Risk ‘Comparable’ to SolarWinds Incident Lurks in Popular Software Update Tool
Summary
Researchers at Cyderes have identified a supply‑chain risk in Advanced Installer’s updater that could allow attackers to distribute malicious updates across downstream customers. The updater accepts an arbitrary -url parameter and, by design, does not require update packages to be digitally signed unless the user enables that option. An attacker who compromises a developer could craft a fake update configuration pointing to malware and trigger mass distribution that appears as legitimate updater behaviour. Caphyon, the developer, says the protection exists but is not enforced by default.
Key Points
- Advanced Installer’s update tool accepts a -url parameter and does not require digital signatures by default.
- An attacker who compromises a software developer can create a malicious update config that points to malware and cause wide distribution (a “bring your own update” or BYOU scenario).
- Cyderes warns the impact could be comparable in scope to SolarWinds because Advanced Installer is widely used by major vendors.
- Caphyon offers an option to allow only digitally signed update packages, but enforcement appears uncommon and Advanced Installer itself doesn’t require signatures for its own updates.
- Recommended mitigations: accept only digitally signed updates, test vendor updates in a secure staging area, monitor installer activity for unusual behaviour, and consider making signature checks mandatory.
Content Summary
The article explains the attack vector: compromise a developer, create an update configuration that points to a malicious URL, and instruct the updater to fetch that configuration. Because the updater will happily process unsigned update files unless configured otherwise, the malicious payload can install while appearing to be legitimate updater activity to the OS, antivirus or EDR. Cyderes urges organisations to review signing practices; Caphyon notes the option to require signatures exists but is rarely used.
Context and Relevance
This is significant for organisations that consume third‑party software or build installers themselves. Supply‑chain attacks scale quickly and, given Advanced Installer’s adoption across many vendors (including household names), the potential blast radius is large. The piece ties into broader industry efforts to harden update integrity after incidents such as SolarWinds.
Why should I read this
Quick and blunt: if you rely on external software or ship updates, this is one of those sneaky risks that can blow up fast. The good news? The fix is straightforward — insist on signed updates, stage and test vendor patches, and watch installer behaviour. Read it so you can nudge your ops or vendor contacts to sort it before someone else does.
Author style
Punchy: this is a high‑impact, actionable heads‑up. If you manage updates, dependencies or vendor risk, the detail matters — don’t skip it.