Supply Chain Risk in Advanced Installer Update Tool

First reported

05.11.2025 16:00

Last updated

1 unique sources, 1 articles

Summary

Hide ▲

A supply chain risk in the Advanced Installer tool, used to create software installers, has been identified. The risk allows attackers to manipulate software updates, potentially affecting downstream customers. The issue is not a vulnerability but a design choice that allows unsigned updates. The tool is widely used by major software vendors, including Microsoft, Apple, and Dell. The risk involves attackers breaching a software developer and injecting malicious updates through the Advanced Installer's update tool, which does not require digital signatures by default. This could lead to widespread malware distribution. Cybersecurity provider Cyderes has highlighted the risk and recommended that vendors enforce digital signatures for updates to mitigate the threat.

Timeline

05.11.2025 16:00 1 articles · 5d ago

Supply Chain Risk Identified in Advanced Installer Update Tool
Cybersecurity provider Cyderes has identified a 'bring your own update' (BYOU) risk in the Advanced Installer tool. The risk allows attackers to manipulate software updates, potentially affecting downstream customers. The issue is not a vulnerability but a design choice that allows unsigned updates. Cyderes has recommended that vendors enforce digital signatures for updates to mitigate the threat. The risk is comparable in scope to the SolarWinds supply chain attack.
Show sources

Risk 'Comparable' to SolarWinds Incident Lurks in Popular Software Update Tool — www.darkreading.com — 05.11.2025 16:00
Open in new tab

Information Snippets

Advanced Installer is a popular tool used by developers to create software installers, with a wide user base including major vendors like Microsoft, Apple, Dell, and Adobe.
First reported: 05.11.2025 16:00

1 source, 1 article
Show sources
- Risk 'Comparable' to SolarWinds Incident Lurks in Popular Software Update Tool — www.darkreading.com — 05.11.2025 16:00
The tool's update mechanism accepts unsigned packages, allowing attackers to inject malicious updates.
First reported: 05.11.2025 16:00

1 source, 1 article
Show sources
- Risk 'Comparable' to SolarWinds Incident Lurks in Popular Software Update Tool — www.darkreading.com — 05.11.2025 16:00
Cyderes has identified a 'bring your own update' (BYOU) risk in Advanced Installer, where attackers can manipulate software updates.
First reported: 05.11.2025 16:00

1 source, 1 article
Show sources
- Risk 'Comparable' to SolarWinds Incident Lurks in Popular Software Update Tool — www.darkreading.com — 05.11.2025 16:00
The risk is not a software vulnerability but a design choice that prioritizes ease of use over security.
First reported: 05.11.2025 16:00

1 source, 1 article
Show sources
- Risk 'Comparable' to SolarWinds Incident Lurks in Popular Software Update Tool — www.darkreading.com — 05.11.2025 16:00
Users can enable an option to enforce digital signatures for updates, but many do not use this feature.
First reported: 05.11.2025 16:00

1 source, 1 article
Show sources
- Risk 'Comparable' to SolarWinds Incident Lurks in Popular Software Update Tool — www.darkreading.com — 05.11.2025 16:00
Cyderes recommends mandatory digital signatures and integrity checks to mitigate the risk.
First reported: 05.11.2025 16:00

1 source, 1 article
Show sources
- Risk 'Comparable' to SolarWinds Incident Lurks in Popular Software Update Tool — www.darkreading.com — 05.11.2025 16:00
The risk is comparable in scope to the SolarWinds supply chain attack.
First reported: 05.11.2025 16:00

1 source, 1 article
Show sources
- Risk 'Comparable' to SolarWinds Incident Lurks in Popular Software Update Tool — www.darkreading.com — 05.11.2025 16:00

Summary

Timeline

Supply Chain Risk Identified in Advanced Installer Update Tool

Information Snippets