Security Hotfix for InstallShield and AdminStudio available
Flexera Software published a security hotfix for their InstallShield and AdminStudio product lines.
The hotfix is available for the following product versions:
- InstallShield 2009
- InstallShield 2010
- InstallShield 2011
- InstallShield Limited Editions
- AdminStudio 9.0
- AdminStudio 9.5
- AdminStudio 10.0
- AdminStudio Limited Editions
Newer versions (e.g. InstallShield 2012) are not affected.
The knowledge base article doesn't say anything about older versions of InstallShield and AdminStudio, most of which are end of life and no longer supported. Only AdminStudio versions 8.0, 8.5 and 8.6 are still supported until March 1st, 2012. It's currently unclear if these versions are affected by the security problem and if there will be a hotfix. (Flexera Software's end of life policy can be found at http://www.flexerasoftware.com/support/end-of-life.htm)
I didn't find technical details about the vulnerability, but TippingPoint lists advisory ZDI-CAN-1192, which is not yet published and may or may not be related to this hotfix. This advisory has a CVSS severity rating of 10 because the vulnerability can be exploited over the network, the complexity of the attack is low, and no authentication is required.
The security hotfix is not offered automatically via the update manager. Instead, you have to download it from Knowledge Base article Q201079.