             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       | /_\   /    \___
                          \___  __|__ / \ \___
             __________________________________________________________

                             INFORMATION BULLETIN

                    FLEXnet Connect 6.0 Security Patch
                          [Macrovision Q113020]

June 4, 2007 17:00 GMT                                            Number R-258
______________________________________________________________________________
PROBLEM:       The Macrovision FLEXnet Connect Software Manager
               DWUpdateService ActiveX control fails to restrict access to
               its methods, which can allow a remote, unauthenticated
               attacker to execute arbitrary commands on a vulnerable system.

PLATFORM:      FLEXnet Connect 6.0
               Update Service 3.x to 5.x

DAMAGE:        Can allow a remote, unauthenticated attacker to execute
               arbitrary commands on a vulnerable system.

SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. Can allow a remote, unauthenticated
ASSESSMENT:    attacker to execute arbitrary commands on a vulnerable system.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/r-258.shtml
 ORIGINAL BULLETIN:  http://support.installshield.com/kb/view.asp?articleid=Q113020
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0328
______________________________________________________________________________

[***** Start Macrovision Q113020 *****]

INFO: FLEXnet Connect 6.0 Security Patch

Document ID: Q113020
Last Revised On: Thursday, May 31, 2007

This article applies to the following:

Product(s):
  Update Service 3.x
  Update Service 4.x
  Update Service 5.x
  FLEXnet Connect 6

Operating System(s):
  All Windows

Summary

On February 22, 2007, the United States Computer Emergency Readiness Team
(US-CERT) published Vulnerability Note VU#847993 outlining the presence of
a buffer overflow vulnerability in the FLEXnet Connect agent.
At Macrovision, providing our customers with the most secure solutions has
always been a top priority, and we have released a patch to solve this
problem based on version 6.0 of the FLEXnet Connect Windows agent.

NOTE: This vulnerability does not affect the Java agent. Also note that the
security patch is included in the FLEXnet Connect 6.1 SDK, so there is no
need to install the 6.0 SDK if the 6.1 agent is used.

--------------------------------------------------------------------------------

Discussion

We recommend you deploy this patch as soon as possible to your customer
base. To do so, please follow the steps below:

1. To download the patch:

   First, uninstall the previous version of the FLEXnet Connect SDK. The
   necessary files will not be updated if the new SDK is applied over an
   older version.

   Download and install the updated FLEXnet Connect 6 SDK on your build
   system. The SDK can be found at:

   http://saturn.installshield.com/isus/600/windowssdk/flexnetconnectsdk.exe

2. To prepare the patch for deployment:

   The easiest way to do this is to first prepare a patch or upgrade to your
   application. If you are using the FLEXnet Connect integration with
   Macrovision's InstallShield, the patch will automatically be included in
   the next application or patch you release. If you are not using these
   technologies, we have also provided an updated Windows Installer Merge
   Module (MSM, which can be found in the directory where the SDK is
   installed).

3. To release the patch:

   Create an update to your application and provide the patch to your
   customers using FLEXnet Connect.

Additional Information

If you have a Macrovision support plan and have any questions about this
patch, please contact Macrovision Support at
installshieldsupport@macrovision.com or use the number provided in your
maintenance package.

--------------------------------------------------------------------------------

References

For more information on how to create an update in FLEXnet Connect, you can
look here.
[***** End Macrovision Q113020 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Macromedia for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government.
Neither the United States Government nor the University of California nor
any of their employees, makes any warranty, express or implied, or assumes
any legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process disclosed, or
represents that its use would not infringe privately owned rights. Reference
herein to any specific commercial products, process, or service by trade
name, trademark, manufacturer, or otherwise, does not necessarily constitute
or imply its endorsement, recommendation or favoring by the United States
Government or the University of California. The views and opinions of
authors expressed herein do not necessarily state or reflect those of the
United States Government or the University of California, and shall not be
used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

R-248: Security Vulnerabilities in the SOCKS Module of Sun Java System Web Proxy
R-249: Avast! Antivirus Vulnerability
R-250: File Security Update
R-251: Apple QuickTime 7.1.6 Security Update
R-252: Mozilla Layout Engine Vulnerable
R-253: SeaMonkey Security Update
R-254: Thunderbird Security Update
R-255: Firefox Security Update
R-256: Logitech VideoCall Vulnerabilities
R-257: Open Ticket Request System (OTRS) Vulnerability