Me, myself & IT

Executable Installers Considered Harmful

Motivation
Problems and Deficiencies
Mitigations: Mitigations for (end) users and (their) administrators; Mitigations for developers
Detect unsafe use of Temp directories: Example
Detect vulnerable executables: Example 1 (continued); Example 2; Example 3
Advantages of native installation packages

Motivation

Executable installers as well as self-extracting executable archives (SFXs, typically seen on Microsoft^® Windows^™ only) are ~~braindead~~ insanely stupid in concept and dangerous in practise!
They should be considered harmful and treated as ~~unwanted programs~~ malware!

Problems and Deficiencies

Executable installers exhibit the following problems and deficiencies which result in trivial to exploit weaknesses and vulnerabilities.

Giving executables to ~~normal~~ unsuspecting and untrained users to install software or to unpack archives, and expecting or urging them to run executables trains them to execute almost anything they get their hands on.
Users
- who are used or trained to download and run executables from trustable sources will probably also (download and) run executables from (potentially) untrustable, untrusted or even malicious sources (like attachments from malspam or phishing emails) too!
- tend to or are even instructed to run executables in unsafe environments like their Downloads or Desktop directory.
In the long run this practise will most likely let those users fall prey to malware embedded or hidden in one of these executables, or lurking in their Desktop, Downloads or Temp directory, …!
Executables run from the Downloads or Desktop directory as well as (unsafe) Temp directories may load and execute bogus or rogue DLLs and programs found there by accident or placed there deliberately by an attacker, resulting in arbitrary code execution and even escalation of privilege:
Windows executables are ~~typically~~ almost always built using simple filenames in references to their load-time dependencies, and runtime dependencies seldom use absolute (fully qualified) pathnames, despite the instructions given in the MSDN articles Dynamic-Link Library Security and Dynamic-Link Library Search Order, the Security Advisory 2269637, plus the MSKB articles 2389418 and 2533623.
The resulting well-known and well-documented weaknesses are listed as CWE-426: Untrusted Search Path and CWE-427: Uncontrolled Search Path Element in the CWE^™.
The well-known and well-documented attacks on these weaknesses are known as carpet bombing, directory poisoning and binary planting, typically conducted per drive-by download.
They are listed as CAPEC-471: Search Order Hijacking in the CAPEC^™.
Executable installers typically unpack files into unprotected and unsafe Temp directories and process or run them from there, allowing (unprivileged) users to tamper with these files.
The resulting well-known and well-documented weaknesses are listed as CWE-73: External Control of File Name or Path, CWE-377: Insecure Temporary File, CWE-378: Creation of Temporary File With Insecure Permissions and CWE-379: Creation of Temporary File in Directory with Incorrect Permissions in the CWE^™.
Typical attacks are listed as CAPEC-13: Subverting Environment Variable Values, CAPEC-27: Leveraging Race Conditions via Symbolic Links and CAPEC-29: Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions in the CAPEC^™.
Executable installers are typically run with administrative privileges and access rights:
due to an Application Manifest embedded in the executable or its installer detection Windows’ UAC requests privilege elevation, protected administrators are prompted for consent and standard users for the password of an administrator account!
One of the common misconceptions about UAC and about Same-desktop Elevation in particular is that it prevents malware from being installed or from gaining administrative rights. First, malware can be written not to require administrative rights, and malware can be written to write just to areas in the user’s profile. More important, Same-desktop Elevation in UAC is not a security boundary and can be hijacked by unprivileged software that runs on the same desktop. Same-desktop Elevation should be considered a convenience feature, and from a security perspective, "Protected Administrator" should be considered the equivalent of "Administrator." By contrast, using Fast User Switching to log on to a different session by using an administrator account involves a security boundary between the administrator account and the standard user session.
There is generally no need to build, distribute, deploy or use executables to install software or unpack archives:
all current operating systems come with their own package installer or package manager and their own (un)archiver or (un)packer.
Vendors and developers
- who build software or distribute files for a specific operating system should know their target platform well enough to use its native installation package or archive format(s);
- must not expect or request that users or their administrators install 3rd party tools (as precondition or prerequisite) to install their software or unpack their archives;
- should work for the respective target platform and their customers, not against both of them, and should always use the native format(s) of the target platform.
There is especially no need to wrap an installation package or an archive into an executable:
all operating systems, their user interfaces or shells respectively handle their native installation package and archive format(s) directly.
There are no unpackers for most of the executable installers:
it’s almost always impossible to determine or extract the contents or payload of an executable installer, and thus not possible to inspect the contents or payload itself.
Some executable installers allow to extract their payload, but they have to be executed for this purpose too, so this option gains nothing. In many cases the executable is just an unpacker which extracts its payload, another (the real) installer … back to start again.
There are no disassemblers or decompilers for most of the executable installers and their embedded installation scripts:
it’s almost always impossible to determine (exactly) what an (unknown) executable does, and it’s generally impossible to determine whether it’s benign or malicious.
…:
some self-extracting executable archives allow to list the instructions they execute after extraction of their payload, but they have to be executed for this purpose too, so this option gains nothing.
…:
almost all executable installers provide no means to list the instructions or actions they perform during installation or their embedded installation scripts beforehand.
Executable installers and self-extracting executable archives are not usable in locked-down environments where users don’t have the permissions or rights to execute arbitrary files and programs, but may run only white-listed applications and programs:
some users will waste their time to get access to the contents of such executables and might even try to circumvent the policies or restrictions which prevent them from running arbitrary executables.

Note: see the security advisories JVNTA#91240916 and JVN#91151862, published by JPCERT/CC, for (recent) examples, and the security alert published by IPA, for a second opinion.

Mitigations

Mitigations for (end) users and (their) administrators

Don’t use executable installers and self-extractors!
Never run executables from untrusted directories!
Don’t run executables from Downloads and Temp directories!
Deny execution in all Downloads and all Temp directories via
- NTFS ACL entry (D;OIIO;WP;;;WD) meaning deny execution of files in this directory for everyone, inheritable to all files in all subdirectories �
- SAFER alias Software Restriction Policies �
- AppLocker �
- Device Guard �
- Windows Defender Application Guard �
Note: these mitigations implement the equivalent of DEP or W^X respectively in the file system.

Disable privilege elevation for standard users and installer detection for all users, as documented in the TechNet article UAC Group Policy Settings and Registry Key Settings:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorUser"=dword:00000000 ; Automatically deny elevation requests
"EnableInstallerDetection"=dword:00000000

Remove the user accounts created during Windows NT setup from the BUILTIN\Administrators group and place them in the BUILTIN\Users group, i.e. demote these user accounts from Administrator to Standard User.
Note: run one of the equivalent command lines
```
"%SystemRoot%\System32\Control.exe" UserPasswords2
"%SystemRoot%\System32\NetPlWiz.exe"
"%SystemRoot%\System32\RunDLL32.exe" "%SystemRoot%\System32\NetPlWiz.dll",UsersRunDll
```
with administrative privileges to perform this operation via GUI, or run the two command lines
```
"%SystemRoot%\System32\Net.exe" LOCALGROUP Administrators "‹account name›" /Delete
"%SystemRoot%\System32\Net.exe" LOCALGROUP Users "‹account name›" /Add
```
with administrative privileges to perform this operation via CLI.
Caveat: don’t forget to enable the builtin Administrator account!
Run the command line
```
"%SystemRoot%\System32\Net.exe" USER Administrator /Active:Yes /PasswordReq:Yes
```
with administrative privileges to enable it.
Caveat: don’t forget to set a (strong) password for the builtin Administrator account!
~~Ask~~ Urge the developer(s) and vendor(s) of your software to call the Win32 function SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32) in their executable installer(s) (and all other programs which are typically run in unsafe environments like a user’s Downloads directory) to remove the application directory as well as the CWD alias . from the DLL search path.
Caveat: on Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2, you have to install the ~~optional update 2533623 (available per Windows Update)~~ security update MS12-081 alias 2758857 (or any newer update that supersedes it) to make this backported Win32 function available!
Caveat: this mitigation fixes the beginner’s error only for runtime dependencies, but not for load-time dependencies!
~~Ask~~ Urge the developer(s) and vendor(s) of your software to call the Win32 function SetDllDirectory("") in their executable installer(s) (and all other programs which are typically run in unsafe environments like a user’s Downloads directory) to remove the CWD alias . from the DLL search path.
Install the ~~optional update 2264107 (available per Windows Update)~~ security updates MS11-011 alias 2393802 and MS15-008 alias 3019215 (or any newer updates that supersede them) and create the Registry entry
```
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"CWDIllegalInDLLSearch"=dword:ffffffff
```
to remove the CWD alias . from the DLL search path.
Verify that an external application manifest doesn’t override an embedded application manifest via the Registry entry
```
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide]
"PreferExternalManifest"=dword:00000000
```
Note: in Windows XP and Windows Server 2003 this Registry entry defaulted to 1; as documented in the MSKB article 912949 the default was changed with Windows Server 2003 SP1.
In Windows Server 2003 R2 and newer versions of Windows NT it defaults to 0.

Mitigations for developers

Don’t build executable installers and self-extractors!
Create (temporary) files and directories with proper protection: provide a Security Descriptor which prevents tampering in all calls of the Win32 functions CreateFile(), CreateFileTransacted(), CreateDirectory(), CreateDirectoryEx() and CreateDirectoryTransacted() if necessary.
Follow the instructions given in the MSDN articles Dynamic-Link Library Security and Dynamic-Link Library Search Order, the Security Advisory 2269637, plus the MSKB articles 2389418 and 2533623:
always use absolute (fully qualified) pathnames in all calls of the Win32 functions LoadLibrary(), LoadLibraryEx() and LoadPackagedLibrary(), CreateProcess(), CreateProcessAsUser(), CreateProcessWithLogonW() and CreateProcessWithTokenW(), ShellExecute() and ShellExecuteEx(), as well as LoadModule() and WinExec()!
Use lpApplicationName in all calls of the Win32 functions CreateProcess(), CreateProcessAsUser(), CreateProcessWithLogonW() and CreateProcessWithTokenW().
Replace all calls of the Win32 function LoadLibrary() which use an absolute (fully qualified) pathname with calls of the Win32 function LoadLibraryEx() and specify the flag LOAD_WITH_ALTERED_SEARCH_PATH:
this replaces the application directory with the directory of the just loading executable module in the search order during these calls.
Caveat: this fails with some (indirect) load-time dependencies!
Replace all calls of the Win32 function LoadLibrary() which load DLLs from Windows’ system directory %SystemRoot%\System32\ with calls of the Win32 function LoadLibraryEx() and specify the flag LOAD_LIBRARY_SEARCH_SYSTEM32.
Caveat: this fails with some (indirect) load-time dependencies!
Caveat: on Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2, your customers have to install the ~~optional update 2533623 (available per Windows Update)~~ security update MS12-081 alias 2758857 (or any newer update that supersedes it) to make the backported flag LOAD_LIBRARY_SEARCH_SYSTEM32 available!
Use the flag LOAD_LIBRARY_SEARCH_SYSTEM32 in all calls of the Win32 function LoadLibraryEx() when loading DLLs from Windows’ system directory or when loading DLLs which are linked to DLLs from Windows’ system directory only.
Caveat: this fails with some (indirect) load-time dependencies!
Caveat: on Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2, your customers have to install the ~~optional update 2533623 (available per Windows Update)~~ security update MS12-081 alias 2758857 (or any newer update that supersedes it) to make the backported flag LOAD_LIBRARY_SEARCH_SYSTEM32 available!
Use the /DEPENDENTLOADFLAG:‹…› option of LINK.EXE and specify only the absolutely necessary combination of flags LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR, LOAD_LIBRARY_SEARCH_APPLICATION_DIR, LOAD_LIBRARY_SEARCH_USER_DIRS, LOAD_LIBRARY_SEARCH_SYSTEM32 and LOAD_LIBRARY_SEARCH_SAFE_CURRENT_DIRS to restrict the search order for dependent DLLs as much as possible.
Caveat: this setting is supported on Windows 10 1607 alias Anniversary Update (codenamed Redstone 1) and newer versions of Windows NT, and applies only to ~~runtime dependencies and calls of the Win32 function LoadLibrary()~~ load-time dependencies!
Note: the MSKB article 3126593 provides details for the Safe Load List used with the LOAD_LIBRARY_SEARCH_SAFE_CURRENT_DIRS flag.

Create a load-time dependency to the Win32 function SetDefaultDllDirectories() in all your executable( installer)s and call it with the argument LOAD_LIBRARY_SEARCH_SYSTEM32 to remove the application directory and the CWD alias . from the DLL search path.

Caveat: this fixes the beginner’s error only for runtime dependencies, but not for load-time dependencies!
Caveat: on Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2, your customers have to install the ~~optional update 2533623 (available per Windows Update)~~ security update MS12-081 alias 2758857 (or any newer update that supersedes it) to make this backported Win32 function available!

Note: the load-time dependency to the Win32 function SetDefaultDllDirectories() is safe, it is imported from Kernel32.dll, which is one of the known DLLs.
Note: if the Windows SDK you use has no support for this Win32 function, create the missing header file and the missing import library from scratch!

Create the text file _2533623.C with the following content:

// Copyleft © 2011-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

__declspec(dllexport)
void *	AddDllDirectory(void *_1)
{ return 0; }

__declspec(dllexport)
int	RemoveDllDirectory(void *_1)
{ return 0; }

__declspec(dllexport)
int	SetDefaultDllDirectories(long _1)
{ return 0; }

Run the following three command lines to build the import library _2533623.LIB from the file _2533623.C created in step 1. and cleanup afterwards:

CL.EXE /c /Gz /Tc_2533623.C /wd4100 /Zl
LINK.EXE /LIB /DEF /EXPORT:AddDllDirectory /EXPORT:RemoveDllDirectory /EXPORT:SetDefaultDllDirectories /NAME:KERNEL32 /NODEFAULTLIB _2533623.OBJ
ERASE _2533623.C _2533623.EXP _2533623.OBJ

For details and reference see the MSDN articles Compiler Options and Linker Options.

Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.

Note: the command lines can be copied and pasted as block into a Command Processor window.

Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.

_2533623.C

Microsoft (R) Library Manager Version 10.00.40219.386
Copyright (C) Microsoft Corporation.  All rights reserved.

   Creating library _2533623.lib and object _2533623.exp

Create the text file _2533623.H with the following content:

// Copyleft © 2011-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

#pragma once
#pragma comment(linker, "/DEFAULTLIB:_2533623.LIB")

// see <https://msdn.microsoft.com/en-us/library/ms684179.aspx>
// and <https://msdn.microsoft.com/en-us/library/hh310515.aspx>

#define LOAD_LIBRARY_SEARCH_DLL_LOAD_DIR	0x00000100UL
#define LOAD_LIBRARY_SEARCH_APPLICATION_DIR	0x00000200UL
#define LOAD_LIBRARY_SEARCH_USER_DIRS		0x00000400UL
#define LOAD_LIBRARY_SEARCH_SYSTEM32		0x00000800UL
#define LOAD_LIBRARY_SEARCH_DEFAULT_DIRS	0x00001000UL

typedef	LPVOID	DLL_DIRECTORY_COOKIE;

// see <https://msdn.microsoft.com/en-us/library/hh310513.aspx>

__declspec(dllimport)
DLL_DIRECTORY_COOKIE	WINAPI	AddDllDirectory(LPCWSTR NewDirectory);

// see <https://msdn.microsoft.com/en-us/library/hh310514.aspx>

__declspec(dllimport)
BOOL	WINAPI	RemoveDllDirectory(DLL_DIRECTORY_COOKIE Cookie);

// see <https://msdn.microsoft.com/en-us/library/hh310515.aspx>

__declspec(dllimport)
BOOL	WINAPI	SetDefaultDllDirectories(DWORD DirectoryFlags);

Add the following lines where necessary to your source files and rebuild your projects:
```
#include "_2533623.H"
…
if (!SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32))
	…
```

Create a load-time dependency to the Win32 function SetDllDirectory() in all your executable( installer)s and call it with an empty string to remove the CWD alias . from the DLL search path.
Note: the load-time dependency to the Win32 function SetDllDirectory() is safe, it is imported from Kernel32.dll, which is one of the known DLLs.
If you can’t remove the CWD alias . from the DLL search path using one of the functions named above, create a load-time dependency to the Win32 function SetSearchPathMode() in all your executable( installer)s and call it with the argument BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE | BASE_SEARCH_PATH_PERMANENT to enforce the safe search path mode.
Note: on Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008, this function was added with the security update MS09-015 alias 959426.
Note: the load-time dependency to the Win32 function SetSearchPathMode() is safe, it is imported from Kernel32.dll, which is one of the known DLLs.
Note: if the Windows SDK you use has no support for this Win32 function, create the missing header file and the missing import library from scratch!
1. Create the text file _959426.C with the following content:
```
// Copyleft © 2009-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

__declspec(dllexport)
int	SetSearchPathMode(long _1)
{ return 0; }
```
2. Run the following three command lines to build the import library _959426.LIB from the file _959426.C created in step 1. and cleanup afterwards:
```
CL.EXE /c /Gz /Tc_959426.C /wd4100 /Zl
LINK.EXE /LIB /DEF /EXPORT:SetSearchPathMode /NAME:KERNEL32 /NODEFAULTLIB _959426.OBJ
ERASE _959426.C _959426.EXP _959426.OBJ
```
  For details and reference see the MSDN articles Compiler Options and Linker Options.
  Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.
  Note: the command lines can be copied and pasted as block into a Command Processor window.
```
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.

_959426.C

Microsoft (R) Library Manager Version 10.00.40219.386
Copyright (C) Microsoft Corporation.  All rights reserved.

   Creating library _959426.lib and object _959426.exp
```
3. Create the text file _959426.H with the following content:
```
// Copyleft © 2009-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

#pragma once
#pragma comment(linker, "/DEFAULTLIB:_959426.LIB")

// see <https://msdn.microsoft.com/en-us/library/dd266735.aspx>

#define BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE		0x00000001UL
#define BASE_SEARCH_PATH_DISABLE_SAFE_SEARCHMODE	0x00010000UL
#define BASE_SEARCH_PATH_PERMANENT			0x00008000UL

__declspec(dllimport)
BOOL	WINAPI	SetSearchPathMode(DWORD Flags);
```
4. Add the following lines where necessary to your source files and rebuild your projects:
```
#include "_959426.H"
…
if (!SetSearchPathMode(BASE_SEARCH_PATH_ENABLE_SAFE_SEARCHMODE | BASE_SEARCH_PATH_PERMANENT))
	…
```
Embed an application manifest in all your executable( installer)s to disable DLL redirection via
- an external application manifest ‹filename›.‹extension›.Manifest,
- a file ‹filename›.‹extension›.Local,
- a subdirectory ‹filename›.‹extension›.Local\,
- a junction ‹filename›.‹extension›.Local,
- a symbolic link ‹filename›.‹extension›.Local.

Specify all dependents with their absolute (fully qualified) pathname in the embedded application manifest of all your executable( installer)s and DLLs:

<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1"
          manifestVersion="1.0">
    …
    <file name="‹filename›.‹extension›"
          loadFrom="%SystemRoot%\System32\‹filename›.‹extension›" />
    …
</assembly>

Caveat: the loadFrom attribute of the file element is not documented by Microsoft!

Detect unsafe use of Temp directories

Perform the following 6 steps to detect installers vulnerable to tampering in or with the Temp directories.

Log on to the user account created during Windows Setup.
Add the NTFS ACL entry (D;OIIO;WP;;;WD) meaning deny execution of files in this directory for everyone, inheritable to all files in all subdirectories to the Temp directory %TMP%\ alias %USERPROFILE%\AppData\Local\Temp\ of your user account and to the system’s Temp directory %SystemRoot%\Temp\ as well.
Execute any installer to test; it is vulnerable, at least to denial of service, if it fails with Win32 error 5 alias ERROR_ACCESS_DENIED for a file from one of the Temp directories: the file inherited the NTFS ACL from the parent Temp directory which allows full access for the file’s owner.
In standard installations of Windows the unprivileged user can tamper with those files; if an installer runs elevated, this vulnerability typically results in escalation of privilege.
Note: according to numbers published by Microsoft in their Security Intelligence Reports, about ½ to ¾ of all (some 600 million) Windows NT installations engaged in their malware telemetry reported only a single active user account.
Set the environment variable TMP to a value like %USERPROFILE%\AppData\Local\Temp\..\Temp\..\Temp\..\Temp\..\Temp\..\Temp\..\Temp\..\Temp\..\Temp\..\Temp\..\Temp\..\Temp\..\Temp\..\Temp\..\Temp\..\Temp\..\Temp\..\Temp\..\Temp\..\Temp\..\Temp\..\Temp\..\Temp\..\Temp\..\Temp\..\Temp\..\Temp\..\Temp\..\Temp or NUL:, an inaccessible or invalid path, …
Execute any installer to test; if it fails it is vulnerable at least to denial of service.
Fix the vulnerable installers and retest them!

Example

Perform the following 7 steps to demonstrate an example of unsafe use of the Temp directory.

Download the executable installers Firefox Setup 72.0.exe or Firefox Setup 72.0.exe and Thunderbird Setup 68.4.1.exe or Thunderbird Setup 68.4.1.exe and save them in your Downloads directory.
Note: the installers for the 64-bit versions of Mozilla Firefox and Mozilla Thunderbird are 32-bit executables!

Start the Command Processor and run the following (block of) command lines to determine build date and version of the self-extractors from their embedded digital signature and application manifest:

CHDIR /D "%USERPROFILE%\Downloads"
SIGNTOOL.EXE Verify /PA /V "Firefox Setup 72.0.exe" "Thunderbird Setup 68.4.1.exe"
FINDSTR.EXE /C:"</description>" /E "Firefox Setup 72.0.exe" "Thunderbird Setup 68.4.1.exe"

Verifying: Firefox Setup 72.0.exe
Hash of file (sha1): 211D855ABF1E417EDC09484E1AE1CCDC5C414576

Signing Certificate Chain:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Mon Nov 10 01:00:00 2031
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

        Issued to: DigiCert SHA2 Assured ID Code Signing CA
        Issued by: DigiCert Assured ID Root CA
        Expires:   Sun Oct 22 13:00:00 2028
        SHA1 hash: 92C1588E85AF2201CE7915E8538B492F605B80C6

            Issued to: Mozilla Corporation
            Issued by: DigiCert SHA2 Assured ID Code Signing CA
            Expires:   Thu Jun 04 13:00:00 2020
            SHA1 hash: 74B2E146A82F2B71F8EB4B13EBBB6F951757D8C2

The signature is timestamped: Fri Jan 03 19:30:07 2020
Timestamp Verified by:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Mon Nov 10 01:00:00 2031
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

        Issued to: DigiCert Assured ID CA-1
        Issued by: DigiCert Assured ID Root CA
        Expires:   Wed Nov 10 01:00:00 2021
        SHA1 hash: 19A09B5A36F4DD99727DF783C17A51231A56C117

            Issued to: DigiCert Timestamp Responder
            Issued by: DigiCert Assured ID CA-1
            Expires:   Tue Oct 22 01:00:00 2024
            SHA1 hash: 614D271D9102E30169822487FDE5DE00A352B01D

Successfully verified: Firefox Setup 72.0.exe

Verifying: Thunderbird Setup 68.4.1.exe
Hash of file (sha1): 8E952BD4116F5A0CFC42F80FC76F903EF5593E14

Signing Certificate Chain:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Mon Nov 10 01:00:00 2031
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

        Issued to: DigiCert SHA2 Assured ID Code Signing CA
        Issued by: DigiCert Assured ID Root CA
        Expires:   Sun Oct 22 13:00:00 2028
        SHA1 hash: 92C1588E85AF2201CE7915E8538B492F605B80C6

            Issued to: Mozilla Corporation
            Issued by: DigiCert SHA2 Assured ID Code Signing CA
            Expires:   Thu Jun 04 13:00:00 2020
            SHA1 hash: 74B2E146A82F2B71F8EB4B13EBBB6F951757D8C2

The signature is timestamped: Thu Jan 09 01:02:31 2020
Timestamp Verified by:
    Issued to: DigiCert Assured ID Root CA
    Issued by: DigiCert Assured ID Root CA
    Expires:   Mon Nov 10 01:00:00 2031
    SHA1 hash: 0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43

        Issued to: DigiCert Assured ID CA-1
        Issued by: DigiCert Assured ID Root CA
        Expires:   Wed Nov 10 01:00:00 2021
        SHA1 hash: 19A09B5A36F4DD99727DF783C17A51231A56C117

            Issued to: DigiCert Timestamp Responder
            Issued by: DigiCert Assured ID CA-1
            Expires:   Tue Oct 22 01:00:00 2024
            SHA1 hash: 614D271D9102E30169822487FDE5DE00A352B01D

Successfully verified: Thunderbird Setup 68.4.1.exe

Number of files successfully Verified: 1
Number of warnings: 0
Number of errors: 0

Firefox Setup 72.0.exe:<description>7-Zip Self-extracting Archive v18.05</description>
Thunderbird Setup 68.4.1.exe:<description>7-Zip Self-extracting Archive v18.05</description>

Note: if you don’t have SignTool.exe installed, perform a right-click on the files Mozilla Firefox 72.0.exe and Mozilla Thunderbird 68.4.1.exe in Windows Explorer to display their context menu, then click Properties and switch to the Digital Signatures tab to view their digital signatures.

Note: despite that Windows 7 supports digital signatures using SHA-2 since many years (update 2949927 was published October 14, 2014, update 3033929 was published March 10, 2015, and security update 3123479 was published January 12, 2016), although Microsoft advises third parties to switch to digital signatures using SHA-2 also since many years and abandoned digital signatures using only SHA-1 in 2019, Mozilla but doesn’t follow best practise and demonstrates ongoing ignorance with digital signatures using only SHA-1.

Ouch¹: Mozilla builds their crap with the superseded, unsupported and ~~possibly~~ definitively vulnerable version 18.05 of 7-Zip, released April 30, 2018; as shown by their digital signature, Mozilla Firefox 72.0.exe was built January 3, 2020, and Mozilla Thunderbird 68.4.1.exe was built January 6, 2020, when 7-Zip 19.00, released February 21, 2019, was but the current version!

Run the following (block of) command lines to modify the NTFS ACL of your Temp directory to deny execution of files beyond it, change its path temporarily and execute both self-extractors:
```
ICACLS.EXE "%TMP%" /Deny *S-1-1-0:(IO)(OI)(X)
".\Firefox Setup 72.0.exe"
SET TMP=NUL:
".\Thunderbird Setup 68.4.1.exe"
SET TMP=%TEMP%
```
```
processed file: C:\Users\Stefan\AppData\Local\Temp
Successfully processed 1 files; Failed processing 0 files
```
Note: don’t close both error message boxes yet!
Note: if you are a user of Mozilla’s crap, submit not just bug reports for the vulnerabilities as well as the use of deprecated cryptography and unsupported third party code, but also for the missing pathname in both error message boxes!

Run the following (block of) command lines to list the directories and files extracted to your Temp directory as well as their permissions:

FOR /D %? IN ("%TMP%\7zS*") DO @(
DIR "%~?" /A
ICACLS.EXE "%~?"
ICACLS.EXE "%~?\setup.exe")

 Volume in drive C: has no label.
 Volume Serial Number is 1957-0427

 Directory of C:\Users\Stefan\AppData\Local\Temp\7zS8AEFD15E

01/09/2020  08:15 PM    <DIR>             .
01/09/2020  08:15 PM    <DIR>             ..
01/03/2020  07:26 PM    <DIR>             core
01/03/2020  07:26 PM           758,344 setup.exe
               1 File(s)        758,344 bytes
               3 Dir(s)    9,876,543,210 bytes free

C:\Users\Stefan\AppData\Local\Temp\7zS8AEFD15E Everyone:(I)(OI)(IO)(DENY)(S,X)
                                               NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                               BUILTIN\Administrators:(I)(OI)(CI)(F)
                                               AMNESIAC\Stefan:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files

C:\Users\Stefan\AppData\Local\Temp\7zS8AEFD15E\setup.exe Everyone:(I)(OI)(IO)(DENY)(S,X)
                                                         NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                         BUILTIN\Administrators:(I)(OI)(CI)(F)
                                                         AMNESIAC\Stefan:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files

Ouch²: the self-extractor fails to create (sub)directories and extracted files with proper permissions, it is vulnerable to a denial of service!

Ouch³: the self-extractor also fails to verify that the value of the environment variable TMP is the pathname of an existing directory (really: that the Win32 function GetTempPath() returns the pathname of an existing directory) and that creation of its own (sub)directory %TMP%\7zS‹random›\ as well as creation of the extracted files and directories succeeds (really: that the Win32 functions CreateFile() and CreateDirectory() return success), it is vulnerable to a second denial of service!

Note: the CWE^™ lists the demonstrated weaknesses as CWE-377: Insecure Temporary File, CWE-378: Creation of Temporary File With Insecure Permissions, CWE-379: Creation of Temporary File in Directory with Incorrect Permissions and CWE-67: Improper Handling of Windows Device Names.

Note: such beginner’s errors are an epic failure!

Run the following (block of) command lines to copy the extracted setup.exe to your Downloads directory, determine its version from the embedded application manifest, and execute it there:
```
FOR /D %? IN ("%TMP%\7zS*") DO @COPY "%~?\setup.exe"
FINDSTR.EXE /C:"<?xml version=" setup.exe
.\setup.exe
```
```
        1 File(s) copied.
[…]<description>Nullsoft Install System v3.01</description>[…]
```
Ouch⁴: Mozilla builds their crap with the superseded, unsupported and ~~possibly~~ definitively vulnerable version 3.01 of the Nullsoft Install System, released December 11, 2016; the version available when the executable installers were built was but 3.05, released December 15, 2019!
Ouch⁵: setup.exe is actually running on Microsoft Windows 7, but likes to play games with its unsuspecting users!
Note: don’t close this bogus error message box yet!

Run the following (block of) command lines to determine the cause for the bogus error message:

FOR /D %? IN ("%TMP%\ns*.tmp") DO @(
DIR "%~?" /A
ICACLS.EXE "%~?" /T)

 Volume in drive C: has no label.
 Volume Serial Number is 1957-0427

 Directory of C:\Users\Stefan\AppData\Local\Temp\nsa3931.tmp

01/09/2020  08:15 PM    <DIR>             .
01/09/2020  08:15 PM    <DIR>             ..
01/09/2020  08:15 PM            11,776 System.dll
               1 File(s)         11,776 bytes
               2 Dir(s)    9,876,543,210 bytes free

C:\Users\Stefan\AppData\Local\Temp\nsa3931.tmp Everyone:(I)(OI)(IO)(DENY)(S,X)
                                               NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                               BUILTIN\Administrators:(I)(OI)(CI)(F)
                                               AMNESIAC\Stefan:(I)(OI)(CI)(F)

C:\Users\Stefan\AppData\Local\Temp\nsa3931.tmp\System.dll Everyone:(I)(DENY)(S,X)
                                                          NT AUTHORITY\SYSTEM:(I)(F)
                                                          BUILTIN\Administrators:(I)(F)
                                                          AMNESIAC\Stefan:(I)(F)

Successfully processed 2 files; Failed processing 0 files

Ouch⁶: setup.exe too (ab)uses the Temp directory to create a subdirectory and extract executable files, but fails to create them with proper permissions!

Finally close all error message boxes and run the following command line to restore the previous NTFS ACL of your Temp directory:

ICACLS.EXE "%TMP%" /Remove:d *S-1-1-0

processed file: C:\Users\Stefan\AppData\Local\Temp
Successfully processed 1 files; Failed processing 0 files

Detect vulnerable executables

Perform the following 9 steps to detect executables vulnerable to DLL hijacking, using only tools available in every installation of Windows Vista and newer versions of Windows NT.

Create an UAC-enabled protected administrator test account (or use the user account created during Windows Setup).
Create an empty file %SystemRoot%\Debug\SAFER.log, grant your test account at least append data permission to it, then remove the permissions for all other accounts.

Create the following Registry entries to enable Software Restriction Policies, without restrictions, with advanced logging, for all users, for all executable files and DLLs:

REGEDIT4

; Copyright © 2005-2024, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"AuthentiCodeEnabled"=dword:00000000
"DefaultLevel"=dword:00040000                 ; 'Unrestricted'
;"ExecutableTypes"=multi:
"Levels"=dword:00071000                       ; Enable all security levels
"LogFileName"="C:\\Windows\\Debug\\SAFER.log"
"PolicyScope"=dword:00000000                  ; Apply to 'Users' and 'Administrators'
"TransparentEnabled"=dword:00000002           ; Apply to executable files and DLLs

Note: Win32 applications and DLLs are subject to Software Restriction Policies independent of their file extension!

Logoff, then logon with your test account.
Create an empty directory (or use the existing directory %USERPROFILE%\Downloads\).

Start the Command Processor in the chosen (empty) directory and run the following command line to create hardlinks to all ~~system~~ DLLs found in the search path in it:

FOR %! IN ("%PATH:;=" "%") DO FOR %? IN ("%~!\*.ACM"
                                         "%~!\*.AX"
                                         "%~!\*.CPL"
                                         "%~!\*.DLL"
                                         "%~!\*.DRV"
                                         "%~!\*.OCX"
                                         "%~!\*.IEC"
                                         "%~!\*.IME"
                                         "%~!\*.TSP") DO IF NOT EXIST "%~nx?" MKLINK /H "%~nx?" "%~?"

Note: the Command Processor and its internal MkLink command need to be run either impersonating TrustedInstaller or with the privileges SeBackupPrivilege and SeRestorePrivilege enabled!

Copy your executables into this directory and execute them per double-click.
Determine the DLLs your executables loaded from their application directory by running the following command line in the still open command prompt:
```
"%SystemRoot%\System32\Find.exe" /I "%CD%\" "%SystemRoot%\Debug\SAFER.log"
```
Fix the vulnerable executables and retest them!

Example 1 (continued)

Execute setup.exe extracted from the executable installer of Mozilla Firefox in the now prepared Downloads directory.

On Windows 7 this appends at least the following text lines to %SystemRoot%\Debug\SAFER.log, indicating the vulnerability:

EXPLORER.EXE (PID = 1848) identified C:\Users\Stefan\Downloads\setup.exe as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
setup.exe (PID = 4596) identified \??\C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\COMCTL32.dll as Unrestricted using path rule, Guid = {191cd7fa-f240-4a17-8986-94d480a6c8ca}
setup.exe (PID = 4596) identified \??\C:\Windows\system32\apphelp.dll as Unrestricted using path rule, Guid = {191cd7fa-f240-4a17-8986-94d480a6c8ca}
setup.exe (PID = 4596) identified \??\C:\Windows\AppPatch\AcGenral.DLL as Unrestricted using path rule, Guid = {191cd7fa-f240-4a17-8986-94d480a6c8ca}
setup.exe (PID = 4596) identified \??\C:\Users\Stefan\Downloads\UxTheme.dll as Unrestricted using path rule, Guid = {4fcf2556-cf02-4356-ad71-f82ca93ccd0b}
setup.exe (PID = 4596) identified \??\C:\Users\Stefan\Downloads\WINMM.dll as Unrestricted using path rule, Guid = {4fcf2556-cf02-4356-ad71-f82ca93ccd0b}
setup.exe (PID = 4596) identified \??\C:\Users\Stefan\Downloads\samcli.dll as Unrestricted using path rule, Guid = {4fcf2556-cf02-4356-ad71-f82ca93ccd0b}
setup.exe (PID = 4596) identified \??\C:\Users\Stefan\Downloads\MSACM32.dll as Unrestricted using path rule, Guid = {4fcf2556-cf02-4356-ad71-f82ca93ccd0b}
setup.exe (PID = 4596) identified \??\C:\Users\Stefan\Downloads\VERSION.dll as Unrestricted using path rule, Guid = {4fcf2556-cf02-4356-ad71-f82ca93ccd0b}
setup.exe (PID = 4596) identified \??\C:\Users\Stefan\Downloads\sfc.dll as Unrestricted using path rule, Guid = {4fcf2556-cf02-4356-ad71-f82ca93ccd0b}
setup.exe (PID = 4596) identified \??\C:\Users\Stefan\Downloads\sfc_os.dll as Unrestricted using path rule, Guid = {4fcf2556-cf02-4356-ad71-f82ca93ccd0b}
setup.exe (PID = 4596) identified \??\C:\Users\Stefan\Downloads\dwmapi.dll as Unrestricted using path rule, Guid = {4fcf2556-cf02-4356-ad71-f82ca93ccd0b}
setup.exe (PID = 4596) identified \??\C:\Users\Stefan\Downloads\MPR.dll as Unrestricted using path rule, Guid = {4fcf2556-cf02-4356-ad71-f82ca93ccd0b}
setup.exe (PID = 4596) identified \??\C:\Windows\system32\IMM32.DLL as Unrestricted using path rule, Guid = {191cd7fa-f240-4a17-8986-94d480a6c8ca}
setup.exe (PID = 4596) identified \??\C:\Windows\system32\UXTHEME.dll as Unrestricted using path rule, Guid = {191cd7fa-f240-4a17-8986-94d480a6c8ca}
setup.exe (PID = 4596) identified \??\C:\Windows\system32\USERENV.dll as Unrestricted using path rule, Guid = {191cd7fa-f240-4a17-8986-94d480a6c8ca}
setup.exe (PID = 4596) identified \??\C:\Windows\system32\SETUPAPI.dll as Unrestricted using path rule, Guid = {191cd7fa-f240-4a17-8986-94d480a6c8ca}
setup.exe (PID = 4596) identified \??\C:\Windows\system32\PROPSYS.dll as Unrestricted using path rule, Guid = {191cd7fa-f240-4a17-8986-94d480a6c8ca}
setup.exe (PID = 4596) identified \??\C:\Windows\system32\CRYPTBASE.dll as Unrestricted using path rule, Guid = {191cd7fa-f240-4a17-8986-94d480a6c8ca}
setup.exe (PID = 4596) identified \??\C:\Windows\system32\OLEACC.dll as Unrestricted using path rule, Guid = {191cd7fa-f240-4a17-8986-94d480a6c8ca}
setup.exe (PID = 4596) identified \??\C:\Windows\system32\CLBCATQ.dll as Unrestricted using path rule, Guid = {191cd7fa-f240-4a17-8986-94d480a6c8ca}
setup.exe (PID = 4596) identified \??\C:\Windows\system32\SHFOLDER.dll as Unrestricted using path rule, Guid = {191cd7fa-f240-4a17-8986-94d480a6c8ca}
setup.exe (PID = 4596) identified \??\C:\Windows\system32\ntmarta.dll as Unrestricted using path rule, Guid = {191cd7fa-f240-4a17-8986-94d480a6c8ca}
setup.exe (PID = 4596) identified \??\C:\Windows\System32\shdocvw.dll as Unrestricted using path rule, Guid = {191cd7fa-f240-4a17-8986-94d480a6c8ca}
setup.exe (PID = 4596) identified \??\C:\Windows\system32\shell32.dll as Unrestricted using path rule, Guid = {191cd7fa-f240-4a17-8986-94d480a6c8ca}
setup.exe (PID = 4596) identified \??\C:\Windows\system32\ole32.dll as Unrestricted using path rule, Guid = {191cd7fa-f240-4a17-8986-94d480a6c8ca}

Example 2

Download the executable installers 7z1602.exe and 7z1602-x64.exe, save them in the prepared directory %USERPROFILE%\Downloads\ and execute them just until they display their first dialog box which prompts for the target directory:

on Windows Embedded POSReady 2009 alias Windows XP SP3, execution of 7z1602.exe appends the following text lines to %SystemRoot%\Debug\SAFER.log, indicating the vulnerability:

EXPLORER.EXE (PID = 1234) identified C:\Documents and Settings\Stefan\Downloads\7z1602.exe as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
7z1602.exe (PID = 5678) identified \??\C:\Windows\System32\IMM32.DLL as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
7z1602.exe (PID = 5678) identified \??\C:\Windows\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
7z1602.exe (PID = 5678) identified \??\C:\Windows\System32\MSCTF.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
7z1602.exe (PID = 5678) identified \??\C:\Windows\System32\MSCTFIME.IME as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
7z1602.exe (PID = 5678) identified \??\C:\Documents and Settings\Stefan\Downloads\UXTHEME.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
7z1602.exe (PID = 5678) identified \??\C:\Windows\System32\mslbui.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}

on 32-bit editions of Windows 7, execution of 7z1602.exe appends the following text lines to %SystemRoot%\Debug\SAFER.log:

EXPLORER.EXE (PID = 5248) identified C:\Users\Stefan\Downloads\7z1602.exe as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
7z1602.exe (PID = 4312) identified \??\C:\Windows\System32\IMM32.DLL as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
7z1602.exe (PID = 4312) identified \??\C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.23403_none_2b180b30457f196c\comctl32.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
7z1602.exe (PID = 4312) identified \??\C:\Users\Stefan\Downloads\UxTheme.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
7z1602.exe (PID = 4312) identified \??\C:\Windows\System32\ole32.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}

on 64-bit editions of Windows 7, execution of 7z1602-x64.exe appends the following text lines to %SystemRoot%\Debug\SAFER.log, indicating the vulnerability:

EXPLORER.EXE (PID = 4532) identified C:\Users\Stefan\Downloads\7z1602-x64.exe as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
7z1602-x64.exe (PID = 3488) identified \??\C:\Windows\System32\IMM32.DLL as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
7z1602-x64.exe (PID = 3488) identified \??\C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.23403_none_2b180b30457f196c\comctl32.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
7z1602-x64.exe (PID = 3488) identified \??\C:\Users\Stefan\Downloads\UxTheme.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}
7z1602-x64.exe (PID = 3488) identified \??\C:\Windows\System32\ole32.dll as Unrestricted using default rule, Guid = {11015445-d282-4f86-96a2-9e485f593302}

Note: on all supported versions of Windows NT, UXTheme.dll is loaded from the program’s application directory %USERPROFILE%\Downloads\ instead from Windows’ system directory %SystemRoot%\System32\ alias %SystemRoot%\SysWoW64\ respectively, resulting in an LCE vulnerability.
Note: on Windows Vista and newer versions of Windows NT, 7z1602.exe and 7z1602-x64.exe request administrative privileges via their embedded application manifest, resulting in an additional EoP vulnerability!

Advantages of native installation packages

In contrast to executable installers, native installation packages for the operating system’s package manager exhibit the following advantages.

No (foreign or unknown) code is executed during installation, especially not with administrative privileges and access rights:
the target platform’s package installer is trusted, it does not execute the packages it installs, but reads them as data and interprets them, i.e. executes their instructions (yes, these can include "execute one of the files of the package", but read on).
They don’t need to be run with administrative privileges at all.
They can be used in locked-down environments where users don’t have the rights/permissions to execute arbitrary files and/or programs, but may use only white-listed applications and programs which renders instructions to execute something contained in the package useless.

The point is: well-known package formats allow you to inspect things, binary executables generally don’t.
In more detail:

It’s not a vulnerability, but a weakness and (design) bug in the first place: there is no need to execute (potentially malicious) programs from (potentially) untrusted sources or with questionable (unknown or even malicious) contents to install software.
This weakness turns into a vulnerability, if
- Jane or Joe Average execute arbitrary (untrusted) executables;
- a trusted (but vulnerable) executable loads and/or executes a rogue DLL or executable which happens to be in the search path before the expected DLL or executable, known as DLL spoofing, alias DLL preloading, directory poisoning, binary planting, DLL hijacking and DLL side-loading.
Binary executables are generally opaque: you can’t tell what they actually do unless you have their source (and built them yourself in a trusted environment), or until you reverse engineer them completely.
In case of installers, you need the sources of the installer (plus its unpacker), the sources of the creator and the sources of the script used to build the final binary executable.
The format of these packages is well-known and documented, they can be unpacked and their contents as well as their instructions/scripts read and inspected.
The tools to create/build, edit/modify, unpack and even rebuild them are typically part of the OS’s package manager or provided as part of the OS’s SDK.

Always use the target platforms native package or archive formats to distribute your software or files!
The problem are the morons who build binary executables to install software (or just unpack some files) and hand these binary executables to unsuspecting and unskilled users, expecting them to actually execute them.
This really nasty behaviour of almost all developers/companies out there trained users to execute almost anything they get their hands on.
The solution for this is simple:

Package software in the native format of the target platform!
For Windows this is .msi for applications and .inf (plus .cab) for drivers, including their satellites.
Other (older) OSs have .pkg, their newer variants .deb, .rpm, .apk, .dmg, …
Distribute packages in the native archive format of the target platform!
For Windows this is .cab.
Other OSs have their own, and most of them support .zip.

Contact and Feedback

If you miss anything here, have additions, comments, corrections, criticism or questions, want to give feedback, hints or tipps, report broken links, bugs, deficiencies, errors, inaccuracies, misrepresentations, omissions, shortcomings, vulnerabilities or weaknesses, …: don’t hesitate to contact me and feel free to ask, comment, criticise, flame, notify or report!

Use the X.509 certificate to send S/MIME encrypted mail.

Note: email in weird format and without a proper sender name is likely to be discarded!

I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text.
I also expect to see your full (real) name as sender, not your nickname.
I abhor top posts and expect inline quotes in replies.

Terms and Conditions

By using this site, you signify your agreement to these terms and conditions. If you do not agree to these terms and conditions, do not use this site!

The software and the documentation on this site are provided as is without any warranty, neither express nor implied.
In no event will the author be held liable for any damage(s) arising from the use of the software or the documentation.
Permission is granted to use the current version of the software and the current version of the documentation solely for personal private and non-commercial purposes.
An individuals use of the software or the documentation in his or her capacity or function as an agent, (independent) contractor, employee, member or officer of a business, corporation or organisation (commercial or non-commercial) does not qualify as personal private and non-commercial purpose.
Without written approval from the author the software or the documentation must not be used for a business, for commercial, corporate, governmental, military or organisational purposes of any kind, or in a commercial, corporate, governmental, military or organisational environment of any kind.
Redistribution of the software and the documentation is allowed only in unmodified form of its current version and free of charge.

Data Protection Declaration

This web page records no (personal) data and stores no cookies in the web browser.

The web service is operated and provided by

Telekom Deutschland GmbH
Business Center
D-64306 Darmstadt
Germany
<‍hosting‍@‍telekom‍.‍de‍>
+49 800 5252033

The web service provider stores a session cookie in the web browser and records every visit of this web site with the following data in an access log on their server(s):

the (pseudonymised) IP address;
the date and time of the request;
the URL of the requested web page or file;
the Referer and User-Agent HTTP headers sent by the web browser;
the result (success or failure) of the request;
the amount of data received and sent.