I have 2 questions about InstallShield Hotfix IOJ-1745445 and CVE-2016-2542.
Question 1) I am using visualstudio 2015 Professional and InstallShield 2015 Limited Edition. The name of the installer file I installed is "InstallShield 2015LimitedEdition.exe" and the version is 22.0.1.0.
In case of "InstallShield 2015 Limited Edition", is InstallShield hotfix "IOJ - 1745445" applied to solve the problem?
Is it effective to apply InstallShield's hotfix "IOJ - 1745445"? The file name of hotfix is IS2015_IOJ - 1745445.exe.
Question 2) Is it possible to uninstall "IOJ - 1745445" and return it to the state before applying it?
You are able to apply IS2015_IOJ-1745445.exe to your Limited Edition installation which will help reduce the risks seen in CVE-2016-2542. Once installed the hotfix cannot be uninstalled, but you can see the files that are updated at the link below.
** Please note that the hotfix is applicable to all editions of InstallShield 2015 and not all files listed as being updated are included in the Limited Edition.
==========
Setup authors can avoid the DLL Preloading issue by (a) not creating setup launcher executables, or (b) by creating setup launcher executables built with InstallShield Hotfix IOJ-1745445 and not using the name setup.exe for those executables. Setup launcher executables built using this hotfix call new Windows APIs which restrict the search path used to find libraries, even dependent libraries.
Setup authors can avoid the Binary Planting issue (a) by not creating setup launcher executables, or (b) by referencing the full path of each executable launched by a setup launcher executable.
Setup authors can avoid the Unquoted Service Path issue by quoting the full path of each executable which is registered as a service by a setup launcher executable.
Custom actions implemented as an executable run as their own process, so they cannot inherit the benefit of InstallShield Hotfix IOJ-1745445 calling the new Windows APIs.
