Macrovision has patched a critical bug in the update service software it licenses to third-party developers as a researcher warned users to expect attacks.
FLEXNet, an update add-on that Macrovision sells as an option to developers who use the company's InstallShield installer, includes an ActiveX control that sports a major design flaw, said Dave Zimmer, a security engineer at VeriSign's iDefense Labs. To exploit the bug, all hackers need to do is draw users who have the ActiveX control to a malicious site; the actual attack would be unnoticed.
"No complex skills are needed to use this one," said Zimmer.
The bug isn't in the control's code, he said, but is a design flaw. "When we talked to Macrovision, they said they never intended to mark it safe for scripting," Zimmer said. "It was clearly an oversight on their part."
Macrovision posted patches for its updater along with advice to both developers and end users. "If you are a FLEXNet Connect customer, we recommend you deploy this patch as soon as possible to your customer base," said the warning, which instructed companies licensing the updater to create and publish a hot fix on their own servers, then distribute it to their customers.
"Any developer who uses InstallShield that includes the option to update their software has given its users the ActiveX control," Zimmer said. "We don't have any numbers, but we believe the control is fairly widespread."
All versions of the FLEXNet Connect client prior to 220.127.116.11101 must be updated, Macrovision said.