Summary 

Adding an InstallScript custom action to a Basic MSI or InstallScript MSI project extracts few binaries to a predefined writable folder during installation time. The standard user account has write access to these files and folders, hence replacing them during installation time can lead to a DLL hijacking vulnerability. Revenera has issued a security patch to correct this flaw. 

Resolution

This security fix avoids using known folders and only extracts to a new random secured folder every time the setup is launched. These secured folders have proper access controls so that the standard user cannot access them in all possible scenarios. 

Patch for InstallShield 2021 R2 

To apply the fix, download the InstallShield 2021 R2 Security Patch.exe and run it on the machine that has either InstallShield 2021 R2 or Standalone Build (SAB) products installed. 

Patch for InstallShield 2022 R2 

To apply the fix, download the InstallShield 2022 R2 Security Patch.exe and run it on the machine that has either InstallShield 2022 R2 or Standalone Build (SAB) products installed. 
 

To run the patch installation silently: 

Download the security patch setup to a temporary folder on the machine on which you want to apply the fix. 

1. Download the  ISSecurityPatchSilentResponseFile.zip file, extract the ISSecurityPatchSilentResponseFile.iss file from the .zip file, and place the ISSecurityPatchSilentResponseFile.iss file in the same folder as the ‘InstallShield 2022 R2 Security Patch.exe’ or ‘InstallShield 2021 R2 Security Patch.exe’ patch file. 
   
   
2. Open a Command Prompt window with elevated privileges. (To do so, right-click the shortcut for the Command Prompt window, and then click Run as administrator.) 
   
   
3. Run the following command: 
   "C:\Path\InstallShield <Version> R2 Security Patch.exe" /s /f1"C:\Path\ISSecurityPatchSilentResponseFile.iss" 
   where the path (C:\Path\) is replaced with the appropriate location and the <Version> is replaced with either 2022 or 2021.

When the patch is run, it will correct all the identified security flaws in the above products that are installed on the machine.  

 To determine if the InstallShield Hotfix has been installed, verify the version of the following files: 

The following files will be updated to version 28.0.0.763 (InstallShield 2022 R2) and version 27.0.0.126 (InstallShield 2021 R2): 
 
<ISInstallLocation>\Redist\Language Independent\i386 

• ISSetup.dll 
• setup.exe 
• setupPreReq.exe 
• SFHelper.dll 
   

<ISInstallLocation>\Redist\Language Independent\x64 

• setup.exe 
• setupPreReq.exe 
• SFHelper.dll  
   

<ISInstallLocation>\Redist\Language Independent\i386\ISP 

• ISSetup.dll
• setup.exe 
• Setup.ocx 
   

<ISInstallLocation>\System 

• ISSetup.dll