Avast Warns Against the Flexnet Publishing Update Recommended by Secunia

Hi,

I have recently installed Secunia to check if all programs are up-to-date. All programs are up-to-date, save one: Flexnet Publisher 11.x. From a bit of research, I understand that Flexnet is a part of Macrovision and is used by it for managing licensing.

So, I click on Secunia’s “Install Solution” and it brings up a link in my browser to w w w .globes. c o m, which is Flexnet’s download site.

I download the Flexnet update and when I try to install it, Avast says it’s possibly dangerous and to only run in sandbox.

Has anyone else ever updated Flexnet using the w w w .globes. c o m website? Is it safe? Do I really need to update Flexnet? Should I bypass Avast’s recommendation and assume it’s safe?

Any advice or past experiences with this would be greatly appreciated.

Also, is Secunia always right? Should I trust that the “Install Solution” sites that it links to for updating are safe?

What alert are you getting?

What is the full URL that you are getting it on (a screenshot of the alert window would help)? Change the http to hXXp in the URL to break the link to suspect sites.

FlexNet Publisher License Manager Log File Upload

by Carol~ Moderator - 8/18/11 11:35 AM

In Reply to: VULNERABILITIES / FIXES - August 18, 2011 by Carol~ Moderator

FlexNet Publisher License Manager Log File Upload Vulnerability

Release Date : 2011-08-18

Criticality level : Moderately critical
Impact : System access
Where : From local network
Solution Status : Unpatched

Software: FlexNet Publisher 11.x

Description:
A vulnerability has been reported in FlexNet Publisher, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to unspecified errors within the License Server Managers and vendor daemons related to saving and loading log files. This can be exploited to upload malicious files to an arbitrary location via directory traversal sequences.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in version 11.10. Other versions may also be affected.

Solution:
Restrict access to the affected service to trusted hosts only.

Provided and/or discovered by:
Luigi Auriemma via ZDI.

Original Advisory:
FlexNet:
http://www.flexerasoftware.com/pl/13057.htm

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-272/

http://secunia.com/advisories/45615/

http://forums.cnet.com/7726-6132_102-5188554.html

Here is the url: hXXp://www.globes.com/products/utilities/v11.10/lmadmin-i86_n3-11_10_0_2.exe

Attached is an image of the warning.

Thanks for your help!

Wow. So this Flexnet security issue just happened. Guess I have to run the fix :-\ ???

OK, that is a lot of help, for me and hopefully for you too.

The autosandbox process is controlled in the first instance by the file system shield (FSS); the suspect.exe file is scanned before it is allowed to run. If it were infected, it could/should be detected by the FSS, so one reasonable thing in its favour is it hasn’t had a definitive detection.

However, the FSS checks other things, amongst those a) is the file digitally signed, b) its location and what it does (this is done in the emulation check). These can trigger a suspicion and it is this suspicion that results in the recommendation to use the autosandbox.

Now the user can accept this decision and run it in the autosandbox or have it run normally and to Remember the answer for this program. Provided of course you are familiar with the program and that it is clean and of course that you intentionally initiated the program.

Whilst there might be a flexnet security issue, it is probably unlikely that this file is infected, though you could analyse it at virustotal.com.

####
Check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here, post the URL in the Address bar of the VT results page. You may need to create a folder called Suspect in the C: drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect*
That will stop the File System Shield scanning any file you put in that folder.

David,

Thanks for that very helpful response. Ok. I tried to run a virustotal scan of the file Secunia suggested I download to repair the Flexnet issue (filename: lmadmin-i86_n3-11_10_0_2.exe) but virustotal won’t scan it because it’s too big. It’s 71.9MB and virustotal has a maximum file size of 20MB. :-\

I’ve run a virustotal scan of the url Secunia provided. 9 out of 11 report the url is clean, one says “error” and the other says “unrated site”. So it seems the link Secunia sent me to is clean, at least. I just can’t scan the file I downloaded from that link (b/c of size).

Without a virustotal scan, am I forced to make an independent “do I trust the file or not” decision?
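
An added example, not part of any poster's message: when an installer is too large to upload, its SHA-256 can be computed locally and searched on VirusTotal by hash, and its Authenticode signature (one of the things the File System Shield is described as checking) can be inspected directly. The download path and the function name `Get-InstallerReport` are assumptions for illustration.

```powershell
# Added example: local checks for an installer too large to upload to VirusTotal.
# $Path is an assumed download location; adjust it to where the file was saved.
param(
    [string]$Path = "$env:USERPROFILE\Downloads\lmadmin-i86_n3-11_10_0_2.exe"
)

# Get-InstallerReport is a hypothetical helper name used only in this example.
function Get-InstallerReport {
    param([Parameter(Mandatory)][string]$File)

    if (-not (Test-Path -LiteralPath $File -PathType Leaf)) {
        throw "File not found: $File"
    }

    $item = Get-Item -LiteralPath $File
    # The hash is computed locally by streaming the file, so size is not a limit.
    $hash = Get-FileHash -LiteralPath $File -Algorithm SHA256
    # Status is Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
    $sig = Get-AuthenticodeSignature -LiteralPath $File
    # Mark-of-the-web stream written by the browser; absent if the file was copied
    # from a non-NTFS volume or has been unblocked.
    $zone = Get-Content -LiteralPath $File -Stream Zone.Identifier -ErrorAction SilentlyContinue

    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    $origin = ($zone | Where-Object { $_ -match '^(ZoneId|HostUrl|ReferrerUrl)=' }) -join '; '

    [pscustomobject]@{
        File            = $item.Name
        SizeMB          = [math]::Round($item.Length / 1MB, 1)
        SHA256          = $hash.Hash
        SignatureStatus = $sig.Status
        Signer          = $signer
        DownloadOrigin  = $origin
    }
}

$report = Get-InstallerReport -File $Path
$report | Format-List

# Paste the SHA256 value into the VirusTotal search box to look up an existing report.
if ($report.SignatureStatus -ne 'Valid') {
    Write-Warning "Signature status is '$($report.SignatureStatus)'; treat the file as unverified."
}
```

A hash search only returns a report if the identical file has been submitted before, and a valid signature confirms the publisher and that the file was not altered after signing, not that the software is harmless.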

You’re welcome.

Well I don’t believe that the Secunia scan is that detailed, we see lots of cases where they say a site is clean, yet we confirm a web shield detection on the said site is good. The web shield really is a great tool with a high rate of accuracy.

As has been said it is more of a suspicion, than an actual detection. So should you choose to run it normally, the avast File System Shield would still be scanning files created during this installation.

Thanks again David. I’m still trying to decide what to do. I found a thread dedicated to this very issue over on the Secunia forums and it seems lots of people are just as confused about Secunia’s proposed fix for various reasons. :-\

I will do some more research before making a decision.

No problem, glad I could help.