pandanarabe
Level 2

InstallShield 2015 LE & Hotfix "IOJ-1745445"

I have 2 questions about InstallShield Hotfix IOJ-1745445 and CVE-2016-2542.

Question 1)
I am using Visual Studio 2015 Professional and InstallShield 2015 Limited Edition.
The name of the installer file I installed is "InstallShield 2015LimitedEdition.exe" and the version is 22.0.1.0.

In case of "InstallShield 2015 Limited Edition", is InstallShield hotfix "IOJ-1745445" applied to solve the problem?

Is it effective to apply InstallShield's hotfix "IOJ-1745445"?
The file name of hotfix is IS2015_IOJ-1745445.exe.


Question 2)
Is it possible to uninstall "IOJ-1745445" and return it to the state before applying it?

Answer please.
0 Kudos
(2) Replies
JohnTech
Level 6 Flexeran

You are able to apply IS2015_IOJ-1745445.exe to your Limited Edition installation, which will help reduce the risks seen in CVE-2016-2542. Once installed, the hotfix cannot be uninstalled, but you can see the files that are updated at the link below.

** Please note that the hotfix is applicable to all editions of InstallShield 2015 and not all files listed as being updated are included in the Limited Edition.

==========

Setup authors can avoid the DLL Preloading issue by (a) not creating setup launcher executables, or (b) by creating setup launcher executables built with InstallShield Hotfix IOJ-1745445 and not using the name setup.exe for those executables. Setup launcher executables built using this hotfix call new Windows APIs which restrict the search path used to find libraries, even dependent libraries.

Setup authors can avoid the Binary Planting issue (a) by not creating setup launcher executables, or (b) by referencing the full path of each executable launched by a setup launcher executable.

Setup authors can avoid the Unquoted Service Path issue by quoting the full path of each executable which is registered as a service by a setup launcher executable.

Custom actions implemented as an executable run as their own process, so they cannot inherit the benefit of InstallShield Hotfix IOJ-1745445 calling the new Windows APIs.



https://flexeracommunity.force.com/customer/articles/en_US/INFO/Best-Practices-to-Avoid-Windows-Setup-Launcher-Executable-Issues

==========
0 Kudos
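An added example (not part of the original thread or of the linked Flexera article): a Python check for the Unquoted Service Path issue described in the reply above. It takes service ImagePath strings, flags those whose executable path contains spaces but is not quoted, and returns the quoted form to register instead. The function names, service names and sample values are constructed for illustration.

```python
import re

# End of the executable in an unquoted command line: the first ".exe" followed
# by whitespace or end of string. A directory name that itself ends in ".exe"
# defeats this heuristic; such values need a manual look.
EXE_END = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)


def audit(image_path):
    """Return (status, suggested_value) for one service ImagePath string.

    status is "ok", "unquoted" (executable path has spaces and no quotes) or
    "review" (no .exe found or an unterminated quote; not judged here).
    """
    value = image_path.strip()
    if value.startswith('"'):
        # Quoted executable: acceptable as long as the quote is closed.
        closed = value.find('"', 1) != -1
        return ("ok" if closed else "review"), image_path
    match = EXE_END.search(value)
    if match is None:
        return "review", image_path
    exe, args = value[:match.end()], value[match.end():].strip()
    if " " not in exe:
        return "ok", image_path
    # Quote only the executable; arguments stay outside the quotes.
    return "unquoted", ('"%s" %s' % (exe, args)).strip()


# Constructed sample values (hypothetical services), in the form stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
SAMPLES = {
    "ExampleUpdater": r"C:\Program Files\Example Vendor\Updater\updater.exe /service",
    "ExampleAgent": r'"C:\Program Files\Example Vendor\Agent\agent.exe" --run',
    "ExampleTool": r"C:\Tools\svc.exe -k",
    "ExampleDriver": r"\SystemRoot\System32\drivers\example.sys",
}


def report(samples):
    """Audit every sample and return {service_name: (status, suggested_value)}."""
    return {name: audit(path) for name, path in samples.items()}


if __name__ == "__main__":
    for name, (status, fixed) in report(SAMPLES).items():
        print("%-15s %-9s %s" % (name, status, fixed))
```
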
pandanarabe
Level 2

Hello jKell,

Thank you for your response regarding InstallShield 2015 LE and CVE-2016-2542.

Thank you.
panda
0 Kudos