Important Security Updates for the Advanced Installer Auto Updater

Description | Auto Updater Vulnerability

The Auto Updater vulnerability involves the possibility of an attack that could be initialized towards an end-user machine that is running the Auto Updater, tricking it to run another EXE file that is present on that machine.

However, the vulnerability alone is insufficient for an attacker to exploit a machine.

As part of a separate attack unrelated to our Auto Updater, the attacker would additionally need to download a malicious EXE file onto the machine. The chances for an attacker to synchronize the two attacks are practically zero, and none of our customers have reported such issues so far.

Fixes | Auto Updater Security Improvements

We take all the security vulnerabilities seriously and extra cautiously thus we’ve made a few changes to the Updater’s workflow. Here are the changes you need to be aware of:

• Users can no longer download updates over an untrusted/expired HTTPS connection (before version 19.4, this was treated as a warning, and users could ignore it, if they chose so)
• When using the custom EXE detection method, the detection EXE used must be signed using the same digital certificate that was used to sign the updater.exe included in your setup package; otherwise, the check for updates will fail.

What should I do?

Advanced Installer 19.4 and newer versions include all the improvements for the vulnerability described above.

Make sure you are using Advanced Installer 19.4 or a newer version to build your setup package.

If you are not using the Auto Updater from Advanced Installer, there is no action needed.

Credit

We would like to thank Gerr.re for discovering and reporting the Auto Updater vulnerability to the Advanced Installer team.

We want you to know that we take these security improvements very seriously and advise you to upgrade your Advanced Installer version.

If you have any questions, please feel free to email us at support@advancedinstaller.com.