2020/12/29

InstallBuilder 20.12.0 Released

InstallBuilder now supports MacOS ARM, making it possible to build and run installers on Macs that use the Apple M1 chip. Another improvement is the added initial support for Linux ARM. Here is the full list of changes for version 20.12.0:

  • Added macOS ARM support
  • Added initial support for Linux ARM
  • Improved Linux distribution detection
  • Improved buttons look and feel on macOS Catalina and newer
  • Improved dependencies loading on Windows 7
  • Fixed redraw glitch on Windows when using some complex parameter groups

2020/10/16

InstallBuilder 20.9 available for download now

InstallBuilder version 20.9.0 has been released. Our engineers have been working on the following improvements and bug fixes:

- Add support for properly detecting macOS Big Sur as running platform
- Improve <portTest> rule to never fail and log errors instead
- Added support for Zsh shell
- New <propertiesFileTest> rule
- Improved random number generator on Windows platforms
- Fixed macOS installers not properly detecting the proper runtime when running on Apple Silicon ARM Macs
- Fixed installer buttons look and feel on macOS Big Sur
- Fixed HTTPS connections not properly validating when using a proxy
- Prevent hidden parameters from invoking their rules 

2020/08/21

InstallBuilder 20.7.0 Released


InstallBuilder 20.7.0 has been released. In addition to minor fixes, it updates internal dependencies and how they are loaded on Windows systems. These improvements solve an internal security vulnerability (more details to follow) so updating to this version is encouraged for all users, especially Qt users.

Here is the complete changelog for the release:

  • Improved internal dependencies loading on Windows
  • Log uninstaller exit code
  • Updated internal dependencies on Windows x86
  • Fixed <userTest> account type checks not properly working on Windows x64
  • Fixed <runProgram> failing to run inside internationalised directory wen using <wrapInScript> on Windows
  • Fixed Qt installers looking for plugins by default at install time

UPDATE:

We have created a CVE entry (CVE-2020-3979) for the "Fixed Qt installers looking for plugins by default at install time"
issue fixed in InstallBuilder 20.7.0.

DLL planting vulnerability on InstallBuilder for Qt Windows installers

InstallBuilder for Qt Windows installers are vulnerable to dll planting attacks.


Background

InstallBuilder for Qt Windows installers look for plugins at a predictable location at initialization time, writable by non-admin users. While those plugins are not required, they are loaded if present, which could allow an attacker to plant a malicious library which could result in code execution with the security scope of the installer. The attack requires previous access to the machine to be able to plant the malicious library at some point before the vulnerable installer is executed.

Remediation

Affected InstallBuilder for Qt customers should update to InstallBuilder 20.7.0 or later and release new versions.


We would like to thank Hou JingYi (@hjy79425575) of Qihoo 360 CERT (https://houjingyi233.com/) for reporting the issue to us.

2020/07/02

VMware InstallBuilder 20.6.0 available now

We recently released version 20.6.0 of VMware InstallBuilder. The new release features the following improvements::

  • Fixed <xmlFileGet> and <xmlFileSet> failing on some environments
  • Fixed Windows x64 installers failing to display HTML licenses on win32 mode
  • Fixed failure to load some projects when overriding common attributes in custom actions
  • Fixed <iniFileTest> rule not properly serialized into project files
  • Prevent macOS Catalina from not allowing running overridden signed binaries because of signature caching 

2020/05/05

VMware InstallBuilder 20.4.0 released

For this release our engineers have focussed on adding the following improvements:


  • Fixed build failure when providing malformed booleans for the <enableDebugger> setting
  • Fixed high memory usage at build time when packing files by dereferencing links on Windows
  • Updated internal dependencies

 

2020/02/20

VMware InstallBuilder

As you might know in May 2019 BitRock was acquired by VMware Inc. Due to that, this week we have implemented a few changes you should know about. To start, you can now find the InstallBuilder website at https://installbuilder.com. Starting from version 20.2.2 InstallBuilder has been renamed to VMWare InstallBuilder. While the software can still be downloaded from the InstallBuilder website, from now on licenses need to be purchased trough the official VMWare store. The purchase section of our website will automatically redirect you to the right product in the VMware store: https://installbuilder.com/purchase.html. The types of licenses and the product's pricing have not changed and you can expect the same high level of quality of support and maintenance you are accustomed to.
Here is the complete list of changes for VMware InstallBuilder 20.2:


  • Rebranded to VMware InstallBuilder
  • Improved timestamping error detection when signing macOS installers on non-macOS platforms
  • Prevent uninstaller from crashing when failing to check for empty directories because of lack of permissions