Acresso Software Affected

Notified: September 18, 2008 Updated: September 30, 2008

Status

Affected

Vendor Statement

The vulnerability that you refer to has been corrected in more recent versions of the product.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

This issue is addressed with the FLEXnet Connect 11.0.1 client, which comes with agent.exe version 11.1.100.17104. This version of FLEXnet Connect includes the ability to verify certificates that are provided by the FLEXnet Connect server. A FLEXnet Connect server that uses signed communication will add an X-FNC-Sig HTTP header to outgoing messages. This signature is designed to prevent the server response from being successfully modified by an attacker. The signature checking is also designed to ensure that the FLEXnet Connect client is connecting to an authentic FLEXnet Connect server, much in the same way that HTTPS helps to ensure the identity of a web site.

Note that the originally-released version of the FLEXnet Connect 11.0.1 client, which came with agent.exe version 11.1.100.16604, did not completely address this vulnerability. Note that the FLEXnet Connect 11.0.1 SDK does not enable secure communications by default, but the updates.installshield.com FLEXnet Connect server is currently distributing an update that enables this feature. This means that if a system's DNS has been hijacked or if the communications with the FLEXnet Connect update server are modified before this update can be retrieved, an attacker may be able to execute arbitrary code on the client system.

Because the fixed version of the FLEXnet Connect runtime is relatively new (it was digitally signed on September 26, 2008), it is likely to take some time before software that is packaged with FLEXnet Connect will receive the update and also configure FLEXnet Connect to verify signatures.

Adobe Not Affected

Notified: September 15, 2008 Updated: September 19, 2008

Status

Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Cisco Systems, Inc. Not Affected

Notified: September 15, 2008 Updated: November 05, 2008

Status

Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Corel Corporation Affected

Updated: September 16, 2008

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Our testing has shown that Corel Paint Shop Pro X is vulnerable. Other applications may also provide the vulnerable components.

F-Secure Corporation Not Affected

Notified: September 15, 2008 Updated: September 19, 2008

Status

Not Affected

Vendor Statement

F-Secure do not provide any software that includes the vulnerable components described in the VU#837092 case.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation Affected

Updated: September 17, 2008

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Our testing has shown that IBM Rational AppScan is vulnerable. Other applications may also provide the vulnerable components.

InstallShield Affected

Updated: September 30, 2008

Status

Affected

Vendor Statement

The vulnerability that you refer to has been corrected in more recent versions of the product.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

This issue is addressed with the FLEXnet Connect 11.0.1 client, which comes with agent.exe version 11.1.100.17104. This version of FLEXnet Connect includes the ability to verify certificates that are provided by the FLEXnet Connect server. A FLEXnet Connect server that uses signed communication will add an X-FNC-Sig HTTP header to outgoing messages. This signature is designed to prevent the server response from being successfully modified by an attacker. The signature checking is also designed to ensure that the FLEXnet Connect client is connecting to an authentic FLEXnet Connect server, much in the same way that HTTPS helps to ensure the identity of a web site.

Note that the originally-released version of the FLEXnet Connect 11.0.1 client, which came with agent.exe version 11.1.100.16604, did not completely address this vulnerability. Note that the FLEXnet Connect 11.0.1 SDK does not enable secure communications by default, but the updates.installshield.com FLEXnet Connect server is currently distributing an update that enables this feature. This means that if a system's DNS has been hijacked or if the communications with the FLEXnet Connect update server are modified before this update can be retrieved, an attacker may be able to execute arbitrary code on the client system.

Because the fixed version of the FLEXnet Connect runtime is relatively new (it was digitally signed on September 26, 2008), it is likely to take some time before software that is packaged with FLEXnet Connect will receive the update and also configure FLEXnet Connect to verify signatures.

Intel Corporation Not Affected

Notified: September 15, 2008 Updated: September 19, 2008

Status

Not Affected

Vendor Statement

InstallShield Update Agent is not in use at Intel.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Macrovision Affected

Notified: September 15, 2008 Updated: September 30, 2008

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

This issue is addressed with the FLEXnet Connect 11.0.1 client, which comes with agent.exe version 11.1.100.17104. This version of FLEXnet Connect includes the ability to verify certificates that are provided by the FLEXnet Connect server. A FLEXnet Connect server that uses signed communication will add an X-FNC-Sig HTTP header to outgoing messages. This signature is designed to prevent the server response from being successfully modified by an attacker. The signature checking is also designed to ensure that the FLEXnet Connect client is connecting to an authentic FLEXnet Connect server, much in the same way that HTTPS helps to ensure the identity of a web site.

Note that the originally-released version of the FLEXnet Connect 11.0.1 client, which came with agent.exe version 11.1.100.16604, did not completely address this vulnerability. Note that the FLEXnet Connect 11.0.1 SDK does not enable secure communications by default, but the updates.installshield.com FLEXnet Connect server is currently distributing an update that enables this feature. This means that if a system's DNS has been hijacked or if the communications with the FLEXnet Connect update server are modified before this update can be retrieved, an attacker may be able to execute arbitrary code on the client system.

Because the fixed version of the FLEXnet Connect runtime is relatively new (it was digitally signed on September 26, 2008), it is likely to take some time before software that is packaged with FLEXnet Connect will receive the update and also configure FLEXnet Connect to verify signatures.

Microsoft Corporation Not Affected

Notified: September 15, 2008 Updated: September 24, 2008

Status

Not Affected

Vendor Statement

It appears that we are not affected by this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Roxio Affected

Updated: November 27, 2008

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

http://kb.roxio.com/content/kb/General%20Information/000072GN

Addendum

Our testing has shown that Roxio DigitalMedia Archive is vulnerable. Other applications may also provide the vulnerable components.
