HTTP Macrovision ActiveX File Overwrite

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects attempts to exploit an arbitrary file-download vulnerability by passing malicious arguments into a method of the Macrovision FLEXnet Connect ActiveX control.

Additional Information

Macrovision FLEXnet Connect allows users to deliver applications, patches, updates, and messages to computers.

Macrovision FLEXnet Connect ActiveX controls are prone to multiple file-access vulnerabilities:

- An arbitrary-file-download vulnerability affects the 'MVSNClientDownloadManager61Lib.DownloadManager' ActiveX control that can be identified by CLSID: FCED4482-7CCB-4E6F-86C9-DCB22B52843C. Specifically, the issue occurs when executing a scheduled job. The ActiveX control allows attackers to specify arbitrary filenames to jobs using the 'AddFile()' method. When the application calls the 'RunScheduledJobs()' method, the attacker-specified file is downloaded onto the affected computer.

- An arbitrary-file-download vulnerability affects the 'isusweb.dll' ActiveX control that can be identified by CLSID: 1DF951B1-8D40-4894-A04C-66AD824A0EEF. The vulnerability occurs because the ActiveX control handles file downloads in an insecure manner, allowing attackers to download and execute arbitrary files. The 'DownloadAndExecute()' method of the control is affected.

An attacker can exploit these issues by enticing an unsuspecting victim to view a malicious webpage. The victim may be required to further interact with the application to trigger one of these issues.

Successful exploits will allow remote attackers to download files from arbitrary locations to the affected computer.
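
The following is an added example, not Symantec's signature logic: a content check that flags HTTP response bodies referencing either affected control, using the CLSIDs and method names listed above. Treating the quoted control name as the string a page would use to create the object by name is an assumption, and the sample bodies are constructed.

```python
import html
import re

# CLSIDs, control names and method names are taken from the advisory text.
CONTROLS = [
    {"clsid": "FCED4482-7CCB-4E6F-86C9-DCB22B52843C",
     "name": "MVSNClientDownloadManager61Lib.DownloadManager",
     # Assumption: the quoted control name is also usable as a ProgID string.
     "progid": "MVSNClientDownloadManager61Lib.DownloadManager",
     "methods": ["AddFile", "RunScheduledJobs"]},
    {"clsid": "1DF951B1-8D40-4894-A04C-66AD824A0EEF",
     "name": "isusweb.dll",
     "progid": None,  # the advisory gives no ProgID for this control
     "methods": ["DownloadAndExecute"]},
]

def scan(body):
    """Return one finding per affected control referenced in an HTTP response body."""
    text = html.unescape(body)  # undo entity encoding such as clsid&#58;
    findings = []
    for c in CONTROLS:
        via = []
        # <object classid="clsid:..."> in any letter case, braces optional
        if re.search(r"clsid\s*:\s*\{?" + c["clsid"] + r"\}?", text, re.I):
            via.append("classid")
        if c["progid"] and re.search(re.escape(c["progid"]), text, re.I):
            via.append("progid")
        if not via:
            continue  # method names alone are too generic to alert on
        # VBScript is case-insensitive, so match method names in any case
        called = [m for m in c["methods"]
                  if re.search(r"\.\s*" + m + r"\s*\(", text, re.I)]
        findings.append({"control": c["name"], "via": via, "methods": called,
                         "level": "method-call" if called else "instantiated"})
    return findings

# Constructed sample response body; method arguments are deliberately left out.
SAMPLE = """<html><body>
<OBJECT id="dm" classid="CLSID:{fced4482-7ccb-4e6f-86c9-dcb22b52843c}"></OBJECT>
<script>dm.AddFile(); dm.RunScheduledJobs();</script>
</body></html>"""

# Constructed benign page: same method name on an unrelated object.
BENIGN = "<script>uploader.AddFile('report.txt');</script>"

if __name__ == "__main__":
    for body in (SAMPLE, BENIGN):
        print(scan(body))
```

A finding at level "instantiated" means the control is referenced without any of the affected methods appearing in the same body.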

Affected

  • Macrovision FLEXnet Connect