InstallBuilder version 22.10.0 has been released. Our engineers have been working on the following improvements and bug fixes:

  • Support using HTML values in <infoParameter> for all graphical modes
  • Added new <enableGlobMatching> setting to <deleteFile> action to allow deleting special filenames
  • Improved generation of unique identifiers
  • Improved DLL loading on Qt installers
  • Improved Windows 32-bit runtimes to prevent false positives from some antivirus vendors
  • Updated documentation

UPDATE:

We have created a CVE entry (CVE-2022-31694) for the "Improved DLL loading on Qt installers" issue fixed in InstallBuilder 22.10.0.

DLL planting vulnerability in InstallBuilder for Qt installers (CVE-2022-31694)

Windows installers built with InstallBuilder for Qt that use dialog actions (popups) are vulnerable to DLL hijacking attacks.

Background

InstallBuilder Qt installers built with versions prior to 22.10 try to load DLLs from the parent directory of the installer binary when displaying popups. An attacker who plants a malicious DLL in that directory may be able to execute code with the privileges of the installer when a popup triggers the loading of the library.

Exploiting these types of vulnerabilities generally requires that an attacker has access to a vulnerable machine to plant the malicious DLL.
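For anyone who still has to run an installer built with an affected version, the following added example (not InstallBuilder code or vendor guidance) checks the installer's parent directory for DLL files and, if any are present, copies the installer alone into a fresh empty directory to run from there. The function names and the placeholder file names in the demo are assumptions made for illustration; the page does not name the DLLs involved, so every DLL beside the installer is reported for review.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def dlls_beside(installer):
    """Return (name, sha256) for every DLL in the installer's parent directory."""
    parent = Path(installer).resolve().parent
    found = []
    for entry in sorted(parent.iterdir()):
        # Windows file names are case-insensitive, so compare the lowered suffix.
        if entry.is_file() and entry.suffix.lower() == ".dll":
            found.append((entry.name, hashlib.sha256(entry.read_bytes()).hexdigest()))
    return found


def stage_in_empty_dir(installer):
    """Copy only the installer into a newly created directory; return the copy."""
    staging = Path(tempfile.mkdtemp(prefix="installer-stage-"))
    return Path(shutil.copy2(installer, staging))


def preflight(installer):
    """Report DLLs next to the installer; if any exist, return a staged copy to run."""
    findings = dlls_beside(installer)
    target = stage_in_empty_dir(installer) if findings else Path(installer).resolve()
    return findings, target


if __name__ == "__main__":
    # Constructed demo: a stand-in download folder with placeholder files.
    downloads = Path(tempfile.mkdtemp(prefix="downloads-"))
    (downloads / "example-installer.exe").write_bytes(b"MZ constructed placeholder")
    (downloads / "Example.DLL").write_bytes(b"constructed placeholder")
    findings, target = preflight(downloads / "example-installer.exe")
    for name, digest in findings:
        print(f"DLL beside installer: {name} sha256={digest}")
    print(f"run from: {target}")
```

A reported DLL is not necessarily malicious; the hash is there so it can be compared against a known-good copy before the original directory is trusted again.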

Remediation

Affected InstallBuilder for Qt customers should update to InstallBuilder 22.10.0 or later and release new versions of their installers.

We would like to thank Marius Gabriel Mihai for reporting the issue.