InstallBuilder version 24.7.0 has been released. Our engineers have been working on the following improvements and bug fixes:
InstallBuilder version 24.3.0 has been released. Our engineers have been working on the following improvements and bug fixes:
We are excited to announce that Backstaff Software has acquired InstallBuilder from VMware and will take on ongoing development and maintenance of the software.
At Backstaff Software, we are committed to improving and enhancing InstallBuilder and we will continue to provide technical support to existing and future customers.
We have worked closely with VMware to make the transition seamless. Effective today, Dec 15th 2022, customers will be able to:
We would love to hear from our users about feature suggestions, issues, and comments you want to share with us! That feedback will be greatly appreciated and will help to continue to improve InstallBuilder.
Myrian Mencos
CEO
Backstaff Software
InstallBuilder version 22.10.0 has been released. Our engineers have been working on the following improvements and bug fixes:
UPDATE:
We have created a CVE entry for the “Improved DLL loading on Qt installers” (CVE-2022-31694) issue fixed in InstallBuilder 22.10.0.
DLL planting vulnerability in InstallBuilder for Qt installers (CVE-2022-31694 )
InstallBuilder for Qt Windows installers using dialog actions (popups) are vulnerable to DLL hijacking attacks.
Background
InstallBuilder Qt installers built with versions previous to 22.10 try to load DLLs from the installer binary parent directory when displaying popups. This may allow an attacker to plant a malicious DLL in the installer parent directory to allow executing code with the privileges of the installer (when the popup triggers the loading of the library.)
Exploiting these types of vulnerabilities generally requires that an attacker has access to a vulnerable machine to plant the malicious DLL.
Remediation
Affected InstallBuilder for Qt customers should update to InstallBuilder 22.10.0 or later and release new versions.
We would like to thank Marius Gabriel Mihai for reporting the issue.
InstallBuilder version 22.3.0 has been released. Our engineers have been working on the following improvements and bug fixes:
InstallBuilder version 21.12.0 has been released. Our engineers have been working on the following improvements and bug fixes:
InstallBuilder version 21.9.0 has been released. Our engineers have been working on the following improvements and bug fixes:
InstallBuilder version 21.6.0 has been released. Our engineers have been working on the following improvements and bug fixes:
UPDATE:
We have created two CVE entries for the “ Enforce full path to reg command on Windows” (CVE-2021-22037) and “ Improved uninstaller launching process on Windows” (CVE-2021-22038) issues fixed in InstallBuilder 21.6.0
InstallBuilder Windows installers are vulnerable to Path Interception by Search Order Hijacking
Under certain circumstances, when manipulating the Windows registry, InstallBuilder uses the reg.exe system command. The full path to the command is not enforced, which results in a search in the search path until a binary can be identified. This makes the uninstaller vulnerable to Path Interception by Search Order Hijacking, potentially allowing an attacker to plant a malicious reg.exe command so it takes precedence over the system command, allowing execution with the security scope of the installer/uninstaller. The attack requires previous access to the machine to be able to plant the malicious library at some point before the vulnerable installer is executed.
The vulnerability only affects Windows installers.
Affected InstallBuilder customers should update to InstallBuilder 21.6.0 or later and release new versions.
InstallBuilder Windows uninstallers are vulnerable to a binary planting attack
On Windows, the uninstaller binary copies itself to a fixed temporary location, which is then executed (the originally called uninstaller then exits, so it does not block the installation directory). This temporary location is not randomized and does not restrict access to Administrators only so a potential attacker could plant a binary to replace the copied binary right before it gets called, thus allowing execution with the security scope of the uninstaller. The attack requires previous access to the machine and to monitor the temporary directory waiting to intercept the uninstaller binary.
Affected InstallBuilder customers should update to InstallBuilder 21.6.0 or later and release new versions.
We would like to thank the Lockheed Martin Red Team and Zscaler for reporting the issue and helping us in testing the fixes.
InstallBuilder now supports MacOS ARM, making it possible to build and run installers on Macs that use the Apple M1 chip. Another improvement is the added initial support for Linux ARM. Here is the full list of changes for version 20.12.0:
InstallBuilder version 20.9.0 has been released. Our engineers have been working on the following improvements and bug fixes:
- Add support for properly detecting macOS Big Sur as running platform
- Improve <portTest> rule to never fail and log errors instead
- Added support for Zsh shell
- New <propertiesFileTest> rule
- Improved random number generator on Windows platforms
- Fixed macOS installers not properly detecting the proper runtime when running on Apple Silicon ARM Macs
- Fixed installer buttons look and feel on macOS Big Sur
- Fixed HTTPS connections not properly validating when using a proxy
- Prevent hidden parameters from invoking their rules