The Intetc plugin for the NSIS installer fails to validate SSL certificates, which makes affected installers vulnerable to HTTPS spoofing.
Inetc is a plugin for the NSIS installer software that provides the ability to download files from the internet. Although Inetc supports the ability to download files using the HTTPS protocol, it does not validate SSL certificate chains.
An attacker can spoof content retrieved using HTTPS. Depending on what the installer does with content retrieved over HTTPS, the impact can be as severe as arbitrary code execution with elevated privileges.
Apply an update
This issue is resolved in Inetc builds starting September 6, 2015. This version no longer passes any SECURITY_FLAG_IGNORE_* flags to WinINet by default.
Only install software while connected to a trusted network
AVG Anti-virus Software
This vulnerability was reported by Will Dormann of the CERT/CC.
This document was written by Will Dormann.
|Date First Published:||2015-03-20|
|Date Last Updated:||2015-09-08 15:54 UTC|