InstallBuilder 20.7.0 has been released. In addition to minor fixes, it updates internal dependencies and how they are loaded on Windows systems. These improvements solve an internal security vulnerability (more details to follow) so updating to this version is encouraged for all users, especially Qt users.
Here is the complete changelog for the release:
- Improved internal dependencies loading on Windows
- Log uninstaller exit code
- Updated internal dependencies on Windows x86
- Fixed <userTest> account type checks not properly working on Windows x64
- Fixed <runProgram> failing to run inside internationalised directory wen using <wrapInScript> on Windows
- Fixed Qt installers looking for plugins by default at install time
We have created a CVE entry (CVE-2020-3979) for the "Fixed Qt installers looking for plugins by default at install time"
issue fixed in InstallBuilder 20.7.0.
DLL planting vulnerability on InstallBuilder for Qt Windows installers
InstallBuilder for Qt Windows installers are vulnerable to dll planting attacks.
InstallBuilder for Qt Windows installers look for plugins at a predictable location at initialization time, writable by non-admin users. While those plugins are not required, they are loaded if present, which could allow an attacker to plant a malicious library which could result in code execution with the security scope of the installer. The attack requires previous access to the machine to be able to plant the malicious library at some point before the vulnerable installer is executed.
Affected InstallBuilder for Qt customers should update to InstallBuilder 20.7.0 or later and release new versions.
We would like to thank Hou JingYi (@hjy79425575) of Qihoo 360 CERT (https://houjingyi233.com/) for reporting the issue to us.