This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
tkeyser
Level 2
- Revenera Community
- :
- About tkeyser
May 08, 2024
03:42 PM
When an admin chooses a custom path, does InstallShield provide permission/ACL support for all of the new items in the path?
... View more
Labels
- Labels:
-
InstallShield 2016 Professional
May 14, 2021
09:12 AM
There appears to be an issue in the installshield code. After an installation occurs and the user runs a repair on the installation, the repair option allows any user to execute the action without admin privileges. ISBEW64.exe appears to be the culprit, which from my understanding is packaged with installshield and we do not have access to it? When the repair action is invoked, the exe is copied to the windows temp directory and can be manipulated by anyone with system level access. The modify and remove actions in the maintenance options don't appear to have this issue as they require admin rights to continue. We cannot simply just remove the repair option as there are three ways to invoke it: MSI dialog box by either clicking on the msi again or under programs and features Right clicking the msi and clicking on repair Running msiexec /f to force a repair to run The second and third ways are based on computer configuration so we don't have control over that. There was a Microsoft patch back in January that potentially addressed the issue but after installing the patch, the problem still persists. References: https://improsec.com/tech-blog/the-many-pitfalls-of-windows-msi-privilege-escalation-in-windows-78110server-and-a-range-of-third-party-products https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1661 Please advise on how to resolve this from our end. If we are simply missing something in the configuration that will require the repair step to need admin rights, or if this is a bug on the installshield end that would require a patch fix from your end. We are using installshield 2016 for editing the ISM file and 2019 to build it.
... View more
Labels
- Labels:
-
InstallShield 2019
Latest posts by tkeyser
Subject | Views | Posted |
---|---|---|
102 | May 08, 2024 03:42 PM | |
2452 | May 14, 2021 09:12 AM |
Activity Feed
- Posted ACL support for custom installs on InstallShield Forum. May 08, 2024 03:42 PM
- Posted MSI repair option executes without requiring admin privileges on InstallShield Forum. May 14, 2021 09:12 AM
Contact Me
Online Status |
Offline
|
Date Last Visited |
May 09, 2024
02:52 AM
|