Is there a bit more information regarding what the impact of the vulnerability is here? I'm asking as upgrading is not trivial given that installing a new version of InstallAware removes the old version and thus breaks all past releases of our project. Plus we have to test the installers to make sure they work as expected along with the application runtimes that we build and provide to customers. As a build engineer, maintaining backwards compatibility is required, and thus having a situation where I cannot build an older product easily makes this move difficult.
Thus I would hope to understand what our risks are to the installers and our customer base.
Regarding the a critical DLL preloading vulnerability just posted
- Posts: 31
- Joined: Mon Mar 01, 2021 9:01 am
Re: Regarding the a critical DLL preloading vulnerability just posted
I would also like to know more details about the impact of this vulnerability on our customers. InstallAware gave very little information on the specific cases where this vulnerability could be exploited.
Re: Regarding the a critical DLL preloading vulnerability just posted
vesigo wrote: InstallAware gave very little information on the specific cases where this vulnerability could be exploited.
Is there any, except for that email titled "Critical InstallAware Vulnerability Mitigation"? I'm asking, because in there there's no information at all about possible exploits.
If it is so dangerous I'd expect a fix for older versions too, instead of demanding to upgrade for a lot of money.
We're on a maintenance plan, so it doesn't affect us that much, but I find this behaviour of InstallAware as a company a bit questionable, to say the least.
Best regards
pfennig
- Site Admin
- Posts: 5361
- Joined: Sun Aug 22, 2010 4:28 am
Re: Regarding the a critical DLL preloading vulnerability just posted
This critical update fixes an issue that's not specific to InstallAware. Any Windows application may be affected by the problem.
At any rate, the details of the issue which has been currently fixed can be found in the below link;
https://support.microsoft.com/en-us/topic/secure-loading-of-libraries-to-prevent-dll-preloading-attacks-d41303ec-0748-9211-f317-2edc819682e1
Hope this helps you.
Francesco Toscano
InstallAware Software
White Papers (HowTos) - http://www.installaware.com/publication ... papers.htm
Publications - http://www.installaware.com/publications-review.htm
InstallAware Help -F1 anywhere in the InstallAware IDE
Re: Regarding the a critical DLL preloading vulnerability just posted
Yes, it's very enlightening to see that this issue has been known for about 11 years. It should have gotten fixed shortly after that.
Last edited by pfennig on Tue Aug 02, 2022 11:47 pm, edited 1 time in total.
Best regards
pfennig
- Site Admin
- Posts: 5361
- Joined: Sun Aug 22, 2010 4:28 am
Re: Regarding the a critical DLL preloading vulnerability just posted
Yes, it's an 11-year-old OS bug, which should have been fixed by the OS vendor... but it wasn't.
Francesco Toscano
InstallAware Software
Re: Regarding the a critical DLL preloading vulnerability just posted
Sure, but with the publishing of the existence of this bug the OS vendor also provided a solution for application developers how to eliminate the vulnerability. So, InstallAware could have done their part a long time ago.
That's why I think they should provide an update for older versions as well.
Best regards
pfennig
Re: Regarding the a critical DLL preloading vulnerability just posted
Thanks for providing the details here. I am relaxed now, as I do not see any attack vector in the cases I was anxious about. I will of course use the new version from now on.
Re: Regarding the a critical DLL preloading vulnerability just posted
For a product that cannot be upgraded and needs to be removed, what is InstallAware's recommended course of action?
I'm concerned that running an uninstall of a product that has been packaged with a version of InstallAware older than 32.10 could trigger the vulnerability.