October 31st, 2007

Macrovision patches patch-delivery tool, leaves DRM zero-day wide open

Posted by Ryan Naraine @ 1:36 pm

Macrovision today released a patch for a very severe vulnerability in the FLEXnet Connect (InstallShield) patch-delivery offering but there’s still no word on a fix for a zero-day attack vector in the company’s Safedisc DRM application.

FLEXnet Connect, which lets users electronically deliver applications, patches, updates, and messages directly to third-party systems, has been updated to correct an ActiveX issue that could lead to code execution attacks.

[ SEE: Zero-day flaw in Macrovision DRM app under attack ]

A warning from iDefense spells out the risk scenario:

Exploitation allows attackers to execute arbitrary code with the privileges of the currently logged-in user. In order for exploitation to occur, users would be required to have a vulnerable version of the software installed and be lured to a malicious site. Even though the update control does display an interface, no additional interaction is required in order for exploitation to occur.

Since this control is marked “safe for scripting”, it can be launched from a web page without warning dialogs. While it is possible for an alert user to determine what is occurring and cancel the installation, the window of opportunity is small and based solely upon the time required for the system to complete the download.

Macrovision InstallShield Update Service versions 5.01.100.47363 and 6.0.100.60146 are confirmed vulnerable. Previous versions are also suspected to be at risk, iDefense said.

Patches are available for download at Macrovision’s FLEXnet Connect site.
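The "safe for scripting" marking in the iDefense warning is visible in the registry, so a defender can list which installed ActiveX controls a web page may script without a prompt and which of those are already blocked by a kill bit. The sketch below is an added example, not code from iDefense, Macrovision or this post; it parses decoded `reg export` text, and the CLSIDs and names in the sample are constructed placeholders because the post does not give the affected control's CLSID. It only sees the registry marking, so controls that declare safety at run time through IObjectSafety are not covered.

```python
import re

# Component category a control registers under to declare itself "safe for scripting".
CATID_SAFE_FOR_SCRIPTING = "{7DD95801-9882-11CF-9FA9-00AA006C42C4}"
KILL_BIT = 0x400  # "Compatibility Flags" bit that stops Internet Explorer loading a control
G = r"(\{[0-9A-F-]{36}\})"
CATEGORY = re.compile(r"\\CLSID\\" + G + r"\\Implemented Categories\\" + G + r"$", re.I)
CLASS = re.compile(r"\\CLSID\\" + G + r"$", re.I)
COMPAT = re.compile(r"\\ActiveX Compatibility\\" + G + r"$", re.I)
FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{8})$', re.I)

# Constructed `reg export` text; the CLSIDs and names are placeholders, not real controls.
SAMPLE_REG = r"""
[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}]
@="Example Update Agent"
[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}]
@="Example Legacy Control"
[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\Implemented Categories\{7dd95801-9882-11cf-9fa9-00aa006c42c4}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000400
[HKEY_CLASSES_ROOT\CLSID\{33333333-3333-3333-3333-333333333333}]
@="Example Unmarked Control"
"""

def exposed_controls(reg_text):
    """Return sorted (CLSID, name) pairs marked safe for scripting with no kill bit set."""
    names, scriptable, killed, key = {}, set(), set(), ""
    for line in (raw.strip() for raw in reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            cat = CATEGORY.search(key)
            if cat and cat.group(2).upper() == CATID_SAFE_FOR_SCRIPTING:
                scriptable.add(cat.group(1).upper())
        elif line.startswith('@="') and CLASS.search(key):
            names[CLASS.search(key).group(1).upper()] = line[3:-1]
        elif FLAGS.match(line) and COMPAT.search(key):
            if int(FLAGS.match(line).group(1), 16) & KILL_BIT:
                killed.add(COMPAT.search(key).group(1).upper())
    return sorted((c, names.get(c, "?")) for c in scriptable - killed)

if __name__ == "__main__":
    for clsid, name in exposed_controls(SAMPLE_REG):
        print(clsid, name, "- scriptable from web pages, no kill bit")
```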

Meanwhile, Windows users are still waiting for a fix for a known flaw, already under attack, affecting the Macrovision Safedisc (secdrv.sys) DRM scheme.

That vulnerability, which affects default installations of Windows XP and Windows 2003, can be exploited to overwrite arbitrary kernel memory and execute arbitrary code with SYSTEM privileges.

Proof-of-concept exploit code (.zip file) for the Safedisc issue is already in circulation. A functional exploit is commercially available through the CORE IMPACT and Immunity Canvas penetration testing platforms.

There is a strong likelihood that the Macromedia Safedisc patch will be bundled with Microsoft’s updates on Patch Tuesday next month (November 13, 2007).

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.

