InstallSite Blog : FLEXnet Connect

FLEXnet Connect 6.1 Security Update

stefan — Mon, 16 Feb 2009 10:43:44 GMT

Acresso has published a fix for a security issue in FLEXnet Connect (previously called InstallShield Update Service) that was reported in September 2008.

The problem was that FLEXnet connect used an unauthenticated HTTP connection to download and execute scripts from the update server. Therefore an attacker could cause the client to execute malicious scripts, for instance by redirecting the connection using a proxy or a DNS attack.

The update is only available for FLEXnet Connect version 6.1. According to the US-CERT FLEXnet Connect version 11.1.100.17104 or higher is not affected by the problem.

Acresso’s knowledge base article about the security update has no technical details about how the problem was fixed.

The update is available for the FLEXnet Connect client agent which is already installed on end users’ computers and for the FLEXnet Connect SDK which developers adding FLEXnet Connect to their setup should install on their development machines.

To deploy the end user hotfix to your customers, create and publish an update to your product, as described in the knowledge base article.

To install the fixed SDK, you must first manually uninstall the previous version from your development machine (I wonder why Acresso isn’t using a Major Upgrade for this purpose).

Security Vulnerability in FLEXnet Connect / InstallShield Update Service

stefan — Thu, 18 Sep 2008 07:10:40 GMT

When checking for updates, the FLEXnet Connect client (and it's previous versions named InstallShield Update Service) can download and execute scripts from the update server. The problem is that these scripts are downloaded via HTTP, so the identity of the server isn't verified and the scripts are not encrypted. Therefore an attacker could cause the client to execute malicious scripts, for instance by redirecting the connection using a proxy or a DNS attack. There's no fix available but the following article from the US-CERT (United States Computer Emergency Readiness Team) lists some possible workarounds:

Vulnerability Note VU#837092: InstallShield / Macrovision / Acresso FLEXnet Connect insecurely retrieves and executes scripts

InstallShield 2009 Upgrade Caveats

stefan — Sat, 14 Jun 2008 10:07:20 GMT

There are many great new features, improvements and bug fixes in InstallShield 2009, as detailed in the release notes. But if you consider upgrading to the new version you also should be aware of some changes that might be a problem for your projects. I'd like to highlight the following issues, but please also review knowledge base article Q200151.

Stand Alone Build engine (SAB) is only available for owners of the Premier edition. It was removed from the Professional edition with the release of InstallShield 12, but users upgrading from InstallShield Professional 10.x or 11.x which included the SAB could get the current version free of charge. With InstallShield 2009 this is no longer possible. If you need the Stand Alone Build you must buy Premier.

FLEXnet Connect (formerly InstallShield Update Service) support is only available in MSI projects. If you are using pure InstallScript projects you can no longer add this update notification tool to your setup. For InstallScript MSI it is still available but some script functions related to FLEXnet Connect have been removed. For Basic MSI projects FLEXnet Connect continues to be supported as usual. (FLEXnet Connect is an add-on to InstallShield that is charged separately.)

For more information:

New Security Vulnerability in FLEXnet Connect

stefan — Sun, 20 Jan 2008 12:23:00 GMT

New reports about security vulnerabilities in Macrovision's FLEXnet Connect (formerly called InstallShield Update Service) have been published on January 15, ~~2007~~ 2008. The vulnerability would enable an attacker to remotely run malicious code on a users machine. The following files are affected:

isusweb.dll version 6.1.100.61372
ISDM.exe version 6.1.100.61372

Other versions may also be affected.

Sample exploit code is available on the web.

Macrovision has not yet replied to my request for a confirmation of these reports. As a workaround you should set the kill bit for the affected ActiveX controls (see below articles for details).

Setups created with Macrovision's InstallShield often ship the FLEXnet Connect/Update Service client by default, even if the author isn't actually using it. I recommend that you review your setup packages and inform your customers, if your setup installed the vulnerable files on their machines.

[edit 2008-02-25: corrected the date]

More on the security patch for FLEXnet Connect

stefan — Fri, 02 Nov 2007 11:18:00 GMT

Some additional information about the recently reported security vulnerability in FLEXnet Connect:

According to Secunia the vulnerability is reported in versions 5.01.100.47363 and 6.0.100.60146 of the Update Service ActiveX control (isusweb.dll), but other versions may also be affected. It is recommended that you update all machines which have versions prior to 6.0.100.65101 installed, or set the kill bit for the affected control. For more information see the advisory from VeriSign iDefense Security Intelligence Service.

A stand-alone installer to update the FLEXnet Connect Client on your end users' machines is available (Download). Unfortunately the installer isn't digitally signed, so it will display a UAC dialog with yellow title bar on Windows Vista, warning about an unidentified program. Note that this stand-alone installer will not update the redistributables on your development machine. You need to install the latest Connect SDK to do this.

To update the files in the InstallShield Redist folders on your development machine, download and install the latest version of the FLEXnet Connect SDK. I did this on a machine which has both InstallShield 12 and InstallShield 2008 installed. This updated the files in the Macrovision\IS12\Redist\Update Service folder, but not in its IS2008 counterpart. So after installing the SDK you should verify the version numbers and update the files manually as needed.

Security patch for FLEXnet Connect

stefan — Tue, 30 Oct 2007 17:00:00 GMT

Today, Macrovision Corp. notified customers of FLEXnet Connect® (formerly called InstallShield Update Service) of a security vulnerability in the FLEXnet Connect client version 6.0. Customers using the FLEXnet Connect functionality that is bundled with some editions of InstallShield and AdminStudio are also affected. The problem only exists in the Windows client, not the Universal client. Also, version 6.1 is not affected.

Macrovision has released a patch to fix the vulnerability. If you are using FLEXnet connect and distributed the client to your customers, you need to take action as soon as possible. After updating the Connect SDK on your development machine you have to create an update for your application setup and ship it to your customers in order to update the Connect client on their machines.

Macrovision knowledge base articles:

Side note: End users can't update the client dircetly from Macrovision because it was installed by your setup as a merge module. This servicing limitation is making merge modules less popular these days, see Rule 43 in the Tao of the Windows Installer.

Macrovision preparing end-user patch for FLEXnet Connect/Update Service security issues

stefan — Thu, 21 Jun 2007 19:32:00 GMT

Updated information about the recent security vulnerability reports in Macrovision's FLEXnet Connect and InstallShield Update Service products: Product manager Trent Wheeler told me they are currently in the process of rolling out the fix for the two problems reported by US-CERT to customers of InstallShield, AdminStudio, and other Macrovision products that utilize the FLEXnet Connect product.

And they are writing an additional patch, one that is appropriate for end-users of FLEXnet Connect to apply directly to the installed version of the agent rather than the intermediate consumers of the SDK. This will be made generally available to customers of Macrovision's products that utilize FLEXnet Connect, and to interested 3rd parties, as soon as it clears QA.

Doubts about yet another FLEXnet Connect/InstallShield Update Service vulnerability report

stefan — Wed, 06 Jun 2007 09:58:00 GMT

On June 4th TippingPoint, a provider of network-based intrusion prevention systems, reported a new buffer overflow vulnerability that affects Macrovision FLEXnet Connect version 6 and InstallShield Update Service versions 3-5.

TippingPoint Vulnerability Report

What puzzles me is the CLSID of the vulnerable ActiveX control: 85A4A99C-8C3D-499E-A386-E0743DFF8FB7. I couldn't find this CLSID in my registry. But instead I found reports which associate this CLSID with a vulnerable Yahoo Mesenger ActiveX control: US-CERT Vulnerability Note VU#388377

According to the TippingPoint review the vulnerable ActiveX control is in the file boisweb.dll. I don't have this file on my computer either, and I've never seen such a file. Searching the web for this file name found many copies and quotes of this vulnerability report, but nothing else.

This really makes me wonder how reliable this report from TippingPoint is. But they say you should be safe if you install the latest version of the FLEXnet Connect SDK which you should do anyway to address the other vulnerability.

Update on the FLEXnet Connect/InstallShield Update Service vulnerability

stefan — Sat, 02 Jun 2007 12:46:00 GMT

While doing some research on the security vulnerability in FLEXnet Connect and InstallShield Update Service I checked several versions of the agent.exe redistributable and it seems that it's using different CLSIDs in each release. The US-CERT advisory recommends setting the kill-bit for the control. But since its CLSID keeps changing this is quite difficult. The CLSID listed in the US-CERT article appears to apply only to the latest (= fixed) version. So (unless I'm mistaken, which is quite possible) the kill-bit workaround from US-CERT will NOT work and you are still vulnerable.

Security vulnerability in FLEXnet Connect/InstallShield Update Service end user ActiveX control (reported May 31, 2007)

stefan — Fri, 01 Jun 2007 12:53:00 GMT

The United States Computer Emergency Readiness Team (US-CERT) reports a newly found security vulnerability in Macrovision's FLEXnet Connect. It also affects end user machines where the update agent has been installed, which many setups created with InstallShield do by default.

FLEXnet Connect includes an ActiveX control called DWUpdateService, which is provided by the file agent.exe. This ActiveX control fails to restrict access to its methods, which can allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system.

US-CERT Vulnerability Note VU#524681

Reportedly the vulnerability affects FLEXnet Connect 6.0 and InstallShield Update Service 3.x to 5.x. Macrovision released an update for this file, which had previously been affected by another vulnerability (US-CERT VU#847993):

FLEXnet Connect 6.0 Security Patch

If you are using the affected products, you should install the update and also deploy it to your customer base as soon as possible.

Security Vulnerabilities in InstallShield Runtime Files on End User Machines

stefan — Mon, 05 Mar 2007 17:55:00 GMT

The United States Computer Emergency Readiness Team (US-CERT) reported critical security vulnerabilities in two ActiveX controls and a Netscape plug-in that InstallShield/Macrovision products install on end user machines. According to the reports the vulnerabilities can be exploited execute arbitrary code if the victim views a specially crafted HTML document, e.g. a web page or an HTML e-mail.

The affected products are:

FLEXnet Connect / InstallShield Update Service

The InstallShield Update Service Web Agent ActiveX control contains a buffer overflow, which could allow an attacker to execute arbitrary code on a vulnerable system. InstallShield Update Service is now called FLEXnet Connect.

US-CERT Report

Macrovision has released a patch to solve this problem based on version 6.0 of the FLEXnet Connect Windows agent. This does not affect the Java agent. It is recommended that you deploy this patch as soon as possible to your customer base. An e-mail with instructions has been sent to FLEXnet Connect customers.
Alternatively you can set the kill bit for the affected ActiveX control as described in the US-CERT report.

InstallFromTheWeb (IFTW)

The InstallShield InstallFromTheWeb ActiveX control and Netscape plug-in both contain multiple buffer overflows, which could allow an attacker to execute arbitrary code on a vulnerable system.

US-CERT Report

Macrovision sent me the following reply when I asked them for a comment on the IFTW vulnerability:

Regarding InstallFromTheWeb, our position is that InstallFromTheWeb is an obsolete product from Macrovision. This product has already passed it's end-of-life period, therefore Macrovision is no longer supporting this product.
We recommend, where it makes sense, that all IFTW customers use the current version of InstallShield, InstallShield 12, instead of InstallFromTheWeb. InstallShield 12 does not have the vulnerability issue.

InstallFromTheWeb was sold as a product from 1997 through early 2000, when it was replaced by One-Click Installs (OCI) in InstallShield Professional 6.2.

The workaround for the IFTW vulnerability is setting the kill bit for the affected ActiveX control, or deleting the Netscape plug-in, respectively, as described in the US-CERT report.