Main Menu

VIP Services

Critical Alerts

- 28 May 2008

Adobe Flash Player Unspecified Remote Code Execution Vulnerability

 

- 11 Mar 2008

Microsoft Excel Multiple Remote Code Execution Vulnerabilities

 

- 16 Jan 2008

Microsoft Excel File Handling Remote Arbitrary Code Execution Vulnerability

 

- 13 Dec 2007

JustSystems Ichitaro "JSGCI.DLL" Document Processing Remote Buffer Overflow Vulnerability

 

- 11 Dec 2007

Microsoft Internet Explorer Multiple Remote Memory Corruption Vulnerabilities

 

Advisories » Macrovision FLEXnet Connect DownloadManager ActiveX Control Insecure Methods Vulnerability

 

Release Date: 15/01/2008 Severity: Highly Critical Highly Critical
SecWatch Advisory: SWID1020062 Cause: Not specified
Solution Status: Unpatched Impact: Execution of arbitrary code
Exploit Status: None Available Access Vector: From remote
 
Affected Software: Macrovision AdminStudio
Macrovision FLEXnet Connect 6.x
Macrovision InstallShield
Macrovision Update Service 2.x
Macrovision Update Service 3.x
Macrovision Update Service 4.x
Macrovision Update Service 5.x
 
Original Advisory: http://lists.grok.org.uk/pipermail/full-disclosure/2008-January/059611..
References: FrSIRT/ADV-2008-0145
Secunia: SA28496
Bugtraq ID: BID#27279

 

Description:

A vulnerability in Macrovision FLEXnet Connect has been reported, which can be exploited by remote users to compromise a user's system.

An error exists in the "AddFile()" and "RunScheduledJobs()" methods in the DownloadManager ActiveX control (ISDM.exe), which can be exploited to download an arbitrary file to a users machine which can also lead to certain files being overwritten.

 

Affected:

Macrovision FLEXnet Connect version 6.1.100.61372. Other versions may also be affected.

 

Solution:

There was no vendor-supplied solution at the time of entry.

Set the kill-bit for the affected ActiveX control CLSID {FCED4482-7CCB-4E6F-86C9-DCB22B52843C}.

 

Credits:

Elazar Broad

 

Free Vulnerability Notification Service

Receive free instant and customisable notifications of new vulnerabilities or exploits via e-mail, web or RSS feeds. Click here for more information.

 

Related Vulnerabilities and Exploits

01 Apr 08: Macrovision InstallShield InstallScript One-Click Install ActiveX..

01 Nov 07: Macrovision Products Update Service ActiveX Control Remote Insecu..

05 Jun 07: Macrovision FLEXnet boisweb.dll ActiveX Control Remote Buffer Ove..