mailing list archives
InstallShield Update Agent - Downloads and executes "Rule Scripts" insecurely.
From: "Brian Dowling" <bjd () simplicity net>
Date: Tue, 16 Sep 2008 12:01:07 -0400
-----BEGIN PGP SIGNED MESSAGE-----
InstallShield Update Agent - Remote "Rule Script" Code Execution
InstallShield Update Agent uses insecure methods of retrieving operational
script code from unauthenticated, unverified external sources over HTTP.
Arbitrary remote code execution is possible on all known product versions.
InstallShield Update Agent connects to and communicates with centralized
Acresso (formerly Macrovision) FLEXnet Connect servers for updates and other
product information on a periodic basis. From the vendor's site:
FLEXnet Connect lets you electronically deliver applications, patches,
updates, and messages directly to your users' systems.
When connecting with this service, the client agent reports its product
current version information and finds out what updates for relevant
software are available. The client can also receive special instructions
(Rules) to help it evaluate if an update is relevant. These rules are in
form of an active scripting language, such as VBScript. Unfortunately,
rules are delivered insecurely, over HTTP, both unencrypted and unsigned as
they are blissfully executed by the client.
Exploitation by injecting code into these rules can result in completely
arbitrary execution on the client side, and could thusly perform any action
such as installing or downloading additional malicious code and instructions
from an arbitrary source. This execution could potentially happen
transparently and go unnoticed by users.
Such exploitation could take place by a number of mechanisms. For example:
a) Compromising the FLEXnet Connect servers directly.
b) Filtering client system traffic through malicious proxy.
d) Utilizing DNS insecurities to cause any of the above.
e) Also, by directing clients to malicious website, ActiveX objects can
used to trigger the exploit on the attacker's schedule, (but MiTM
mechanisms may still be needed to support this).
(Note this list is by no means exhaustive.)
Due to the purpose of these products, it has been observed that systems will
check for updates unattended and thus could be compromised without any
intervention needed on the client side. Systems often check for these
on reboot (autorun) and on configurable periodic basis. Note that updates
NOT need to be installed to provoke this issue. This flaw takes effect when
the system is evaluating if updates are relevant.
It has also been observed that the recent versions of the InstallShield will
contact the server, download and execute this "Rule information" even if you
have disabled all automatic updates for your installed products. Presumably
this is part of the "compulsory updates" feature of the product. This
obviously is cause for additional concern.
Some vendor products may also include methods that call the update
internally. This may happen at program startup or through the "Check for
Updates" link often provided in the Help menu of such applications.
Note also, that in addition to the above flaw. There also appear to be
in the implementation and use of these services. It has also been noted
vendors largely appear to ignore the apparent signature capabilities of the
product to provide cryptographic signatures for the actual executable update
files that are downloaded and executed -- largely over HTTP. This implies
additional paths of code execution using the MiTM techniques mentioned.
paths have not been explored in depth, but appear to exist due to the lack
signature information in updates. The update information itself is not
signed, so it is not clear what trust chains are used to verify this
information if it was provided. This problem of course is not isolated to
this product, but many online update mechanisms in general.
Any client system using products that have update mechanisms built on the
InstallShield/FLEXnet Connect product line are vulnerable. This includes
Microsoft Windows systems that often ship with software pre-installed by the
OEM. For example, some popular CD burning software appears to use the IS
update services pointed at their own servers and is a very widely-deployed
Any vendor or provider hosting the FLEXNet update services should also be
concerned of this issue. As a result of this flaw, the security of their
servers is critical as it could impact the of all client systems, and thus
represents a liability to any customers dependant on their services.
Due to the broad reach of these products, there are many software vendors
must be informed of this issue and provide some form of remediation to
their installed customer base from these issues. Unfortunately it was
impossible to know everyone who uses this product at the time of this
It is assumed that the vendor has/will taken the actions they deem
to notify its customer base.
No vendor provided solution is known at this time. The vendor largely
discounts the issue, implying that it may be difficult to exploit and that
following best practices to secure the server systems would prevent this
being exploited. They have provided a brief document
to this effect, unfortunately they also tagged it as confidential and I
release it. The vendor said they will release it when this information is
With the addition of the Kaminsky attack, this is just another reason why
must be sure your DNS is update to date, and be proactive as new protection
mechanisms come out for DNS.
Unfortunately, there is no good workaround to prevent this issue while still
allowing critical updates for other products dependant on this platform for
Enterprises that have proxy capabilities could disable access to the
GetRules.asp URLs that are used to download the script instructions, however
this may have consequences to programs that depend on the rules for
determining patch applicability.
The only way to be comfortable that you fully prevent the risk of this issue
for users that are concerned with the security of their systems is to
this automatic update program for the time being. For InstallShield, this
includes removing any Autorun entries for ISSCH.EXE, ISUSPM.EXE, and
setting the Kill bit for any related ActiveX controls (isusweb.dll), that
remain enabled (See references for one patch related to this -- it is not
clear to me they covered all GUIDs with these patches). Some users may wish
to rename the "\Program Files\Common Files\InstallShield\UpdateService" or
related UpdateManager folders of other products to prevent automated
of these programs until a fix is provided.
Unfortunately this workaround is clearly a catch-22 as other critical
to products that depend on these services may now be overlooked as well.
this information at your own risk. Absolutely no warrantees expressed or
This issue has been assingned CVE-2008-1093
Also published at
These prior issues are related, but are distinct from this bulletin.
This issue was discovered and disclosed following responsible disclosure
procedures by Brian Dowling of Simplicity Communications.
This time-line is mostly here to keep track of work and progress on this
issue. However it does highlight one important thing. Vendors need to
provide valid, secure, contact information that can get security issues
reported to the proper individuals within their organization. This contact
information should be clearly published on their public facing web sites.
12/05/2007 - Initial Discovery
12/12/2007 - Contacted Cert Coordination Center to attempt to obtain
appropriate vendor contact information.
12/17/2007 - Additional work on details, proof of concept
interim - No response from Macrovision either directly or through Cert
kept in constant contact with me).
01/02/2008 - Posted to product request site for security contact
01/08/2008 - Automated sales response, asking how "Product Evaluation" is
01/18/2008 - In contact with sales representative @ Macrovision
02/05/2008 - Attempted to contact Product Technical Support
02/06/2008 - Technical Support call back - forwarded me back to
"Product Coordinator" (local Sales Contact).
02/07/2008 - Contacted by Director of Product Management for Macrovision
02/08/2008 - Sent vendor vulnerability details
02/21/2008 - Resent information, vendor was unable to decrypt
03/03/2008 - Vendor responds "We are reviewing the materials and will
a public response shortly."
03/10/2008 - Inquired if they have been able to reproduce. Similar response
to above, "..public response in the coming days"
03/21/2008 - Inquired, was told they were crafting a public response.
04/01/2008 - Product vendor splits off software business, InstallShield now
owned by Acresso Software.
04/24/2008 - Vendor provided "Acresso's official response" which they do not
appear to have yet published publicly, and I feel I cannot due
the following legal tagging:
"This document contains proprietary trade secrets of Acresso
Software Inc. Receipt or possession does not convey any right to
reproduce, disclose its content, or to manufacture, use, or sell
anything that it may describe. Reproduction, disclosure or use
without specific authorization of Acresso Software is strictly
07/01/2008 - Given the lack of further vendor response and the duration that
had known about this vulnerability, I was starting to prepare
07/08/2008 - Critical Kaminsky DNS Vulnerability came to light, re-ignited
concern over release of this information.
09/03/2008 - Contacted vendor again, requesting URL for their public
informed them of my intent to publicly disclose.
09/05/2008 - I was told that vendor will publish their response when my
findings are published.
09/16/2008 - Public disclosure.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
-----END PGP SIGNATURE-----
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- InstallShield Update Agent - Downloads and executes "Rule Scripts" insecurely. Brian Dowling (Sep 16)