#VU44374 Information disclosure in InstallShield - CVE-2007-6744


Updated: 2020-08-11

Vulnerability identifier: #VU44374

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2007-6744

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
InstallShield
Universal components / Libraries / Software for developers

Vendor: Macrovision Corporation

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Flexera Macrovision InstallShield before 2008 sends a digital-signature password to an unintended application during certain signature operations involving .spc and .pvk files, which might allow local users to obtain sensitive information via unspecified vectors, related to an incorrect interaction between InstallShield and Signcode.exe.

Mitigation
Install the update from the vendor's website.

Vulnerable software versions

InstallShield: 10.5 - 11.5


External links
https://kb.flexerasoftware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=Installation-InstallShield-InstallShield2008Premier-Public-ProductInfo-IS2008PremProReleaseNotes2pdf&sliceId=pdfPage_42


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

