A vulnerability in all Windows OSes allows a malicious DLL to hijack your EXE installer upon launch. While the EXE shows your legitimate digital signature the attacker DLL will be able to run in the background.
MSI packages are not affected by this vulnerability, only EXE installers.
Advanced Installer 12.7 contains a security release for this problem. We recommend all our users to upgrade from their older versions of Advanced Installer.
Untrusted DLLs getting loaded by your setup
Normally, when you launch an EXE it loads the required DLLs. These are searched for in a list of locations. This includes: the EXE folder, the current working directory and other OS predefined folders.
An attacker will just need to place a DLL called version.dll in the Downloads folder, next to a setup downloaded by the user. When that setup is launched the malicious DLL found next to it will be loaded, instead of the real one from %WINDIR%\System32, gaining the same elevation rights as the EXE installer.
Don't name your package "setup.exe"
This type of attack relies on using names of commonly loaded DLLs, e.g. version.dll, uxtheme.dll, etc.
On top of this, if your installer is named setup.exe the OS will preload a predefined list of DLLs (e.g. version.dll), even if they are not used by your installation. This happens early, before the first line of code from your installer is executed.
Microsoft hasn't documented this behavior. However, the solution is simple: never name your installer setup.exe. Advanced Installer 12.8 will include name validations for your output installers, by raising a warning at build time if the name of your output is setup.exe.
If you liked this article check out our blog, you can read more and subscribe.