Vulnerability Note VU#894897
NSIS Inetc plug-in fails to validate SSL certificates
The Inetc plugin for the NSIS installer fails to validate SSL certificates, which makes affected installers vulnerable to HTTPS spoofing.
Inetc is a plugin for the NSIS installer software that provides the ability to download files from the internet. Although Inetc supports the ability to download files using the HTTPS protocol, it does not validate SSL certificate chains.
An attacker can spoof content retrieved using HTTPS. Depending on what the installer does with content retrieved over HTTPS, the impact can be as severe as arbitrary code execution with elevated privileges.
Apply an update
This issue is resolved in Inetc builds starting September 6, 2015. This version no longer passes any SECURITY_FLAG_IGNORE_* flags to WinINet by default.
Only install software while connected to a trusted network
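For teams that build NSIS installers, one way to see where this issue matters is to list every HTTPS download made through Inetc and check whether the downloaded file is later executed. The script below is an added example, not code from CERT/CC or the Inetc project; the function names, the sample script and its host name are constructed, and it assumes the simple `inetc::get URL local_file` call form.

```python
import re

# NSIS call into the Inetc plug-in, e.g.  inetc::get "URL" "local file" /END
CALL_RE = re.compile(r'^\s*inetc::(get|post|head)\b(.*)$', re.IGNORECASE)
# NSIS instructions that run a file
EXEC_RE = re.compile(r'^\s*(ExecWait|ExecShell|Exec)\b', re.IGNORECASE)
# Double-quoted, single-quoted or bare argument
ARG_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'|(\S+)')


def split_args(rest):
    """Split the remainder of an NSIS line into its arguments."""
    return [a or b or c for a, b, c in ARG_RE.findall(rest)]


def audit_nsi(text):
    """List HTTPS downloads made through Inetc and whether the file is later run."""
    lines = text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        call = CALL_RE.match(line)  # commented-out calls (; or #) do not match
        if not call:
            continue
        args = split_args(call.group(2))
        for pos, arg in enumerate(args[:-1]):
            if not arg.lower().startswith("https://"):
                continue
            dest = args[pos + 1]  # Inetc takes URL / local-file pairs
            executed = any(
                EXEC_RE.match(later) and dest.lower() in later.lower()
                for later in lines[idx + 1:]
            )
            findings.append({"line": idx + 1, "url": arg,
                             "dest": dest, "executed": executed})
    return findings


# Constructed sample script (not taken from any real installer).
SAMPLE_NSI = r'''
Section "Main"
  inetc::get "https://downloads.example.test/helper.exe" "$TEMP\helper.exe" /END
  Pop $0
  ExecWait '"$TEMP\helper.exe" /S'
  inetc::get "https://downloads.example.test/readme.txt" "$INSTDIR\readme.txt" /END
  ; inetc::get "https://downloads.example.test/old.exe" "$TEMP\old.exe" /END
SectionEnd
'''
```

Installers with findings where `executed` is true are the ones to rebuild first against an Inetc build from September 6, 2015 or later.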
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| CERT/CC | Affected | - | 20 Mar 2015 |
| Dropbox | Affected | 03 Mar 2015 | 20 Mar 2015 |
| Nullsoft | Affected | 31 Jan 2011 | 25 Feb 2015 |
| AVG Anti-virus Software | Not Affected | 25 Feb 2015 | 26 Feb 2015 |
| Unify Inc | Not Affected | 25 Feb 2015 | 23 Mar 2015 |
| 7-Zip.org | Unknown | 25 Feb 2015 | 25 Feb 2015 |
| Adobe | Unknown | 25 Feb 2015 | 25 Feb 2015 |
| Amazon | Unknown | 25 Feb 2015 | 25 Feb 2015 |
| AMD | Unknown | 25 Feb 2015 | 25 Feb 2015 |
| Debian GNU/Linux | Unknown | 25 Feb 2015 | 25 Feb 2015 |
| DivX, Inc. | Unknown | 25 Feb 2015 | 25 Feb 2015 |
| Ericsson | Unknown | 25 Feb 2015 | 25 Feb 2015 |
| FreeRADIUS | Unknown | 25 Feb 2015 | 25 Feb 2015 |
|  | Unknown | 25 Feb 2015 | 25 Feb 2015 |
| Intel Corporation | Unknown | 25 Feb 2015 | 25 Feb 2015 |
CVSS Metrics
This vulnerability was reported by Will Dormann of the CERT/CC.
This document was written by Will Dormann.
- CVE IDs: CVE-2015-0941
- Date Public: 31 Jan 2011
- Date First Published: 20 Mar 2015
- Date Last Updated: 08 Sep 2015
- Document Revision: 26
If you have feedback, comments, or additional information about this vulnerability, please send us email.