOWebAgent.WebAgent.1
- DWUSWebAgent.WebAgent
- DWUSWebAgent.WebAgent.1
- {85A4A99C-8C3D-499E-A386-E0743DFF8FB7}
- {860DED3F-0DAE-4209-9805-F7F27310138E}
- {7803D1AB-3663-4EF0-B365-4275776FD047}

TypeLib is {6C696C32-4AC1-43F1-B28B-ACD67D5857F2} [WindowsFolder]Downloaded Program Files InstallShield Update Service WebAgent 1.0 Type Library for Business Objects

Wednesday, June 06, 2007 11:53 AM by Christopher Painter

# re: Doubts about yet another FLEXnet Connect/InstallShield Update Service vulnerability report

When you do an admin install on this MSI, run the logfile to see what it sets INSTALLDIR to. I pass it in at the command line but it gets overridden during costing. It seems that BusinessObjects has renamed almost all of the IS DLLs.

- issch.exe -> boissch.exe
- ISDM.exe -> BOISDM.exe
- agent.exe -> boagent.exe
- _isusres.dll -> _boisres.dll
- isusweb.dll -> boisweb.dll

How can you just take someone else's component key file that is hard wired with COM signatures, rename the files and deploy them to another destination? I'm sorry, but WTF were they thinking?

Oh one last thing..... when you look at the SummaryInformationStream of this install you see the creating application is Wise for Windows Installer Professional 3.52

Wednesday, June 06, 2007 12:13 PM by Christopher Painter

# re: Doubts about yet another FLEXnet Connect/InstallShield Update Service vulnerability report

Christopher - good find! Now some name speculation: ISUS = InstallShield Update Service, so that explains isusweb.dll. Maybe boisweb.dll stands for "Business Objects InstallShield Web.dll", so maybe some customized version of the Update Service client? In this case I guess it would not be updated by installing the latest FLEXnet Connect SDK version as the file name is different.

Wednesday, June 06, 2007 12:16 PM by stefan

# re: Doubts about yet another FLEXnet Connect/InstallShield Update Service vulnerability report

I don't have the backstory from InstallShield, but if I had to guess this isn't an official customized version.

1) The package is done in Wise
2) It looks like the files were just renamed and not built with new target names from a custom vendor branch.
3) The CLSIDs did not change.

My guess is that this is just the product of some BusinessObjects installation engineer's weird imagination. Now to counter my thoughts, if I extract the COM data from boisweb.dll the ProgID is in fact different. So either this was some rebuild for BusinessObjects or someone took a hex editor to the DLL. What was the original ProgID? I don't know if they are the same length or not.

Wednesday, June 06, 2007 12:53 PM by Christopher Painter
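
The checks done by hand in the post and comments above (is the CLSID registered, which file serves it, and what original name does that file's version resource carry) can be scripted for an inventory. The following PowerShell is an added example, not code from the post or its commenters; the CLSIDs, file name and directory are the ones quoted in this thread, and the registry roots are the standard COM registration locations.

```powershell
# Added example. CLSIDs, isusweb.dll and the Downloaded Program Files
# directory come from the thread; everything else is standard Windows.
$clsids = '{85A4A99C-8C3D-499E-A386-E0743DFF8FB7}',
          '{860DED3F-0DAE-4209-9805-F7F27310138E}',
          '{7803D1AB-3663-4EF0-B365-4275776FD047}'

# Machine-wide (64- and 32-bit views) and per-user COM registrations.
$roots = 'HKLM:\SOFTWARE\Classes\CLSID',
         'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID',
         'HKCU:\SOFTWARE\Classes\CLSID'

function Get-DefaultValue([string]$Key) {
    # Returns the unnamed (default) value of a registry key, or nothing.
    if (Test-Path -LiteralPath $Key) {
        (Get-ItemProperty -LiteralPath $Key).'(default)'
    }
}

$registered = foreach ($clsid in $clsids) {
    foreach ($root in $roots) {
        $key = "$root\$clsid"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $server = Get-DefaultValue "$key\InprocServer32"
        $file = $null; $vi = $null
        if ($server) {
            $file = $server.Trim('"')
            if (Test-Path -LiteralPath $file) { $vi = (Get-Item -LiteralPath $file).VersionInfo }
        }
        [pscustomobject]@{
            CLSID            = $clsid
            Hive             = $root
            ProgID           = Get-DefaultValue "$key\ProgID"
            Server           = $server
            OriginalFilename = $vi.OriginalFilename
            FileVersion      = $vi.FileVersion
            # True when the on-disk name differs from the version resource name.
            Renamed          = [bool]($vi -and $vi.OriginalFilename -and
                               ((Split-Path $file -Leaf) -ne $vi.OriginalFilename))
        }
    }
}

# A renamed copy can exist without a registration: find any DLL in the
# directory named in the comment whose version resource says isusweb.dll.
$dir = Join-Path $env:windir 'Downloaded Program Files'
$copies = Get-ChildItem -LiteralPath $dir -Filter *.dll -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.VersionInfo.OriginalFilename -eq 'isusweb.dll' } |
    Select-Object FullName, @{ n = 'FileVersion'; e = { $_.VersionInfo.FileVersion } }

$registered | Format-List
$copies     | Format-Table -AutoSize
```

Empty output from both commands means none of the three CLSIDs is registered and no copy of the web agent sits in that directory under any file name.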

# Macrovision preparing end-user patch for FLEXnet Connect/Update Service security issues

Updated information about the recent security vulnerability reports in Macrovision's FLEXnet Connect

Thursday, June 21, 2007 2:45 PM by InstallSite Blog

# Macrovision preparing end-user patch for FLEXnet Connect/Update Service security issues

Updated information about the recent security vulnerability reports in Macrovision's FLEXnet Connect

Sunday, January 20, 2008 6:04 AM by InstallSite Blog