Show Properties   Printable View
Article

Best Practices to Avoid Windows Setup Launcher Executable Issues

:

Synopsis

 
Several issues can, under very specific conditions, cause Windows to load a different library or launch a different executable than was intended by the author of a setup launcher executable.

Issue #1 – Referencing a library by less than its full path
 
Issue #2 – Referencing an executable by less than its full path
 
Issue #3 – Referencing an executable by its full path, but not quoting that full path when it contains space characters
 
Issue #4 – Naming an executable setup.exe

Discussion

 

Examples

Here are some examples of how each issue can be caused:
 
Issue #1     requesting to load the library,
schannel.dll
instead of,
C:\Windows\System32\schannel.dll
 
This can cause a DLL Preloading issue. If there is a library with the name earlier in the search path than the intended library, the unintended library will be loaded.
 
Issue #2     requesting to launch the executable,
wmplayer.exe
instead of,
“C:\Program Files\Windows Media Player\wmplayer.exe”
 
This can cause a Binary Planting issue. If there is an executable with the name wmplayer.exe earlier in the search path than the intended executable, the unintended executable will be launched.
 
Issue #3     requesting to launch the executable,
C:\Program Files\Windows Media Player\wmplayer.exe
instead of,
“C:\Program Files\Windows Media Player\wmplayer.exe”
 
This can cause an Unquoted Path issue. If there is an executable with one of the following names (in quotes), that unintended executable will be launched instead of the intended executable. The other parts of the path will be mistaken as parameters:
 
“C:\Program.exe” Files\Windows Media Player\wmplayer.exe
“C:\Program Files\Windows.exe” Media Player\wmplayer.exe
“C:\Program Files\Windows Media.exe” Player\wmplayer.exe

This is usually called an Unquoted Service Path issue because even though a programmer can forget to put quotes around the path when launching any executable in any context, this happens most often when a setup author configures a service to be started by Windows and forgets to quote the service’s path.


Conditions

For a computer to be affected by these issues, an unauthorized person must (a) be able to place a library or executable on the computer, (b) choose the correct name of the library or executable, and (c) in some cases precisely time the placement.
 
If the unauthorized person’s access allows them to launch an executable with the privileges necessary for that executable to have its intended effect, they would simply launch that executable directly instead of using these methods to launch their library or executable indirectly.


InstallShield Hotfix IOJ-1745445

This issue has been published as CVE-2016-2542.
 
Setup authors can avoid the DLL Preloading issue by (a) not creating setup launcher executables, or (b) by creating setup launcher executables built with InstallShield Hotfix IOJ-1745445 and not using the name setup.exe for those executables. Setup launcher executables built using this hotfix call new Windows APIs which restrict the search path used to find libraries, even dependent libraries.
 
Setup authors can avoid the Binary Planting issue (a) by not creating setup launcher executables, or (b) by referencing the full path of each executable launched by a setup launcher executable.
 
Setup authors can avoid the Unquoted Service Path issue by quoting the full path of each executable which is registered as a service by a setup launcher executable.
 
Custom actions implemented as an executable run as their own process, so they cannot inherit the benefit of InstallShield Hotfix IOJ-1745445 calling the new Windows APIs. Those custom action executables need to follow the Windows best practice recommendations discussed on the web pages reference below.

NOTE: On February, 17, 2017, the Hotfixes for InstallShield 2013 SP1, InstallShield 2014 SP1, and InstallShield 2015 SP1 were updated to resolve an issue which could cause a crash on particular machines, tracked as Issue #IOJ-1771076 and Issue #IOJ-1777822.

InstallShield 2015 SP1 Hotfix IOJ-1745445 may be downloaded here.
InstallShield 2014 SP1 Hotfix IOJ-1745445 may be downloaded here.
InstallShield 2013 SP1 Hotfix IOJ-1745445 may be downloaded here.
InstallShield 2012 Spring SP1 Hotfix IOJ-1745445 may be downloaded here.


InstallAnywhere Hotfix IOJ-1756928

This issue has been published as CVE-2016-4560.
 
Setup authors can avoid the DLL Preloading issue by (a) not creating setup launcher executables, or (b) by creating setup launcher executables built with InstallAnywhere Hotfix IOJ-1756928 and not using the name setup.exe for those executables. Setup launcher executables built using this hotfix call new Windows APIs which restrict the search path used to find libraries, even dependent libraries.
 
Setup authors can avoid the Binary Planting issue (a) by not creating setup launcher executables, or (b) by referencing the full path of each executable launched by a setup launcher executable.
 
Setup authors can avoid the Unquoted Service Path issue by quoting the full path of each executable which is registered as a service by a setup launcher executable.
 
InstallAnywhere Hotfix IOJ-1756928 may be downloaded from the following links:
Hotfix Installer for Windows
Hotfix Installer for Linux (32-bit)
Hotfix Installer for Linux (64-bit)
Hotfix Installer for Mac OS X
Hotfix Installer for Solaris Sparc

Additional Information

 
In order to determine if the InstallShield Hotfix has been installed, verify the version of the following files:
 
InstallShield 2012 Spring SP1:
 
The following files will be updated to version 19.0.0.200, except for SuiteAppxHelper.exe which will be updated to version 20.0.0.530:
 
<ISInstallLocation>\Redist\0409\i386
  • dotnetfx.exe
<ISInstallLocation>\Redist\Compressed Files\Language Independent\Intel 32
  • IISRT.dll
  • SQLRT.dll
<ISInstallLocation>\Redist\Language Independent\i386
  • ISChain.exe
  • isexternalui.dll
  • ISRT.dll
  • ISSetup.dll
  • setup.exe
  • Setup_UI.dll
  • setupPreReq.exe
  • SetupSuite.exe
  • SuiteAppxHelper.exe
<ISInstallLocation>\Redist\Language Independent\x64
  • SetupSuite64.exe
<ISInstallLocation>\Redist\Language Independent\i386\ISP
  • ISSetup.dll
  • setup.exe
 
InstallShield 2013 SP1, InstallShield 2014 SP1, and InstallShield 2015 SP1:
 
The following files will be updated to the version in the table below:
 
InstallShield 2013 SP120.0.0.531
InstallShield 2014 SP121.0.0.351
InstallShield 2015 SP122.0.0.365
<ISInstallLocation>\Redist\0409\i386
  • dotnetfx.exe
<ISInstallLocation>\Redist\Compressed Files\Language Independent\Intel 32
  • IISRT.dll
  • SQLRT.dll
<ISInstallLocation>\Redist\Language Independent\i386
  • ISChain.exe
  • isexternalui.dll
  • ISRT.dll
  • ISSetup.dll
  • setup.exe
  • Setup_UI.dll
  • setupPreReq.exe
  • SetupSuite.exe
  • SuiteAppxHelper.exe
<ISInstallLocation>\Redist\Language Independent\x64
  • ISChain.exe
  • SetupSuite64.exe
<ISInstallLocation>\Redist\Language Independent\i386\ISP
  • ISSetup.dll
  • setup.exe
Previous MonthNext Month
SunMonTueWedThuFriSat