2021/10/19

InstallBuilder 21.9.0 Released

InstallBuilder version 21.9.0 has been released. Our engineers have been working on the following improvements and bug fixes:

  • Initial support for macOS Monterey
  • Support AdoptOpenJDK vendor when autodetecting Java
  • Improved visibility of installer initialization errors on Windows
  • Improved <createJavaLaunchers> creation to avoid creation issues with the file being locked on Windows
  • Fixed macOS Admin launcher not stored as executable when using <createOsxBundleZip>
  • Support query parameters in AutoUpdate download URLs
  • Enforced AutoUpdate macOS bundle permissions
  • Fixed display issues on macOS Monterey
  • Fixed Builder popups failing on macOS Monterey
  • Fixed osxsigner tool not signing the osx-arm64 runtime when using native signing

InstallBuilder 21.6.0 Released

InstallBuilder version 21.6.0 has been released. Our engineers have been working on the following improvements and bug fixes:

  • Enabled Qt Professional and Professional flavors to build linux-arm32 and linux-arm64
  • Updated documentation and updated its look and feel
  • Always include osx-x86_64 runtime when generating uninstallers on macOS M1 machines
  • Support using three lines of text in installer pages titles without any cropping
  • Improved installers compatibility when running on macOS M1
  • Improved uninstaller launching process on Windows
  • Enforce full path to reg command on Windows
  • Fixed environment modification actions not properly preserving Unicode characters on Unix
  • Fixed installers crashing on some macOS 10.14.6 environments

2020/12/29

InstallBuilder 20.12.0 Released

InstallBuilder now supports macOS ARM, making it possible to build and run installers on Macs that use the Apple M1 chip. Another improvement is the added initial support for Linux ARM. Here is the full list of changes for version 20.12.0:

  • Added macOS ARM support
  • Added initial support for Linux ARM
  • Improved Linux distribution detection
  • Improved buttons look and feel on macOS Catalina and newer
  • Improved dependencies loading on Windows 7
  • Fixed redraw glitch on Windows when using some complex parameter groups

2020/10/16

InstallBuilder 20.9 available for download now

InstallBuilder version 20.9.0 has been released. Our engineers have been working on the following improvements and bug fixes:

- Add support for properly detecting macOS Big Sur as running platform
- Improve <portTest> rule to never fail and log errors instead
- Added support for Zsh shell
- New <propertiesFileTest> rule
- Improved random number generator on Windows platforms
- Fixed macOS installers not properly detecting the proper runtime when running on Apple Silicon ARM Macs
- Fixed installer buttons look and feel on macOS Big Sur
- Fixed HTTPS connections not properly validating when using a proxy
- Prevent hidden parameters from invoking their rules 

2020/08/21

InstallBuilder 20.7.0 Released


InstallBuilder 20.7.0 has been released. In addition to minor fixes, it updates internal dependencies and how they are loaded on Windows systems. These improvements solve an internal security vulnerability (more details to follow) so updating to this version is encouraged for all users, especially Qt users.

Here is the complete changelog for the release:

  • Improved internal dependencies loading on Windows
  • Log uninstaller exit code
  • Updated internal dependencies on Windows x86
  • Fixed <userTest> account type checks not properly working on Windows x64
  • Fixed <runProgram> failing to run inside internationalised directory when using <wrapInScript> on Windows
  • Fixed Qt installers looking for plugins by default at install time

UPDATE:

We have created a CVE entry (CVE-2020-3979) for the "Fixed Qt installers looking for plugins by default at install time" issue fixed in InstallBuilder 20.7.0.

DLL planting vulnerability on InstallBuilder for Qt Windows installers

InstallBuilder for Qt Windows installers are vulnerable to DLL planting attacks.


Background

InstallBuilder for Qt Windows installers look for plugins at initialization time in a predictable location that is writable by non-admin users. While those plugins are not required, they are loaded if present, so an attacker could plant a malicious library there and obtain code execution with the security scope of the installer. The attack requires previous access to the machine to be able to plant the malicious library at some point before the vulnerable installer is executed.

Remediation

Affected InstallBuilder for Qt customers should update to InstallBuilder 20.7.0 or later and release new versions.


We would like to thank Hou JingYi (@hjy79425575) of Qihoo 360 CERT (https://houjingyi233.com/) for reporting the issue to us.

2020/07/02

VMware InstallBuilder 20.6.0 available now

We recently released version 20.6.0 of VMware InstallBuilder. The new release features the following improvements:

  • Fixed <xmlFileGet> and <xmlFileSet> failing on some environments
  • Fixed Windows x64 installers failing to display HTML licenses on win32 mode
  • Fixed failure to load some projects when overriding common attributes in custom actions
  • Fixed <iniFileTest> rule not properly serialized into project files
  • Prevent macOS Catalina from not allowing running overridden signed binaries because of signature caching 

2020/05/05

VMware InstallBuilder 20.4.0 released

For this release our engineers have focussed on adding the following improvements:


  • Fixed build failure when providing malformed booleans for the <enableDebugger> setting
  • Fixed high memory usage at build time when packing files by dereferencing links on Windows
  • Updated internal dependencies

 

2020/02/20

VMware InstallBuilder

As you might know, in May 2019 BitRock was acquired by VMware Inc. Due to that, this week we have implemented a few changes you should know about. To start, you can now find the InstallBuilder website at https://installbuilder.com. Starting from version 20.2.2, InstallBuilder has been renamed to VMware InstallBuilder.

While the software can still be downloaded from the InstallBuilder website, from now on licenses need to be purchased through the official VMware store. The purchase section of our website will automatically redirect you to the right product in the VMware store: https://installbuilder.com/purchase.html. The types of licenses and the product's pricing have not changed and you can expect the same high level of quality of support and maintenance you are accustomed to.

Here is the complete list of changes for VMware InstallBuilder 20.2:


  • Rebranded to VMware InstallBuilder
  • Improved timestamping error detection when signing macOS installers on non-macOS platforms
  • Prevent uninstaller from crashing when failing to check for empty directories because of lack of permissions

2019/12/03

Configure autoupdate project settings from the command line


We have recently released InstallBuilder 19.11.0. With this update it's now possible to use --setvars with the autoupdate builder. This allows you to set different autoupdate project settings and variables from the command line. For example:

    ./autoupdate/bin/customize.run build autoupdate-project.xml linux-x64 --setvars autoupdate.installerFilename=sample.run

Here is the complete list of improvements:


  • Updated HTTP/HTTPS internal dependencies
  • Improved AutoUpdate handling of malformed update.xml files [CVE-2020-3946]
  • Support --setvars command-line option when building the AutoUpdate
  • Support customizing license file location when building the AutoUpdate
  • Improved images rendering on macOS Builder
  • Improved Windows installers exit handling
  • Added .NET 4.8 autodetection
  • Updated documentation
  • Fixed <enableSsl> not honored on Windows at uninstallation time when using signed uninstallers
  • Fixed startmenu shortcuts not being created on windows-x64 installers
  • Fixed HTTP actions not honoring customized Accept header
  • Fixed false signing failure detection when building on macOS Catalina

UPDATE:

We have created a CVE entry (CVE-2020-3946) for the "AutoUpdate handling of malformed update.xml files" issue fixed in InstallBuilder 19.11.0, which could be exploited to crash the AutoUpdate process:


Denial Of Service attack when checking for Updates

InstallBuilder AutoUpdate tool and regular installers enabling <checkForUpdates> built with versions earlier than 19.11 are vulnerable to a Billion laughs attack (denial-of-service).

Background

When checking for updates, the configured remote server is contacted to retrieve an XML file containing information about the existing installer versions. This XML is then loaded in memory on the user's machine. An attacker can forge a special XML exploiting entity expansion that will result in the AutoUpdate consuming system memory until it crashes.

Exploiting this vulnerability requires an attacker either to place the malicious XML in the updates remote server (or to impersonate it via DNS spoofing) or to modify the updates URL in the updates.ini file on the user's machine.

Remediation

Affected InstallBuilder customers using the <checkForUpdates> functionality or distributing the AutoUpdate should update to version 19.11.0 or later and release new versions.

Our engineers have evaluated this issue to have a CVSSv3 score of 5.4.

We would like to thank Tesla Red Team for reporting this issue to us.
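
A client-side guard for the update descriptor described in this advisory, as an added example that is not InstallBuilder's code or its actual fix: it parses update.xml with Python's expat bindings and refuses any DOCTYPE or entity declaration, so entity expansion never starts. The element names, the size cap and the function names are assumptions made for illustration.

```python
import xml.parsers.expat

MAX_UPDATE_XML_BYTES = 64 * 1024  # assumed cap; an update descriptor is a small file


class UnsafeUpdateXml(ValueError):
    """Raised when an update descriptor must not be processed."""


def parse_update_xml(data: bytes) -> dict:
    """Return {leaf element name: text}, refusing any DTD or entity declaration."""
    if len(data) > MAX_UPDATE_XML_BYTES:
        raise UnsafeUpdateXml("descriptor larger than expected")

    fields, text = {}, []

    def forbid_doctype(name, system_id, public_id, has_internal_subset):
        # Fires at "<!DOCTYPE", before the entity declarations that follow are processed.
        raise UnsafeUpdateXml("DOCTYPE is not allowed in update.xml")

    def forbid_entity(*_args):
        raise UnsafeUpdateXml("entity declarations are not allowed")

    def start(_name, _attrs):
        text.clear()

    def end(name):
        value = "".join(text).strip()
        if value:  # only leaf elements carry text
            fields[name] = value
        text.clear()

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text.append
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        # Covers malformed input and references to undeclared entities.
        raise UnsafeUpdateXml(f"malformed update.xml: {exc}") from exc
    return fields


# Constructed samples; the element names are illustrative only.
GOOD = (b"<installerInformation><versionId>2000</versionId>"
        b"<version>20.0.0</version></installerInformation>")
NESTED_ENTITIES = (b'<?xml version="1.0"?><!DOCTYPE u [<!ENTITY a "x"><!ENTITY b "&a;&a;">]>'
                   b"<installerInformation><version>&b;</version></installerInformation>")

if __name__ == "__main__":
    print(parse_update_xml(GOOD))
```

Rejecting the declaration itself, rather than limiting expansion depth afterwards, means the parser never allocates memory for expanded entities, and the size cap bounds what is read from the update server.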


2019/10/03

Version 19.8.0 and 19.9.0 released

We recently released versions 19.8.0 and 19.9.0 of BitRock InstallBuilder. The new releases feature the following improvements:

Version 19.9.0
  • Fixed <runProgram> action failing on macOS 10.15 when running in the <postUninstallationActionList>
  • Fixed Asian languages not being properly displayed on macOS 10.15 when running in Qt mode
  • Preserve built-in registry keys wowMode when updating 32bit Windows installations with Windows 64bit
  • Support customizing built-in command-line flags descriptions
  • Fixed signing of big DMGs on Windows

Version 19.8.0

  • Improved <findFile> performance
  • Improved disabled controls look and feel on macOS
  • Improved widgets text wrapping on macOS
  • Added support for HTML licenses in xwindow mode
  • Fixed Gtk and Qt proxy pages duplicating its description text
  • Fixed <queryWMI> returning only a single result in windows-x64 installers
  • Fixed deletion of registry keys when not providing a specific <name> and setting <wowMode> to 32 in windows-x64 installers
  • Updated documentation

2019/08/12

Installer tampering while preserving authenticode signature 

Windows binaries generated with InstallBuilder versions earlier than 19.7.0 are vulnerable to tampering even if they contain a valid Authenticode signature. 

This issue was reported by Youfu Zhang of Chaitin Security Research Lab (@ChaitinTech). After verifying Mr. Zhang’s report, we released an updated version of InstallBuilder and notified our existing customers so they could re-build and re-release their installers. 

Background 

Authenticode is a Windows technology designed to ensure executable files cannot be tampered with. It allows for adding unauthenticated attributes post-signing without invalidating the signature, as described in the following article: https://blogs.msdn.microsoft.com/ieinternals/2014/09/04/caveats-for-authenticode-code-signing/

InstallBuilder installers created with versions earlier than 19.7.0 are vulnerable to tampering even if they contain a valid Authenticode signature. A specially crafted payload can be appended to an existing installer to trick the installer initialization code into executing code included in it, while the existing signature remains valid.

Remediation 

InstallBuilder customers should re-build and re-release their installers using version 19.7.0 or later. Because this issue can be exploited with existing binaries already released, they should also remind their users to only download installers from official sources. Additionally, providing a hash (such as SHA-256) for the binaries gives customers a secondary way of ensuring the integrity of the installers: while the Authenticode signature may still be valid, modified installers will have a different hash.

A ‘hard revocation’ of the customer Authenticode signing certificate is an optional, alternative step. Unfortunately it has many practical limitations. In addition to invalidating potentially modified installers, it will invalidate legitimate installers, including existing deployments of customer’s application binaries that may have been signed with the same certificate. Even with a revoked certificate, various versions of Windows will still allow binaries to be executed.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2019-5530 to this issue. Bitrock engineers have evaluated this issue to have a CVSSv3 score of 6.7.

Bitrock would like to thank Youfu Zhang for responsibly reporting this issue to us.

You can download the latest version of InstallBuilder from our download page. If you have any questions regarding this security issue, or if you need any help with upgrading your installer, please do not hesitate to contact BitRock Support through email at support@bitrock.com or through our Help Desk.

Conclusion 

Given the potential impact of this security issue, we urge our users to upgrade and re-build their installers as soon as possible. 

2019/07/04

Added notarization support

As you might know, for the upcoming macOS Catalina (10.15) Apple will require applications signed with a Developer ID to be submitted for notarization. An important requirement for notarization is that the application has a hardened runtime enabled. For that reason InstallBuilder now supports creating macOS signatures with the hardened runtime capability enabled, allowing the installers to be notarized by Apple. Here is an overview of the changes for InstallBuilder 19.6.0:

  • Support creating macOS signatures with hardened runtime enabled to allow notarization
  • POTENTIAL INCOMPATIBILITY: Changed <osxPlatforms> default value to osx-x86_64
  • New installer_http_proxy variable to programmatically access the provided proxy information
  • Updated documentation
  • Fixed some Windows configuration attributes not being properly applied to windows-x64 Java launchers
  • Fixed proxy page not honoring the provided configuration when running in text mode
  • Fixed Linux builder failing on some environments with misconfigured time zone
  • Fixed missing localized string

2019/05/16

Added support for Windows native 64-bit installer binaries

InstallBuilder 19.5.0 is now available and comes with an important update.

As you may know, InstallBuilder already comes with support for building native 64-bit installers for Linux and macOS. We are happy to announce that we've added support for building native 64bit installers for Windows as well.

This provides multiple benefits compared to the existing approach. While previously it was possible to make InstallBuilder installers behave like a 64-bit application, the binary runtime was actually a 32-bit binary and required 32-bit support in the operating system.

With the new approach, it is possible to use the installers inside Windows flavors that only allow running 64-bit binaries, such as Windows Nano Server. Creating 64-bit binaries also allows configuring larger block sizes for the installer, by setting larger values for the <lzmaUltraBlockSize> project property. This allows the creation of smaller installers. With the 32-bit binaries, however, raising the block size increases memory usage and memory fragmentation, which can lead to the installer failing. Larger block sizes are now possible and fully supported with 64-bit Windows binaries.

To build native 64-bit installers, all that is needed is to specify `windows-x64` as the build platform, for example by running the following on the command line:

    ./builder.exe build sample.xml windows-x64

Here is the complete list of changes for version 19.5.0:

  • Added new windows-x64 build platform
  • Added 64-bit version of osxsigner tool
  • Fixed malformed logic in <iniFileTest> rule
  • Fixed welcome page displaying truncated trailing letters on some macOS environments
  • Updated documentation


2019/05/13

InstallBuilder 19.4.0 and 19.4.1 released

We recently released version 19.4.0 and 19.4.1. Among other improvements and bug fixes, we have extended the <componentTest> rule which now allows you to check if a parent component is selected. You can do so by setting the new <checkParentComponents> property.  

    <componentTest>
      <logic>selected</logic>
      <name>childcomponent</name>
      <checkParentComponents>1</checkParentComponents>
    </componentTest>

Here is the full list of improvements for both releases. 



Version 19.4.1

  • Fixed incorrect final page layout on macOS when enabling the osx-x86_64 runtime
  • Improved <setInstallerVariableFromRegEx> error reporting

Version 19.4.0

  • Improved <getPermissions> error reporting when operating over non-existent files
  • Fixed Windows AutoUpdate generation failing because of malformed default icon
  • Allow <componentTest> rule to take into account parent components in its checks