FLEXnet Connect 6.1 Security Update
Acresso has published a fix for a security issue in FLEXnet Connect (previously called InstallShield Update Service) that was reported in September 2008.
The problem was that FLEXnet Connect used an unauthenticated HTTP connection to download and execute scripts from the update server. An attacker could therefore cause the client to execute malicious scripts, for instance by redirecting the connection using a proxy or a DNS attack.
The update is only available for FLEXnet Connect version 6.1. According to US-CERT, FLEXnet Connect version 11.1.100.17104 or higher is not affected by the problem.
Acresso’s knowledge base article about the security update has no technical details about how the problem was fixed.
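For illustration, here is a general way an update client can refuse scripts that arrive over an unauthenticated or redirected connection. This is an added example, not Acresso's fix and not FLEXnet Connect code. The host name, script name and the digest manifest (assumed to ship inside the signed installer rather than over the update connection) are hypothetical.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed sample data. The manifest of pinned digests is assumed to be
# delivered by an authenticated channel (for example inside the signed setup),
# never over the same connection as the script itself.
GOOD_SCRIPT = b"echo checking for updates\n"
SCRIPT_NAME = "update-check.script"            # hypothetical script name
PINNED = {SCRIPT_NAME: hashlib.sha256(GOOD_SCRIPT).hexdigest()}
ALLOWED_HOSTS = {"updates.example.com"}        # hypothetical update server


def vet_update(url_chain, name, body, pinned=PINNED):
    """Decide whether a downloaded script may be executed.

    url_chain lists every URL the download visited, redirects included.
    Returns (ok, reason); the caller runs the script only when ok is True.
    """
    for url in url_chain:
        parts = urlsplit(url)
        # A single plain-HTTP hop is enough for a proxy to swap the content.
        if parts.scheme != "https":
            return False, f"unauthenticated transport: {url}"
        if parts.hostname not in ALLOWED_HOSTS:
            return False, f"unexpected host: {parts.hostname}"
    expected = pinned.get(name)
    if expected is None:
        return False, f"no pinned digest for {name}"
    actual = hashlib.sha256(body).hexdigest()
    # Content check is independent of the transport: a redirected or spoofed
    # server cannot produce a different script with the pinned digest.
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch: script differs from the published one"
    return True, "ok"


if __name__ == "__main__":
    good = "https://updates.example.com/" + SCRIPT_NAME
    cases = [
        ("clean download", [good], GOOD_SCRIPT),
        ("plain HTTP", ["http://updates.example.com/" + SCRIPT_NAME], GOOD_SCRIPT),
        ("redirect to HTTP", [good, "http://updates.example.com/x"], GOOD_SCRIPT),
        ("altered script", [good], GOOD_SCRIPT + b"echo injected\n"),
    ]
    for label, chain, body in cases:
        print(label, "->", vet_update(chain, SCRIPT_NAME, body))
```

The scheme and host checks stand in for TLS certificate validation, which an offline example cannot show. The digest check is what keeps a DNS-redirected download from being executed.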
The update is available for the FLEXnet Connect client agent, which is already installed on end users’ computers, and for the FLEXnet Connect SDK, which developers adding FLEXnet Connect to their setup should install on their development machines.
To deploy the end user hotfix to your customers, create and publish an update to your product, as described in the knowledge base article.
To install the fixed SDK, you must first manually uninstall the previous version from your development machine (I wonder why Acresso isn’t using a Major Upgrade for this purpose).