
Me, myself & IT

Executable installers considered harmful

Problems and Deficiencies
Mitigations for (end) users and (their) administrators
Mitigations for developers
Detect unsafe use of Temp directories
Detect vulnerable executables
Advantages of native installation packages


Executable installers as well as self-extracting executable archives (SFXs, typically seen on Microsoft® Windows® only) are insanely stupid in concept and dangerous in practice!
They should be considered harmful and treated as malware!

Problems and Deficiencies

Executable installers exhibit the following problems and deficiencies which result in trivial to exploit weaknesses and vulnerabilities. Note: see the security advisories JVNTA#91240916 and JVN#91151862, published by JPCERT/CC, for (recent) examples, and the security alert published by IPA, for a second opinion.


Mitigations for (end) users and (their) administrators

Mitigations for developers

Detect unsafe use of Temp directories

Perform the following 4 steps to detect installers vulnerable to tampering in the Temp directories.
  1. Logon with the user account created during Windows Setup.

  2. Add the NTFS ACL entry (D;OIIO;WP;;;WD) meaning deny execution of files in this directory for everyone, inheritable to all files in all subdirectories to the Temp directory %TMP%\ of your user account and to the system’s Temp directory %SystemRoot%\Temp\.

  3. Execute any installer to test; it is vulnerable, at least to denial of service, if it fails with Win32 error 5 alias ERROR_ACCESS_DENIED for a file from one of the Temp directories: the file inherited the NTFS ACL from the parent Temp directory which allows full access for the file’s owner.
    In standard installations of Windows the unprivileged user can tamper with those files; if an installer runs elevated, this vulnerability typically results in privilege escalation.

    Note: according to numbers published by Microsoft in their Security Intelligence Reports, about ½ to ¾ of all (some 600 million) Windows NT installations engaged in their malware telemetry reported only a single active user account.

  4. Fix the vulnerable installers and retest them!
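The ACL change of step 2, applied with PowerShell instead of an ACL editor, as an added example that is not part of the original page: the function below adds (or, with -Remove, removes again) the deny-execute ACE (D;OIIO;WP;;;WD) on the user’s %TMP% and on %SystemRoot%\Temp and prints each directory’s resulting SDDL so the entry can be verified. Function and parameter names are this example’s own; it has to run elevated to change %SystemRoot%\Temp.

```powershell
# Added example (not from the original page): deny FILE_EXECUTE for Everyone
# on all files in and below the Temp directories, leaving the directories
# themselves untouched.
function Set-TempDenyExecute {
    param(
        [switch]$Remove,
        [string[]]$Directories = @($env:TMP, (Join-Path $env:SystemRoot 'Temp'))
    )
    # WP (0x20) in file SDDL is FILE_EXECUTE, i.e. FileSystemRights.ExecuteFile.
    # OI + IO: the ACE applies to files, not to the directory itself, and is
    # propagated (inherit-only) through subdirectories to the files below them.
    # WD is the well-known "Everyone" SID S-1-1-0.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $everyone,
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
        [System.Security.AccessControl.InheritanceFlags]::ObjectInherit,
        [System.Security.AccessControl.PropagationFlags]::InheritOnly,
        [System.Security.AccessControl.AccessControlType]::Deny
    )
    foreach ($dir in ($Directories | Select-Object -Unique)) {
        $acl = Get-Acl -LiteralPath $dir
        if ($Remove) {
            $null = $acl.RemoveAccessRule($ace)
        } else {
            $acl.AddAccessRule($ace)
        }
        # Only the DACL was modified, so only the DACL is written back.
        Set-Acl -LiteralPath $dir -AclObject $acl
        # After applying, the SDDL must contain the entry (D;OIIO;WP;;;WD).
        '{0}: {1}' -f $dir, (Get-Acl -LiteralPath $dir).Sddl
    }
}

# Apply the deny ACE, then run the installer under test (step 3).
Set-TempDenyExecute
```

Run Set-TempDenyExecute -Remove after the test to restore the previous behaviour.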

Detect vulnerable executables

Perform the following 9 steps to detect executables vulnerable to DLL hijacking, using only tools available in every installation of Windows Vista and newer versions of Windows NT.
  1. Create a UAC-enabled protected administrator test account (or use the user account created during Windows Setup).

  2. Create an empty file %SystemRoot%\Debug\SAFER.log, grant your test account at least append data permission to it, then remove the permissions for all other accounts.

  3. Create the following Registry entries (import them as a .REG file) to enable Software Restriction Policies, without restrictions, with advanced logging, for all users, for all executable files and DLLs:

    Windows Registry Editor Version 5.00

    ; Copyright © 2005-2020, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
    "DefaultLevel"=dword:00040000                 ; 'Unrestricted'
    "Levels"=dword:00071000                       ; Enable all security levels
    "PolicyScope"=dword:00000000                  ; Apply to 'Users' and 'Administrators'
    "TransparentEnabled"=dword:00000002           ; Apply to executable files and DLLs
    "LogFileName"="C:\\Windows\\Debug\\SAFER.log" ; Advanced logging into the file created in step 2 (adjust if %SystemRoot% is not C:\Windows)

    Note: Win32 applications and DLLs are subject to Software Restriction Policies independent of their file extension!
  4. Logoff, then logon with your test account.

  5. Create an empty directory (or use the existing directory %USERPROFILE%\Downloads\).

  6. Start the Command Processor in the chosen (empty) directory and run the following command line to create hardlinks in it to all system DLLs found in the search path:

    For %! In ("%PATH:;=" "%") Do For %? In ("%~!\*.ACM"
                                             "%~!\*.TSP") Do If Not Exist "%~nx?" MkLink /H "%~nx?" "%?"

    Note: the Command Processor and its builtin MkLink command have to be run under the NT AUTHORITY\SYSTEM alias LocalSystem account!
  7. Copy your executables into this directory and execute them by double-clicking them.

  8. Determine the DLLs your executables loaded from their application directory by running the following command line in the still open command prompt:

    "%SystemRoot%\System32\Find.exe" /I "%CD%\" "%SystemRoot%\Debug\SAFER.log"

  9. Fix the vulnerable executables and retest them!


Download the executable installers 7z1602.exe and 7z1602-x64.exe, save them in the prepared directory %USERPROFILE%\Downloads\ and execute them just until they display their first dialog box, which prompts for the target directory.
Note: on all supported versions of Windows NT, UXTheme.dll is loaded from the program’s application directory %USERPROFILE%\Downloads\ instead of Windows’ system directory %SystemRoot%\System32\ alias %SystemRoot%\SysWoW64\ respectively, resulting in an LCE vulnerability.
Note: on Windows Vista and newer versions of Windows NT, 7z1602.exe and 7z1602-x64.exe request administrative privileges via their embedded application manifest, resulting in an additional EoP vulnerability!
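Step 8’s Find.exe command lists the raw log lines; the PowerShell function below, an added example that is not part of the original page, condenses them into a per-file report of what was loaded from the application directory and flags files that also exist in %SystemRoot%\System32\ or %SystemRoot%\SysWOW64\, i.e. system DLLs resolved from the application directory first (UXTheme.dll in the 7-Zip case above). Function and parameter names are this example’s own; log lines are matched by path prefix only, so no particular wording of SAFER.log entries is assumed.

```powershell
# Added example (not from the original page): summarise the SRP advanced log
# (step 2) for paths below the application directory prepared in steps 5 and 6.
function Get-AppDirLoads {
    param(
        [string]$AppDir  = (Get-Location).Path,
        [string]$LogFile = (Join-Path $env:SystemRoot 'Debug\SAFER.log')
    )
    $dir = $AppDir.TrimEnd('\') + '\'
    # A path starting with the application directory; the file name ends at an
    # extension followed by whitespace or end of line, so names may contain
    # spaces, while files in subdirectories (not in the DLL search path) are skipped.
    $pattern = '(?i)' + [regex]::Escape($dir) + '[^\\"]+?\.\w+(?=\s|$)'
    $systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

    $names = Select-String -LiteralPath $LogFile -Pattern $pattern -AllMatches |
        ForEach-Object { $_.Matches.Value } |
        ForEach-Object { Split-Path -Leaf $_ }

    foreach ($group in ($names | Group-Object | Sort-Object Count -Descending)) {
        $name = $group.Name
        # $true when a file of the same name exists in a system directory:
        # the executable resolved a system DLL from its own directory first.
        $shadows = @($systemDirs | Where-Object {
            Test-Path -LiteralPath (Join-Path $_ $name) -PathType Leaf }).Count -gt 0
        [pscustomobject]@{
            File              = $name
            Loads             = $group.Count
            ShadowsSystemFile = $shadows
        }
    }
}

# Run in the prepared directory after step 7, in the still open (SYSTEM) prompt
# or any session that may read %SystemRoot%\Debug\SAFER.log.
Get-AppDirLoads | Format-Table -AutoSize
```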

Advantages of native installation packages

In contrast to executable installers, native installation packages for the operating system’s package manager exhibit the following advantages. The point is: well-known package formats allow you to inspect things, binary executables generally don’t.
In more detail:
  1. It’s not a vulnerability, but a weakness and (design) bug in the first place: there is no need to execute (potentially malicious) programs from (potentially) untrusted sources or with questionable (unknown or even malicious) contents to install software.
    This weakness turns into a vulnerability, if

  2. Binary executables are generally opaque: you can’t tell what they actually do unless you have their source (and built them yourself in a trusted environment), or until you reverse engineer them completely.
    In case of installers, you need the sources of the installer (plus its unpacker), the sources of the creator and the sources of the script used to build the final binary executable.

  3. The format of these packages is well-known and documented; they can be unpacked, and their contents as well as their instructions/scripts read and inspected.
    The tools to create/build, edit/modify, unpack and even rebuild them are typically part of the OS’s package manager or provided as part of the OS’s SDK.

Always use the target platform’s native package or archive formats to distribute your software or files!
The problem is the morons who build binary executables to install software (or just unpack some files) and hand these binary executables to unsuspecting and unskilled users, expecting them to actually execute them.
This really nasty behaviour of almost all developers/companies out there has trained users to execute almost anything they get their hands on.
The solution for this is simple:


If you miss anything here, have additions, comments, corrections, criticism or questions, want to give feedback, hints or tips, report broken links, bugs, deficiencies, errors, inaccuracies, misrepresentations, omissions, shortcomings, vulnerabilities or weaknesses, …: don’t hesitate to contact me and feel free to ask, comment, criticise, flame, notify or report!

Use the X.509 certificate to send S/MIME encrypted mail.

Note: email in weird format and without a proper sender name is likely to be discarded!

I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text.
I also expect to see your full (real) name as sender, not your nickname.
I abhor top posts and expect inline quotes in replies.

Terms and Conditions

By using this site, you signify your agreement to these terms and conditions. If you do not agree to these terms and conditions, do not use this site!

Data Protection Declaration

This web page records no (personal) data and stores no cookies in the web browser.

The web service is operated and provided by

Telekom Deutschland GmbH
Business Center
D-64306 Darmstadt
+49 800 5252033

The web service provider stores a session cookie in the web browser and records every visit of this web site with the following data in an access log on their server(s):

Copyright © 1995–2020 • Stefan Kanthak • <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>