cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Windows loads a different library or launches a different executable than was intended by the author of a InstallShield setup launcher executable

Windows loads a different library or launches a different executable than was intended by the author of a InstallShield setup launcher executable

Summary

Best Practices to Avoid Windows Setup Launcher Executable Issues for InstallShield.

Synopsis

Several issues can, under very specific conditions, cause Windows to load a different library or launch a different executable than was intended by the author of a setup launcher executable.

Referencing a library by less than its full path. Example: requesting to load the library,
schannel.dll
instead of,
C:\Windows\System32\schannel.dll


This can cause a DLL Preloading issue. If there is a library with the name earlier in the search path than the intended library, the unintended library will be loaded.

Referencing an executable by less than its full path. Example: requesting to launch the executable,
wmplayer.exe
instead of,
?C:\Program Files\Windows Media Player\wmplayer.exe?


This can cause a Binary Planting issue. If there is an executable with the name wmplayer.exe earlier in the search path than the intended executable, the unintended executable will be launched.

Referencing an executable by its full path, but not quoting that full path when it contains space characters. Example: requesting to launch the executable,
C:\Program Files\Windows Media Player\wmplayer.exe
instead of,
?C:\Program Files\Windows Media Player\wmplayer.exe?


This can cause an Unquoted Path issue. If there is an executable with one of the following names (in quotes), that unintended executable will be launched instead of the intended executable. The other parts of the path will be mistaken as parameters:


?C:\Program.exe? Files\Windows Media Player\wmplayer.exe
?C:\Program Files\Windows.exe? Media Player\wmplayer.exe
?C:\Program Files\Windows Media.exe? Player\wmplayer.exe
This is usually called an Unquoted Service Path issue because even though a programmer can forget to put quotes around the path when launching any executable in any context, this happens most often when a setup author configures a service to be started by Windows and forgets to quote the service?s path.

Naming an executable setup.exe

Discussion

For a computer to be affected by these issues, an unauthorized person must (a) be able to place a library or executable on the computer, (b) choose the correct name of the library or executable, and (c) in some cases precisely time the placement.

If the unauthorized person?s access allows them to launch an executable with the privileges necessary for that executable to have its intended effect, they would simply launch that executable directly instead of using these methods to launch their library or executable indirectly.


InstallShield Hotfix IOJ-1745445

This issue has been published as CVE-2016-2542.

Setup authors can avoid the DLL Preloading issue by (a) not creating setup launcher executables, or (b) by creating setup launcher executables built with InstallShield Hotfix IOJ-1745445 and not using the name setup.exe for those executables. Setup launcher executables built using this hotfix call new Windows APIs which restrict the search path used to find libraries, even dependent libraries.

Setup authors can avoid the Binary Planting issue (a) by not creating setup launcher executables, or (b) by referencing the full path of each executable launched by a setup launcher executable.

Setup authors can avoid the Unquoted Service Path issue by quoting the full path of each executable which is registered as a service by a setup launcher executable.

Custom actions implemented as an executable run as their own process, so they cannot inherit the benefit of InstallShield Hotfix IOJ-1745445 calling the new Windows APIs. Those custom action executables need to follow the Windows best practice recommendations discussed on the web pages reference below.
NOTE 1: On February, 17, 2017, the Hotfixes for InstallShield 2013 SP1, InstallShield 2014 SP1, and InstallShield 2015 SP1 were updated to resolve an issue which could cause a crash on particular machines, tracked as Issue #IOJ-1771076 and Issue #IOJ-1777822.

NOTE 2: On February, 23, 2018, the Hotfixes for InstallShield 2015 SP2 and InstallShield 2016 SP2 were updated to resolve an issue which caused an improper load of ntmarta.dll to occur if it is located in the same folder as a InstallScript single .exe installer, causing a Unicode crash during setup initialization on specific Windows 7 machines, tracked as Issue #IOJ-1829226.
InstallShield 2016 SP2 Hotfix IOJ-1829226 may be downloaded here.
InstallShield 2015 SP2 Hotfix IOJ-1829226 may be downloaded here.
InstallShield 2014 SP1 Hotfix IOJ-1745445 may be downloaded here.
InstallShield 2013 SP1 Hotfix IOJ-1745445 may be downloaded here.
InstallShield 2012 Spring SP1 Hotfix IOJ-1745445 may be downloaded here.

In order to determine if the InstallShield Hotfix has been installed, verify the version of the following files:

InstallShield 2012 Spring SP1:

The following files will be updated to version 19.0.0.200, except for SuiteAppxHelper.exe which will be updated to version 20.0.0.530:

<ISInstallLocation>\Redist\0409\i386
  • dotnetfx.exe
<ISInstallLocation>\Redist\Compressed Files\Language Independent\Intel 32
  • IISRT.dll
  • SQLRT.dll
<ISInstallLocation>\Redist\Language Independent\i386
  • ISChain.exe
  • isexternalui.dll
  • ISRT.dll
  • ISSetup.dll
  • setup.exe
  • Setup_UI.dll
  • setupPreReq.exe
  • SetupSuite.exe
  • SuiteAppxHelper.exe
<ISInstallLocation>\Redist\Language Independent\x64
  • SetupSuite64.exe
<ISInstallLocation>\Redist\Language Independent\i386\ISP
  • ISSetup.dll
  • setup.exe

InstallShield 2013 SP1, InstallShield 2014 SP1, and InstallShield 2015 SP1:

The following files will be updated to the version in the table below:
InstallShield 2013 SP120.0.0.531
InstallShield 2014 SP121.0.0.351
InstallShield 2015 SP122.0.0.365
<ISInstallLocation>\Redist\0409\i386
  • dotnetfx.exe
<ISInstallLocation>\Redist\Compressed Files\Language Independent\Intel 32
  • IISRT.dll
  • SQLRT.dll
<ISInstallLocation>\Redist\Language Independent\i386
  • ISChain.exe
  • isexternalui.dll
  • ISRT.dll
  • ISSetup.dll
  • setup.exe
  • Setup_UI.dll
  • setupPreReq.exe
  • SetupSuite.exe
  • SuiteAppxHelper.exe
<ISInstallLocation>\Redist\Language Independent\x64
  • ISChain.exe
  • SetupSuite64.exe
<ISInstallLocation>\Redist\Language Independent\i386\ISP
  • ISSetup.dll
  • setup.exe
InstallShield 2016 Spring SP2:

The following files will be updated to version 23.0.0.517

<ISInstallLocation>\Redist\Language Independent\i386
  • Setup.exe
  • SetupPreReq.exe
  • SetupSuite.exe

Additional Information

Labels (1)
No ratings
Version history
Last update:
‎Nov 09, 2018 07:19 PM
Updated by: