
Regarding the critical DLL preloading vulnerability just posted

Posted: Mon Aug 01, 2022 11:16 am
by BartWilson
Is there a bit more information regarding what the impact of the vulnerability is here? I'm asking as upgrading is not trivial given that installing a new version of InstallAware removes the old version and thus breaks all past releases of our project. Plus we have to test the installers to make sure they work as expected along with the application runtimes that we build and provide to customers. As a build engineer, maintaining backwards compatibility is required, and thus having a situation where I cannot build an older product easily makes this move difficult.

Thus I would hope to understand what our risks are to the installers and our customer base.

Re: Regarding the critical DLL preloading vulnerability just posted

Posted: Mon Aug 01, 2022 7:48 pm
by vesigo
I would also like to know more details about the impact of this vulnerability on our customers. InstallAware gave very little information on the specific cases where this vulnerability could be exploited.

Re: Regarding the critical DLL preloading vulnerability just posted

Posted: Tue Aug 02, 2022 2:12 am
by pfennig
vesigo wrote: InstallAware gave very little information on the specific cases where this vulnerability could be exploited.

Is there any, except for that email titled "Critical InstallAware Vulnerability Mitigation"? I'm asking, because in there there's no information at all about possible exploits.
If it is so dangerous I'd expect a fix for older versions too, instead of demanding to upgrade for a lot of money.
We're on a maintenance plan, so it doesn't affect us that much, but I find this behaviour of InstallAware as a company a bit questionable, to say the least.

Re: Regarding the critical DLL preloading vulnerability just posted

Posted: Tue Aug 02, 2022 9:19 am
by FrancescoT
This critical update fixes an issue that's not specific to InstallAware. Any Windows application may be affected by the problem.

At any rate, the details of the issue which has currently been fixed can be found at the link below:
https://support.microsoft.com/en-us/topic/secure-loading-of-libraries-to-prevent-dll-preloading-attacks-d41303ec-0748-9211-f317-2edc819682e1

Hope this helps you.

Re: Regarding the critical DLL preloading vulnerability just posted

Posted: Tue Aug 02, 2022 9:35 am
by pfennig
Yes, it's very enlightening to see that this issue has been known for about 11 years. It should have gotten fixed shortly after that.

Re: Regarding the critical DLL preloading vulnerability just posted

Posted: Tue Aug 02, 2022 12:39 pm
by FrancescoT
Yes, it's an 11-year-old OS bug, which should have been fixed by the OS vendor... but it wasn't.

Re: Regarding the critical DLL preloading vulnerability just posted

Posted: Tue Aug 02, 2022 11:46 pm
by pfennig
Sure, but with the publishing of the existence of this bug, the OS vendor also provided a solution for application developers on how to eliminate the vulnerability. So, InstallAware could have done their part a long time ago.
That's why I think they should provide an update for older versions as well.

Re: Regarding the critical DLL preloading vulnerability just posted

Posted: Wed Aug 03, 2022 4:13 am
by RKossow
Thanks for providing the details here. I am relaxed now, as I do not see any attack vector in the cases I was anxious about. I will of course use the new version from now on.

Re: Regarding the critical DLL preloading vulnerability just posted

Posted: Tue Aug 16, 2022 7:19 am
by PTaylor
For a product that cannot be upgraded and needs to be removed, what is InstallAware's recommended course of action?
I'm concerned that running an uninstall of a product that has been packaged with a version of InstallAware older than 32.10 could trigger the vulnerability.