Regarding the critical DLL preloading vulnerability just posted

BartWilson
Posts: 30
Joined: Mon Mar 01, 2021 9:01 am

Regarding the critical DLL preloading vulnerability just posted

Postby BartWilson » Mon Aug 01, 2022 11:16 am

Is there a bit more information regarding what the impact of the vulnerability is here? I'm asking as upgrading is not trivial, given that installing a new version of InstallAware removes the old version and thus breaks all past releases of our project. Plus we have to test the installers to make sure they work as expected, along with the application runtimes that we build and provide to customers. As a build engineer, maintaining backwards compatibility is required, and thus a situation where I cannot easily build an older product makes this move difficult.

Thus I would hope to understand what our risks are to the installers and our customer base.

vesigo
Posts: 10
Joined: Mon Dec 21, 2015 2:58 pm

Re: Regarding the critical DLL preloading vulnerability just posted

Postby vesigo » Mon Aug 01, 2022 7:48 pm

I would also like to know more details about the impact of this vulnerability on our customers. InstallAware gave very little information on the specific cases where this vulnerability could be exploited.

pfennig
Posts: 168
Joined: Wed Nov 08, 2006 8:39 am

Re: Regarding the critical DLL preloading vulnerability just posted

Postby pfennig » Tue Aug 02, 2022 2:12 am

vesigo wrote:InstallAware gave very little information on the specific cases where this vulnerability could be exploited.

Is there any, except for that email titled "Critical InstallAware Vulnerability Mitigation"? I'm asking because there's no information at all in there about possible exploits.
If it is so dangerous I'd expect a fix for older versions too, instead of demanding to upgrade for a lot of money.
We're on a maintenance plan, so it doesn't affect us that much, but I find this behaviour of InstallAware as a company a bit questionable, to say the least.
Best regards
pfennig

FrancescoT
Site Admin
Posts: 5360
Joined: Sun Aug 22, 2010 4:28 am

Re: Regarding the critical DLL preloading vulnerability just posted

Postby FrancescoT » Tue Aug 02, 2022 9:19 am

This critical update fixes an issue that's not specific to InstallAware. Any Windows application may be affected by the problem.

At any rate, the details of the issue which has now been fixed can be found at the link below:
https://support.microsoft.com/en-us/topic/secure-loading-of-libraries-to-prevent-dll-preloading-attacks-d41303ec-0748-9211-f317-2edc819682e1

Hope this helps you.
Francesco Toscano
InstallAware Software

White Papers (HowTos) - http://www.installaware.com/publication ... papers.htm
Publications - http://www.installaware.com/publications-review.htm
InstallAware Help -F1 anywhere in the InstallAware IDE
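The Microsoft article linked above describes the DLL preloading problem: a program that loads a library by bare name can, under the legacy search order, pick up a same-named DLL sitting in its own directory (for an installer, typically the folder it was downloaded to) before the copy in System32. Older InstallAware builds cannot be patched, so a defender-side check is to audit the directory installers are launched from for DLLs that shadow system libraries. The script below is an added example, not code from InstallAware or from the Microsoft article; the scan directory, the use of the Downloads folder as the default, and the choice to compare against System32 file names are assumptions for illustration.

```powershell
# Added example (not InstallAware's or Microsoft's code): list DLLs in a directory that
# share a name with a library in System32. Under the legacy search order, an installer run
# from that directory would load such a DLL first when it requests the library by bare name,
# so these files, especially unsigned ones, deserve review before any installer is run there.
# $ScanDir defaulting to the Downloads folder is an assumption for illustration.
param(
    [string]$ScanDir = (Join-Path $env:USERPROFILE 'Downloads')
)

$system32 = Join-Path $env:SystemRoot 'System32'

# Lower-cased names of every DLL shipped in System32; a same-named file in $ScanDir
# is the shadowing case the Microsoft guidance warns about.
$systemDllNames = Get-ChildItem -Path $system32 -Filter '*.dll' -File |
    ForEach-Object { $_.Name.ToLowerInvariant() }

$findings = foreach ($dll in Get-ChildItem -Path $ScanDir -Filter '*.dll' -File -ErrorAction SilentlyContinue) {
    if ($dll.Name.ToLowerInvariant() -notin $systemDllNames) { continue }

    # Authenticode status separates vendor-shipped support DLLs from unsigned or tampered ones.
    $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
    [pscustomobject]@{
        Path            = $dll.FullName
        ShadowsSystem32 = $true
        SignatureStatus = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        LastWrite       = $dll.LastWriteTime
    }
}

if ($findings) {
    $findings | Sort-Object SignatureStatus, Path | Format-Table -AutoSize
} else {
    "No DLLs in '$ScanDir' shadow a System32 library."
}
```

Run it as `.\Find-ShadowDlls.ps1 -ScanDir 'C:\Installers'` (the file name is an assumption) before launching an installer from that folder. A hit is not proof of an attack, since some installers legitimately ship support DLLs next to themselves, but a same-named DLL with a `NotSigned` or `HashMismatch` status in a download folder is exactly the condition the legacy search order turns into code execution, and removing or quarantining it before running the installer closes that path for builds that cannot be upgraded.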

pfennig
Posts: 168
Joined: Wed Nov 08, 2006 8:39 am

Re: Regarding the critical DLL preloading vulnerability just posted

Postby pfennig » Tue Aug 02, 2022 9:35 am

Yes, it's very enlightening to see that this issue has been known for about 11 years. It should have gotten fixed shortly after that.
Last edited by pfennig on Tue Aug 02, 2022 11:47 pm, edited 1 time in total.
Best regards

pfennig

FrancescoT
Site Admin
Posts: 5360
Joined: Sun Aug 22, 2010 4:28 am

Re: Regarding the critical DLL preloading vulnerability just posted

Postby FrancescoT » Tue Aug 02, 2022 12:39 pm

Yes, it's an 11-year-old OS bug, which should have been fixed by the OS vendor... but it wasn't.
Francesco Toscano
InstallAware Software

pfennig
Posts: 168
Joined: Wed Nov 08, 2006 8:39 am

Re: Regarding the critical DLL preloading vulnerability just posted

Postby pfennig » Tue Aug 02, 2022 11:46 pm

Sure, but when publishing the existence of this bug, the OS vendor also provided application developers with a solution for eliminating the vulnerability. So InstallAware could have done their part a long time ago.
That's why I think they should provide an update for older versions as well.
Best regards

pfennig

RKossow
Posts: 9
Joined: Thu Nov 25, 2010 4:39 am

Re: Regarding the critical DLL preloading vulnerability just posted

Postby RKossow » Wed Aug 03, 2022 4:13 am

Thanks for providing the details here. I am relaxed now, as I do not see any attack vector in the cases I was anxious about. I will of course use the new version from now on.

PTaylor
Posts: 1
Joined: Tue Aug 16, 2022 7:09 am

Re: Regarding the critical DLL preloading vulnerability just posted

Postby PTaylor » Tue Aug 16, 2022 7:19 am

For a product that cannot be upgraded and needs to be removed, what is InstallAware's recommended course of action?
I'm concerned that running an uninstall of a product that has been packaged with a version of InstallAware older than 32.10 could trigger the vulnerability.
