Microsoft Installer: Assassin or Assistant?

Greg Lambert
May 4, 2020
5 minutes

Many software products come packaged in MSI files. Microsoft Installer is a common tool for software developers to ship their products with because it allows them to perform a number of scripting tasks that will put files where they need to be and make sure that the user environment is ready to run the software without throwing any errors to the end-user. As large software products can be complex, with complicated manual installations, this is a huge benefit to everyone involved. 

Except when it isn’t. There are some issues with Microsoft Installer that can cause some real headaches for IT departments, sending labour costs through the roof and tanking productivity as teams scramble to get computers operational again.

In this post, we’ll talk about of the many ways that installations with Microsoft Installer can go wrong, why that is important and what Microsoft is doing about it, as well as present a solution for your already stressed IT department to work around these issues rather than having to avoid MSI packaged software entirely.

The current state of MS Installer

The recent number of updates to Microsoft Installer, some of which are detailed below, provide strong evidence that the software is open to vulnerabilities. This, of course, comes as no surprise to any IT manager who has already been hit by one of these problems. Package certificates have been stolen or hijacked, which allow the entire installation process of an MSI file to fall vulnerable and allow bad actors to hide malware inside the installer files. Once the installation process is hijacked, those bad actors can use the trusted nature of the software to install programs that you never realized you were authorizing. The backdoor applications can then get to work taking advantage of your systems.

To make matters worse, vendors often use outdated dependencies and security protocols. This is especially true for software that has not been updated by the developers recently. In those cases, your IT department not only has to worry whether or not the software will work with the latest updates to Windows, but whether it is hiding security vulnerabilities that could put your systems at risk.

Why is this important?

Without knowing it, companies all over the world are installing software that contains malicious intent. This could mean keyloggers, malware, embedded viruses, or out-dated certificates, all of which are threats to your digital security. In the intro, we mentioned the labour costs involved in resolving these issues, but costs can be the least of your concerns if one of your computers is infected with malicious code.

Keyloggers, for example, will know everything your employees are typing. The attacker will have proprietary information, passwords, and any other detail of your business that is entered into a keyboard by an employee. Malware and viruses could shut your computer systems down, ending productivity until the issue can be resolved and possible cost you valuable time and put you behind schedule. If your teams are already on a tight schedule this could be costly. It will be even more costly if it causes delays in customers receiving the products or services that they expect from you. Infected computers could end up spreading damage throughout the entire network, putting your company’s entire operation in danger.

While people are aware of the problem and want to address it, doing so isn’t quite so simple. The focus of developers is on the endpoints. The reception of the data and the installation of the file are often not the problems. The grey area before, after, or during, the installation is when these vulnerabilities are exploited.

Shoot the messenger

Microsoft Installer is one of the most trusted parts of the operating system. As the official means of installing software, users incorrectly assume that the tool is safe to use. Of course, this trust only creates a larger target on the software for malicious coders and increases its vulnerability to exploits. Microsoft recognizes the problem and is working to address it, but new exploits continue to crop up. Here are just a few of the recent fixes that the software giant has made to Installer:

  • CVE-2020-7260: DLL Side Loading vulnerability in the installer for McAfee Application and Change Control (MACC) prior to 8.3 allows local users to execute arbitrary code via execution from a compromised folder.
  • CVE-2019-5922: Untrusted search path vulnerability in The installer of Microsoft Teams allows an attacker to gain privileges via a Trojan horse DLL in an unspecified directory.
  • CVE-2019-1382: An elevation of privilege vulnerability exists when ActiveX Installer service may allow access to files without proper authentication, aka ‘Microsoft ActiveX Installer Service Elevation of Privilege Vulnerability’.
  • CVE-2019-1270: An elevation of privilege vulnerability exists in Windows store installer where WindowsApps directory is vulnerable to symbolic link attack, aka ‘Microsoft Windows Store Installer Elevation of Privilege Vulnerability’.
  • CVE-2020-0779:  An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or remove files.

Readiness can help.

Readiness allows you to check your installations before you deploy them. When they are deployed, as with all virtualization technology, they are deployed in a way that separates them from the machine they run on. This alone will not solve all of the problems, but it will help prevent any malware from infecting other areas of the machine.

But Readiness does more than simply check installations and install software via virtualization. For example:

  • CVE Vulnerability Scan (match patch to package file/dependency)
  • Scan the package for viruses and malware
  • Validate all internal scripts, custom actions and code
  • Scan all embedded images, content and binaries
  • Scan for key logger code or scripts
  • Known vulnerability scan

Readiness will not only search the content of installer packages but analyse their intent as well. If they are going to do something suspicious, you’ll know before they have a chance to do it. After installation, Readiness maintains a continuous monitoring strategy for viruses, malware, and broken certificates.

One of the ways that an attack can be made on MS Installer is through dependencies that have security vulnerabilities. Readiness manages those dependencies to ensure that they have been updated to include the latest security patches.

When you combine these problems across the hundreds of applications that you install and maintain, the trouble compounds greatly. 

To learn more about how Readiness can take the pain away from managing large software installations, contact us today!

Greg Lambert

CEO, Product Evangelist
Greg Lambert is the CEO and product evangelist for Application Readiness Inc. Greg is a co-founder of ChangeBASE and has considerable experience with application packaging technology and its deployment.

Planning business modernization projects?

  • Windows 10/11 migration
  • MS server 2022
  • Migration to Azure

Is your application estate ready?

Assurance.

Unbounded.

3 months of patch protection, assessments and dependency reports for your entire portfolio.

  • No cost
  • No limit of applications
  • No software needed
  • No infrastructure required
  • No obligation
Contact us to get started