
DLL Hijacking Vulnerability affects (not only) Setup Packages downloaded from the Internet

January 21st, 2016

A security problem in Windows has been reported that affects any EXE downloaded from the internet and run from the download folder. Setup packages are probably especially at risk.

How the vulnerability works

When you start an EXE which loads additional DLLs, Windows starts looking for these DLLs in the same directory as the EXE first, and only if the DLL isn’t found there it continues searching in the System folder and other folders in the PATH environment.

When an EXE is downloaded with a web browser, it gets stored in the standard Downloads folder. If an attacker managed to place a DLL in that Downloads folder (e.g. using a drive by download) and the name of the DLL happens to match a DLL that the EXE loads, the malicious DLL is used instead of the system DLL. The malicious DLL may have been placed in the Downloads folder long before, sitting there waiting to be loaded by some downloaded EXE.

Since the attack injects the malicious code as a DLL, it doesn’t change the EXE’s binary. So the digital signature stays intact and everything looks legit to the user.
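A defender-side check for the situation described above, as an added example that is not part of the original post: it models the simplified search order given here (EXE directory, then System folder, then PATH; loader details beyond that are not modelled) and lists DLLs in a download folder that share a name with a system DLL. The folder layout and the DLL names are constructed for the demonstration.

```python
import tempfile
from pathlib import Path


def dlls_in(directory):
    """Map lower-cased DLL name -> path (Windows file names are case-insensitive)."""
    d = Path(directory)
    if not d.is_dir():
        return {}
    return {p.name.lower(): p for p in d.iterdir()
            if p.is_file() and p.suffix.lower() == ".dll"}


def resolve_dll(name, exe_dir, system_dir, path_dirs=()):
    """Return the file found first under the order described in the post:
    the EXE's own directory, then the System folder, then PATH."""
    for directory in (exe_dir, system_dir, *path_dirs):
        hit = dlls_in(directory).get(name.lower())
        if hit is not None:
            return hit
    return None


def audit_download_dir(exe_dir, system_dir):
    """List DLLs in exe_dir that shadow a same-named system DLL, plus the
    EXEs in that folder that would load them instead of the system copy."""
    local, system = dlls_in(exe_dir), dlls_in(system_dir)
    exes = sorted(p.name for p in Path(exe_dir).iterdir()
                  if p.is_file() and p.suffix.lower() == ".exe")
    return [{"dll": local[n].name, "shadows": str(system[n]), "exposed_exes": exes}
            for n in sorted(local.keys() & system.keys())]


def build_sandbox():
    """Constructed test data: empty files in fake Downloads/System32 folders."""
    root = Path(tempfile.mkdtemp())
    downloads, system32 = root / "Downloads", root / "System32"
    downloads.mkdir()
    system32.mkdir()
    for name in ("sysfeature.dll", "syshelper.dll"):   # made-up system DLL names
        (system32 / name).touch()
    (downloads / "setup.exe").touch()
    (downloads / "SYSFEATURE.dll").touch()     # stray file colliding with a system name
    (downloads / "vendor_helper.dll").touch()  # no collision, not reported
    return downloads, system32


if __name__ == "__main__":
    downloads, system32 = build_sandbox()
    for finding in audit_download_dir(downloads, system32):
        print(f"{finding['dll']} shadows {finding['shadows']}; "
              f"exposed EXEs: {', '.join(finding['exposed_exes'])}")
```

On a real machine, pass the user's Downloads folder and the Windows System folder; any finding is a file to inspect or remove before running an installer from that folder.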

Setups could be preferred targets

In general, any EXE which is downloaded and executed could be attacked in this way, including self extracting zip files and the like. But the attacker needs to know the name of a DLL that the EXE wants to load. Setups often load a set of standard DLLs, which makes predicting the DLL name easier. And setups typically request administrative privileges, giving the malicious DLL even more power.

Pure MSI files are not affected

The vulnerability only affects EXEs. If your setup comes as an MSI file without setup.exe, you should be safe.

Workarounds and Fixes

Microsoft Security Bulletin MS16-007 includes some security updates related to “DLL Loading”. It’s unclear to me whether these address this vulnerability.

[UPDATE Jan 22nd: According to Rob Mensching of FireGiant, MS16-007 does not address this vulnerability.]

FireGiant, the company supporting the WiX Toolset, reported this vulnerability to Microsoft. In their blog they posted technical details about the vulnerability and possible mitigations. An update for WiX 3.10 has also been released. Other manufacturers of setup authoring tools will probably follow.

[UPDATE Jan 22nd: Advanced Installer posted about this problem already on January 7th (sorry I forgot to mention that). Like FireGiant, they recommend naming your installer something other than setup.exe. They also announced that the next version will include mitigations to reduce the risk of this vulnerability.]

[UPDATE Jan 25th: Flexera Software has published a knowledge base article about Best Practices to Avoid Windows Setup Launcher Executable Issues and released a hotfix for InstallShield and AdminStudio.]

Posted in Security | 5 Comments »

The Future of Windows Installer (MSI) in the Light of Windows 10 and the Universal Windows Platform

May 3rd, 2015

“AppX is now our deployment model. MSI isn’t going to go away, but we want you to move to AppX. We’re investing all of our efforts into making AppX the ultimate installer across the Windows ecosystem.”

The above is a quote from a session that took place during Microsoft’s Build 2015 event, here’s the recording:

Introducing the Windows 10 App Model

Windows 10 dramatically expands the ways in which developers can build apps and games by adding several new programming models, and also expanding the app model to support a broader set of developer scenarios. Andrew will explore these in depth and give you the information you need to get started building Windows apps that leverage these features today.

Project Centennial, one way to help moving to AppX

To help with the transition to AppX, Microsoft is developing Project Centennial (“Project C”), a tool that uses kernel filter drivers to record an msi installer and convert it to an App-V like package. While Project C is not App-V, it uses the same techniques, and packages created with it will also work with App-V. So by converting your package you not only leverage the Windows Store to address end users but you can also offer system administrators a package which they can easily manage (only if they are using Microsoft’s App-V of course…).

An application packaged with Project C very much looks like any Universal app, it has an AppX manifest, it can have a live tile etc. But it still has all the traditional files (EXE, DLLs etc.), including runtime dependencies, redirected to private folders, and a virtual registry. In order to properly integrate with the rest of the system, Project C needs to detect content like COM registration and make it known to the “real” operating system.

Such virtualized apps will only run in User context, Project C is not intended for system applications. If your application needs to run an NT Service or do other stuff that requires elevated privileges, you would have to get rid of this. If your NT service only runs in the background to check for updates, then you’re lucky, because the Windows Store can automatically update your app. However, unlike real Universal apps, your application will not run in a sand box but with full trust, i.e. it can do anything the user has permission to.

Project C will work for Windows 10, so you still have to provide an msi for customers who are running Windows 7 (there was no mention of Windows 8 in the session so it’s unclear if this will be supported on Windows 8.x) and for corporate customers who are not using App-V. Note that you may need to configure the two packages differently, like including your update-checker only in the msi but not in the AppX package.

Watch the recording (hint: use the gear icon to manually switch video quality to high):

“Project Centennial”: Converting your Classic Windows App (Win32, .Net, COM) to a Universal Windows App for Distribution in the Windows Store

Enabling existing Classic Windows applications (Win32, .NET, COM) to be part of the Store ecosystem is a key part of Windows 10. This session will cover in detail the technologies that will enable you to convert your app to a Windows APPX package, enabling it to be distributed by the Store and to take advantage of the Universal Windows Platform.

So what should you do?

My recommendations:

  • Keep calm – Windows 10 isn’t available yet, MSI is going to be around for some while, and setup tool vendors might offer ways to create MSI and AppX packages from the same project, helping you to support both worlds (actually, some already can create MSI and App-V packages).
  • Stay informed on this topic, and also talk to the app developers about their plans regarding moving to the Universal Windows Platform, as the app itself can also benefit from the new features. I think it makes sense to synchronize your timeline.
  • Talk to the sales folks to see if and when they plan to bring your product to the Windows Store.

Posted in Industry News | 5 Comments »

Support for Win32 and .NET Applications in the Windows Store in Windows 10

April 30th, 2015

Yesterday Microsoft’s developer conference Build 2015 started and among the announcements in the keynote was the “Universal Windows Platform”. This not only includes bridges to re-use existing Android and iOS code for Windows 10 and to enable apps built from web sites, but also “real” integration of Win32 and .NET applications in the Windows Store.

The Windows Store was introduced with Windows 8 as a way to show, sell and install “Universal apps” (formerly called “modern apps”, formerly called “Metro apps”) in a way similar to the app stores on Android and iOS. This means that users can purchase via the integrated shop system and when clicking the “Install” button, a progress bar appears and then the app is installed. It’s a seamless flow, no setup program is visible etc.

While you could also publish classic Win32 applications in the Store, that was simply a listing with a link to your web site. It wasn’t possible to purchase or install those applications from the store.

Windows 10 however “will make it possible to package and publish your current .NET and Win32-based Windows applications to the Windows Store, providing a new way of distributing and monetizing your application on Windows PCs.”, according to the announcement in the Windows Dev Center.

In the keynote (starting at 1:48), Terry Myerson, Executive VP Operating Systems, announced that Win32 and .NET applications will be able to “take advantage of the all new Universal Windows Platform capabilities”. These applications will “come down from the Windows Store and they run in an isolated way from the rest of the system”. This functionality is based on Microsoft’s App-V technology.

So for setup developers I guess this means that going forward you will have to build two types of packages in order to ship your applications: a traditional msi package for installation via Windows Installer for corporate deployment scenarios and for end users on Windows 8 and below, and an App-V package for the Windows Store on Windows 10.

Posted in Industry News | 1 Comment »

Windows Update breaks InstallShield command line build

February 23rd, 2015

Building a setup with InstallShield’s “Stand Alone Build” command line tool may fail with error -6003. The error message looks like this:

ISDEV : error -6003: An error occurred streaming ‘<path>\DiskImages\DISK1\<filename>.isc’ into setup.exe.

It only seems to affect setups that are being digitally signed.

The problem is caused by Windows Update KB3004394 which updates the way Windows checks for revoked root certificates.

According to Flexera Software support it only affects InstallShield version 2012 or older, which all are end of life and no longer supported. Therefore I don’t expect a fix from Flexera (although I don’t have any official information on this).

This leaves you with two potential workarounds: Uninstall the Windows Update, which will make your computer less secure, or don’t let InstallShield digitally sign your setup. Or take the chance and convince your boss to buy a new version of InstallShield.

This problem was reported and the workaround was posted in the InstallSite Forum – thanks guys for sharing your experience.

You can buy InstallShield in the InstallSite Shop at http://www.installsite.biz/installshield.

Posted in Tips | 8 Comments »

InstallShield crashes after installing this week’s Windows Updates

July 11th, 2014

Several users are reporting that their InstallShield authoring tool stops working immediately after starting it. Apparently this is caused by an incompatibility with Microsoft update MS14-037 “Security update for Internet Explorer versions 6, 7, 8, 9, 10, and 11” (KB2962872) which was distributed on this week’s Patch Tuesday. Flexera is aware of the problem. A possible workaround is to uninstall the Windows patch, however this puts your system in an insecure, vulnerable state.

To get the latest information about workarounds and to get notified when a fix is available, please subscribe to this thread in the Flexera Community forum and/or contact Flexera support: https://community.flexerasoftware.com/showthread.php?217569-InstallShield-Crashes-and-Microsoft-KB-2962872

Posted in Tips | 3 Comments »

InstallShield 2014 available

June 26th, 2014

Flexera Software released a new version of their installation authoring tool, InstallShield 2014.

This PDF document summarizes the new features: http://media.flexerasoftware.com/documents/Datasheet-IS2014-Compare-Versions.pdf . For more details see the release notes for InstallShield 2014 Premier and Professional, or in a separate document for Express.

Notice for owners of InstallShield 2012*: Update pricing from this version ends on 31st July 2014, so now would be a good time to update to version 2014. There’s even a 5% discount if you update before end of June. (*does not apply to version “2012 Spring”)

InstallShield 2014 is available in the InstallSite Shop at http://www.installsite.biz/installshield.htm

Posted in Industry News | Comments Off on InstallShield 2014 available

AdminStudio 2013 Released / General End of Update Pricing Announcement

August 6th, 2013

On July 16, 2013, Flexera Software released AdminStudio 2013. New and enhanced features in this version include:

  • Enhanced support for Microsoft App-V, including App V 5.0 and direct editing of App-V Packages
  • Support for Symantec Workspace Virtualization
  • Virtual Desktop Assessment Limited Edition
  • App Portal Limited Edition
  • New Platform API Commands
  • Managing Apple iOS and Windows Store apps with support for Microsoft System Center 2012 Configuration Manager SP1

For more information see:

End of Version Update Pricing

As of October 1, 2013, version updates will only be available for customers with an active maintenance plan. If your maintenance plan has expired, you can update to the current version only until September 30. After that date you have to pay the full license price.

You can buy AdminStudio 2013 in the InstallSite shop at http://www.installsite.biz/adminstudio.htm

Posted in Industry News | Comments Off on AdminStudio 2013 Released / General End of Update Pricing Announcement

InstallShield 2013 Released

June 6th, 2013

Flexera Software released a new version of their setup authoring tool, InstallShield 2013.

Improvements in the new version include:

  • Ability to create pure 64 bit msi setups. All customs actions that are included with InstallShield are now available in 64 bit (not included in Express edition).
  • Windows 8 improvements like Start screen icon pinning options and best practices validation (validation not included in Express).
  • Ability to create Microsoft App-V packages in the Premier edition. In other words: the Virtualization Pack which used to be an add-on purchase is now included in Premier at no extra charge. This also means that the Virtualization Pack for the Professional Edition is no longer available.
  • Virtualization suitability testing is also included in Premier and supports VMware ThinApp and Citrix XenApp in addition to App-V.
  • Installing Windows Roles and Features and running PowerShell scripts in the Suite/AdvancedUI project type (only in Premier).

For additional details see the Release Notes for InstallShield 2013 Professional and Premier and InstallShield 2013 Express. Note that the Premier edition no longer includes a Repackager. For repackaging tasks Flexera Software recommends their AdminStudio product (which also includes InstallShield as editor).

Flexera Software also removed support for some outdated technologies and versions from InstallShield 2013. This means that Windows Installer 2.0 and 3.0, ClickOnce, Visual Basic and several others are no longer available or supported. For a complete list see knowledge base article Q212461.

InstallShield 2013 is available in Premier, Professional and Express editions. The Limited Edition which comes with Visual Studio has not yet been updated.

There will be a webinar introducing what’s new in InstallShield 2013 on 18th June. Details can be found on the registration page.

InstallShield 2011 End of Life Announcement

Flexera Software also announced the End of Life for InstallShield 2011. Owners of this version can only update to InstallShield 2013 until end of June.

You can buy InstallShield 2013 in the InstallSite shop at http://www.installsite.biz/installshield.htm

Posted in Industry News | Comments Off on InstallShield 2013 Released

What’s New in Windows Installer on Windows 8

September 23rd, 2012

Here’s a quick summary of what’s new in the MSI engine that comes with Windows 8.

What’s new in MSI 5 on Windows 8

According to the documentation:

  • nothing

My own findings so far:

  • Windows Installer runtime version – as indicated by the file version of msi.dll – is 5.0.9200.16384
  • VersionNT = 602 (so similar to Windows 7 Microsoft didn’t increment the major version for application compatibility reasons)
  • WindowsBuild = 9200

According to Darwin Sanoy, Windows Installer also processes Appx Packages when installing Windows Store Apps.

Posted in Tips | Comments Off on What’s New in Windows Installer on Windows 8

Advanced Installer 9.5 includes Windows 8 Style Dialog Theme

September 18th, 2012

On September 10th, 2012 Caphyon Ltd. announced the release of Advanced Installer 9.5 in Freeware, Professional, For Java, Enterprise and Architect editions. The 9.5 release includes many enhancements (see the release notes), but what really caught my eye is a new group of dialog themes that use the “Windows Store App” style:

[Screenshots: install dialog, progress dialog, finish dialog]

The theme is also available in red and white/green. By the way: these screenshots were taken on Windows 7, so Windows 8 is not a requirement for this dialog style.

These themes also reduce the number of dialogs a user has to click through, by omitting the Welcome dialog and combining the destination folder selection and the checkbox to agree to the license agreement on the same dialog with a big “Install” button. However, if you actually want to read the license agreement before you agree (but no-one does that, right?), you have to click a link. -You may want to check with your legal department if that’s sufficient.- The link will open an additional dialog with the license agreement and an “Accept & Install” button, so you don’t have to return to the previous dialog to start the installation process.

P.S. If you want to try the new themes, don’t look for “Metro”, they’re filed under “Surface”.

Advanced Installer is available via the InstallSite Shop at http://www.installsite.biz/advancedinstaller.htm

Posted in Industry News | Comments Off on Advanced Installer 9.5 includes Windows 8 Style Dialog Theme
