Important Security Updates for the Advanced Installer Auto Updater

Written by Alexandra Stoienescu · June 9th, 2022 · 2min read

Continuously managing security improvements and updates, as we do at Advanced Installer, should be your top priority.

At the beginning of this spring, with the release of Advanced Installer 19.4, we implemented several improvements to mitigate potential security exploits that could affect customers who use the Auto Updater feature of Advanced Installer.

Description | Auto Updater Vulnerability

The Auto Updater vulnerability involves the possibility of an attack that could be initialized towards an end-user machine that is running the Auto Updater, tricking it to run another EXE file that is present on that machine.

However, the vulnerability alone is insufficient for an attacker to exploit a machine.

As part of a separate attack unrelated to our Auto Updater, the attacker would additionally need to download a malicious EXE file onto the machine. The chances for an attacker to synchronize the two attacks are practically zero, and none of our customers have reported such issues so far.

Fixes | Auto Updater Security Improvements

We take all the security vulnerabilities seriously and extra cautiously thus we’ve made a few changes to the Updater’s workflow. Here are the changes you need to be aware of:

  • Users can no longer download updates over an untrusted/expired HTTPS connection (before version 19.4, this was treated as a warning, and users could ignore it, if they chose so)
  • When using the custom EXE detection method, the detection EXE used must be signed using the same digital certificate that was used to sign the updater.exe included in your setup package; otherwise, the check for updates will fail.

What should I do?

Advanced Installer 19.4 and newer versions include all the improvements for the vulnerability described above.

Make sure you are using Advanced Installer 19.4 or a newer version to build your setup package.

If you are not using the Auto Updater from Advanced Installer, there is no action needed.

Credit

We would like to thank Gerr.re for discovering and reporting the Auto Updater vulnerability to the Advanced Installer team.

We want you to know that we take these security improvements very seriously and advise you to upgrade your Advanced Installer version.

If you have any questions, please feel free to email us at support@advancedinstaller.com.

Subscribe to Our Newsletter

Sign up for free and be the first to receive the latest news, videos, exclusive How-Tos, and guides from Advanced Installer.

Comments: