InstallAware Vulnerability

Just got an email from Jason telling me about “a critical DLL preloading vulnerability affecting all versions of InstallAware”.

I’m using an ancient ‘Codegear Special Edition’ (v7 r2).

The link he included in his email invites me to fork out almost 6 grand, although I guess you could cut it down to 2 grand, by removing the gold plating.

Any way to ‘just’ replace the offending DLL that anyone knows of?

I haven’t looked at this specific issue, but my guess is that it’s not that there’s a vulnerable DLL, but that the EXE file can be tricked into loading a malicious DLL file.

Depending on your needs, it may not be a simple solution, but have you looked at a free, open source installer such as InnoSetup?

Time to switch installers perhaps. Looking at their pricing and what it includes (no support unless you fork out 33% extra!) I’d take the time hit on learning a different tool.

If you don’t absolutely need an MSI installer, InnoSetup is free and very good.