InstallBuilder Blog

InstallBuilder 24.3.0 Released Mar 8

InstallBuilder version 24.3.0 has been released. Our engineers have been working on the following improvements and bug fixes:

  • Properly detect macOS 13
  • Support programmatically disabling buttons
  • Improved <getFreeDiskSpace> to gracefully handle scenarios with erroneous filesystems on macOS
  • Improve language detection on macOS
  • Updated documentation
  • Updated internal dependencies

Backstaff Software acquires InstallBuilder Dec 15

We are excited to announce that Backstaff Software has acquired InstallBuilder from VMware and will take on ongoing development and maintenance of the software.

At Backstaff Software, we are committed to improving and enhancing InstallBuilder and we will continue to provide technical support to existing and future customers.

We have worked closely with VMware to make the transition seamless. Effective today, Dec 15th 2022, customers will be able to:

We would love to hear from our users about feature suggestions, issues, and comments you want to share with us! That feedback will be greatly appreciated and will help to continue to improve InstallBuilder.

Myrian Mencos

CEO

Backstaff Software

InstallBuilder 22.10.0 released Nov 2

InstallBuilder version 22.10.0 has been released. Our engineers have been working on the following improvements and bug fixes:

  • Support using HTML values in <infoParameter> for all graphical modes
  • Added new <enableGlobMatching> setting to <deleteFile> action to allow deleting special filenames
  • Improved generation of unique identifiers
  • Improved DLL loading on Qt installers
  • Improved windows 32-bit runtimes to prevent false positives in some antivirus vendors
  • Updated documentation

UPDATE:

We have created a CVE entry for the Improved DLL loading on Qt installers (CVE-2022-31694) issue fixed in InstallBuilder 22.10.0.

DLL planting vulnerability in InstallBuilder for Qt installers (CVE-2022-31694 )

InstallBuilder for Qt Windows installers using dialog actions (popups) are vulnerable to DLL hijacking attacks.

Background

InstallBuilder Qt installers built with versions previous to 22.10 try to load DLLs from the installer binary parent directory when displaying popups. This may allow an attacker to plant a malicious DLL in the installer parent directory to allow executing code with the privileges of the installer (when the popup triggers the loading of the library.)

Exploiting these types of vulnerabilities generally requires that an attacker has access to a vulnerable machine to plant the malicious DLL.

Remediation

Affected InstallBuilder for Qt customers should update to InstallBuilder 22.10.0 or later and release new versions.

We would like to thank Marius Gabriel Mihai for reporting the issue.

InstallBuilder 22.3.0 released May 18

InstallBuilder version 22.3.0 has been released. Our engineers have been working on the following improvements and bug fixes:

  • Improved signing errors reporting
  • Updated internal dependencies
  • Support built-in macOS signing using G2 certificates
  • Fixed typo in Ukrainian translation
  • Fixed qt installers crashing on Linux systems reporting incorrect screen metrics

InstallBuilder 21.12.0 released Feb 4

InstallBuilder version 21.12.0 has been released. Our engineers have been working on the following improvements and bug fixes:

  • Added support for Windows 11 and Windows 2022
  • Improved temporary file creation on macOS
  • Improved Java versions detection
  • New windows_os_build_number built-in variable
  • Support Centos 6 in linux-arm64 installers
  • Fixed DMGs created on Windows not working on macOS Monterey
  • Fixed Linux installers failing on some Wayland environments

InstallBuilder 21.9.0 Released Oct 19

InstallBuilder version 21.9.0 has been released. Our engineers have been working on the following improvements and bug fixes:

  • Initial support for macOS Monterey
  • Support AdoptOpenJDK vendor when autodetecting Java
  • Improved visibility of installer initialization errors on Windows
  • Improved <createJavaLaunchers> creation to avoid creation issues with the file being locked on Windows
  • Fixed macOS Admin launcher not stored as executable when using <createOsxBundleZip>
  • Support query parameters in AutoUpdate download URLs
  • Enforced AutoUpdate macOS bundle permissions
  • Fixed display issues on macOS Monterey
  • Fixed Builder popups failing on macOS Monterey
  • Fixed osxsigner tool not signing the osx-arm64 runtime when using native signing

InstallBuilder 21.6.0 Released Oct 19

InstallBuilder version 21.6.0 has been released. Our engineers have been working on the following improvements and bug fixes:

  • Enabled Qt Professional and Professional flavors to build linux-arm32 and linux-arm64
  • Updated documentation and updated its look and feel
  • Always include osx-x86_64 runtime when generating uninstallers on macOS M1 machines
  • Support using three lines of text in installer pages titles without any cropping
  • Improved installers compatibility when running on macOS M1
  • Improved uninstaller launching process on Windows
  • Enforce full path to reg command on Windows
  • Fixed environment modification actions not properly preserving Unicode characters on Unix
  • Fixed installers crashing on some macOS 10.14.6 environments

UPDATE:

We have created two CVE entries for the “ Enforce full path to reg command on Windows” (CVE-2021-22037) and “ Improved uninstaller launching process on Windows” (CVE-2021-22038) issues fixed in InstallBuilder 21.6.0

Search Order Hijacking when performing registry actions ( CVE-2021-22037 )

InstallBuilder Windows installers are vulnerable to Path Interception by Search Order Hijacking

Background

Under certain circumstances, when manipulating the Windows registry, InstallBuilder uses the reg.exe system command. The full path to the command is not enforced, which results in a search in the search path until a binary can be identified. This makes the uninstaller vulnerable to Path Interception by Search Order Hijacking, potentially allowing an attacker to plant a malicious reg.exe command so it takes precedence over the system command, allowing execution with the security scope of the installer/uninstaller. The attack requires previous access to the machine to be able to plant the malicious library at some point before the vulnerable installer is executed.

The vulnerability only affects Windows installers.

Remediation

Affected InstallBuilder customers should update to InstallBuilder 21.6.0 or later and release new versions.

Binary planting at uninstall time (CVE-2021-22038 )

InstallBuilder Windows uninstallers are vulnerable to a binary planting attack

Background

On Windows, the uninstaller binary copies itself to a fixed temporary location, which is then executed (the originally called uninstaller then exits, so it does not block the installation directory). This temporary location is not randomized and does not restrict access to Administrators only so a potential attacker could plant a binary to replace the copied binary right before it gets called, thus allowing execution with the security scope of the uninstaller. The attack requires previous access to the machine and to monitor the temporary directory waiting to intercept the uninstaller binary.

Remediation

Affected InstallBuilder customers should update to InstallBuilder 21.6.0 or later and release new versions.

We would like to thank the Lockheed Martin Red Team and Zscaler for reporting the issue and helping us in testing the fixes.

InstallBuilder 20.12.0 Released Dec 29

InstallBuilder now supports MacOS ARM, making it possible to build and run installers on Macs that use the Apple M1 chip. Another improvement is the added initial support for Linux ARM. Here is the full list of changes for version 20.12.0:

  • Added macOS ARM support
  • Added initial support for Linux ARM
  • Improved Linux distribution detection
  • Improved buttons look and feel on macOS Catalina and newer
  • Improved dependencies loading on Windows 7
  • Fixed redraw glitch on Windows when using some complex parameter groups

InstallBuilder 20.9 available for download now Oct 16

InstallBuilder version 20.9.0 has been released. Our engineers have been working on the following improvements and bug fixes:

- Add support for properly detecting macOS Big Sur as running platform

- Improve <portTest> rule to never fail and log errors instead

- Added support for Zsh shell

- New <propertiesFileTest> rule

- Improved random number generator on Windows platforms

- Fixed macOS installers not properly detecting the proper runtime when running on Apple Silicon ARM Macs

- Fixed installer buttons look and feel on macOS Big Sur

- Fixed HTTPS connections not properly validating when using a proxy

- Prevent hidden parameters from invoking their rules

InstallBuilder 20.7.0 Released Aug 21

InstallBuilder 20.7.0 has been released. In addition to minor fixes, it updates internal dependencies and how they are loaded on Windows systems. These improvements solve an internal security vulnerability (more details to follow) so updating to this version is encouraged for all users, especially Qt users.

Here is the complete changelog for the release:

  • Improved internal dependencies loading on Windows
  • Log uninstaller exit code
  • Updated internal dependencies on Windows x86
  • Fixed <userTest> account type checks not properly working on Windows x64
  • Fixed <runProgram> failing to run inside internationalised directory wen using <wrapInScript> on Windows
  • Fixed Qt installers looking for plugins by default at install time

UPDATE:

We have created a CVE entry (CVE-2020-3979) for the “Fixed Qt installers looking for plugins by default at install time”

issue fixed in InstallBuilder 20.7.0.

DLL planting vulnerability on InstallBuilder for Qt Windows installers

InstallBuilder for Qt Windows installers are vulnerable to dll planting attacks.

Background

InstallBuilder for Qt Windows installers look for plugins at a predictable location at initialization time, writable by non-admin users. While those plugins are not required, they are loaded if present, which could allow an attacker to plant a malicious library which could result in code execution with the security scope of the installer. The attack requires previous access to the machine to be able to plant the malicious library at some point before the vulnerable installer is executed.

Remediation

Affected InstallBuilder for Qt customers should update to InstallBuilder 20.7.0 or later and release new versions.

We would like to thank Hou JingYi (@hjy79425575) of Qihoo 360 CERT ( https://houjingyi233.com/) for reporting the issue to us.