Installer Vulnerability

January 7th, 2016 - Thursday


A vulnerability in all Windows OSes allows a malicious DLL to hijack your EXE installer upon launch. While the EXE shows your legitimate digital signature, the attacker's DLL is able to run in the background.

MSI packages are not affected by this vulnerability, only EXE installers.

Action Required

Advanced Installer 12.7 contains a security release for this problem. We recommend that all our users upgrade from older versions of Advanced Installer.

Untrusted DLLs getting loaded by your setup

Normally, when you launch an EXE, it loads the DLLs it requires. Windows searches for them in a list of locations that includes the EXE folder, the current working directory and other OS-predefined folders.

An attacker only needs to place a DLL called version.dll in the Downloads folder, next to a setup downloaded by the user. When that setup is launched, the malicious DLL found next to it is loaded instead of the real one from %WINDIR%\System32, gaining the same elevation rights as the EXE installer.

Don't name your package "setup.exe"

This type of attack relies on using names of commonly loaded DLLs, e.g. version.dll, uxtheme.dll, etc.

On top of this, if your installer is named setup.exe, the OS will preload a predefined list of DLLs (e.g. version.dll), even if they are not used by your installation. This happens early, before the first line of code from your installer is executed.

Microsoft hasn't documented this behavior. However, the solution is simple: never name your installer setup.exe. Advanced Installer 12.8 will include name validation for your output installers, raising a warning at build time if the name of your output is setup.exe.
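
An added example (not Advanced Installer's code) covering both the DLL search-order issue and the setup.exe naming advice above: a Python check that audits a single folder, such as Downloads or a build output directory, for DLLs whose names match System32 DLLs while sitting next to an EXE, and for installers named setup.exe. The function names and finding labels are assumptions made for this example, and the sample folder is constructed.

```python
import os
import tempfile
from pathlib import Path

# DLL names the page gives as examples; on Windows the list is extended
# with every DLL actually present in %WINDIR%\System32.
PAGE_EXAMPLES = {"version.dll", "uxtheme.dll"}


def system_dll_names():
    names = set(PAGE_EXAMPLES)
    sys32 = Path(os.environ.get("WINDIR", "")) / "System32"
    if os.name == "nt" and sys32.is_dir():
        names |= {p.name.lower() for p in sys32.glob("*.dll")}
    return names


def audit_folder(folder, dll_names=None):
    """Return sorted findings for one folder (not recursive)."""
    dll_names = dll_names or system_dll_names()
    files = [p for p in Path(folder).iterdir() if p.is_file()]
    exes = sorted(p.name for p in files if p.suffix.lower() == ".exe")
    findings = []
    for p in files:
        # Windows file names are case-insensitive, so compare lowercased.
        # A same-named DLL only matters here when an EXE sits beside it.
        if p.suffix.lower() == ".dll" and p.name.lower() in dll_names and exes:
            findings.append(("dll-shadows-system32", p.name, exes))
    for name in exes:
        # The page's advice: never ship an installer called setup.exe.
        if name.lower() == "setup.exe":
            findings.append(("installer-named-setup.exe", name, []))
    return sorted(findings)


def demo():
    # Constructed sample folder: empty placeholder files only.
    names = ("MyProduct-1.0.exe", "Version.DLL", "setup.exe",
             "notes.txt", "helper.dll")
    with tempfile.TemporaryDirectory() as d:
        for name in names:
            (Path(d) / name).touch()
        return audit_folder(d, PAGE_EXAMPLES)


if __name__ == "__main__":
    for kind, name, exes in demo():
        print(kind, name, exes)
```

A finding of the first kind means the DLL in that folder, not the one in %WINDIR%\System32, is the one an installer launched from there would load.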