Menu
Macrovision patch service sports fatal flaw

Macrovision patch service sports fatal flaw

Researcher warns users to expect attacks

Macrovision patched a critical bug in the update service software it licenses to third-party developers as a researcher warned users to expect attacks.

FLEXNet, an update add-on that Macrovision sells as an option to developers who use the company's InstallShield installer, includes an ActiveX control that sports a major design flaw, said Dave Zimmer, a security engineer at VeriSign's iDefense Labs. To exploit the bug, all hackers need to do is draw users who have the ActiveX control to a malicious site; the actual attack would be unnoticed.

"No complex skills are needed to use this one," said Zimmer.

The bug isn't in the control's code, he said, but is a design flaw. "When we talked to Macrovision, they said they never intended to mark it safe for scripting," Zimmer said. "It was clearly an oversight on their part."

Because the control is marked safe for scripting, it can be launched from a site sans warning dialogs, letting attackers hijack a Windows PC with ease. "It's pretty clear that this is exploitable. There are no real barriers," said Zimmer, who predicted that attacks would show up soon. "You don't need to know more than how to write JavaScript to use this."

Macrovision posted patches for its updater Wednesday, along with advice to both developers and end users. "If you are a FLEXNet Connect customer, we recommend you deploy this patch as soon as possible to your customer base," said the warning, which instructed companies licensing the updater to create and publish a hot fix on their own servers, then distribute it to their customers.

"Any developer who uses InstallShield that includes the option to update their software has given its users the ActiveX control," Zimmer said. "We don't have any numbers, but we believe the control is fairly widespread."

All versions of the FLEXNet Connect client prior to 6.0.100.65101 must be updated, Macrovision said.


Follow Us

Join the newsletter!

Error: Please check your email address.
Show Comments