Macrovision InstallShield InstallScript One-Click Install (OCI) is "a web based installer technology that allows software publishers to distribute minimal installer packages which allow end users to select components to install. Upon first visiting such a website, the user is prompted to install the ActiveX control". Remote exploitation of an untrusted library loading vulnerability in Macrovision's InstallShield InstallScript One-Click Install ActiveX control allows remote attackers to execute code with the privileges of the currently logged in user.
* Macrovision InstallShield InstallScript One-Click Install ActiveX Control version 12.0
* Macrovision InstallShield InstallScript One-Click Install ActiveX Control version 12.0 with SP2
InstallShield InstallScript "One-Click Install" is implemented in an ActiveX control with the following properties:
File: %WINDIR%\Downloaded Program Files\setup.exe
This control is marked "safe for scripting".
When a user visits a website from which a web install can be performed, the ActiveX control downloads and loads several DLL files from the remote website. Since no sanity checks are performed on the DLL files, an attacker can substitute specially crafted libraries that will execute arbitrary code when loaded.
Exploitation allows attackers to execute arbitrary code with the privileges of the currently logged-in user. In order for exploitation to occur, users would be required to have a vulnerable version of the ActiveX control installed and be lured to a malicious site.
Administrators can set the kill-bit for the vulnerable ActiveX control with the following .reg file. This will prevent the control from loading within Internet Explorer.