InstallShield Privilege Escalation Vulnerability in Standalone MSI Packages

A privilege escalation vulnerability has been identified in InstallShield versions 2023 R2, 2022 R2, and 2021 R2. The issue arises in standalone MSI setups that include multiple InstallScript custom actions. During the execution of these custom actions, a temporary directory is created to handle 64-bit redirections. However, due to an incorrect DLL search order, the process can reference already deleted temporary directories. This flaw allows a non-administrative user to recreate the directory, place a malicious DLL, and escalate privileges by having the InstallShield process load the tampered DLL.

Impact

Exploitation of this vulnerability could lead to unauthorized privilege escalation, allowing a user to gain elevated rights on the system.

Remediation

Users can upgrade to InstallShield 2024 R1, available for download in the Product and License Center, to address this vulnerability. This version enables a safe DLL search mode in EXE files, where applicable.