LmCast :: Stay tuned in

Risk 'Comparable' to SolarWinds Incident Lurks in Popular Software Update Tool

Recorded: Nov. 5, 2025, 4:17 p.m.

Original

Some of the world's biggest technology companies use a program liable to introduce malware into their software. The potential consequences are staggering, but there's an easy fix.

Nate Nelson, Contributing Writer
November 5, 2025
4 Min Read
Source: B Christopher via Alamy Stock Photo

Researchers have discovered a supply chain risk in a popular installer authoring tool, which they've described as potentially leading to cyberattacks "comparable in scope to supply chain incidents like SolarWinds." Its developers, however, say it's working as intended.

The tool, Advanced Installer, is used for building application installers. After developing their software, vendors turn to it to bundle all the many files, dependencies, drivers, configurations, and so on that allow their software to install smoothly on customers' systems.

According to its website, Advanced Installer is used by developers and system administrators in more than 60 countries "to package or repackage everything from small shareware products, internal applications, and device drivers, to massive mission-critical systems." It counts a variety of brand-name, international software vendors among its customers, like Microsoft, Apple, Dell, Motorola, Sony, McAfee, Adobe, and more.

In a new report, cybersecurity provider Cyderes revealed what it has deemed a "bring your own update" (BYOU) risk in Advanced Installer.
Simply put, attackers can manipulate it to infect vendors' software updates, then sit back and watch as the malware spreads to all of the downstream customers.

"It's not a five-alarm crisis yet, as we are not aware of an active campaign targeting this weakness," says Brian Hussey, senior vice president of Cyderes' Howler Cell. But he emphasizes that "vendors should act now to review their update signing practices before this threat assessment increases."

No Digital Signature Requirement for Advanced Installer

One of Advanced Installer's popular features is its update tool, which empowers software programs to automatically check for and install updates as they become available.

As part of the process, to find and retrieve remotely hosted update configuration files, the update tool accepts a -url parameter. But who's to say that the URL must host a legitimate update config?

Imagine that hackers pull off the very commonplace feat of breaching a software developer, who in this case uses Advanced Installer. The hacker can then craft a file that looks like a software update, but secretly points to a URL with their malware. To propagate their malware to all of the developer's customers, all they'd have to do is run a single command on the infected system, which tells the update tool to check for and retrieve their malicious file from their server.

It's unlikely that the organization on the receiving end of that update would be able to spot the link to malware.
On the developer's end, the update file is unsigned and unverified, but from the victim's perspective, it's being installed by a legitimate, trusted updater tool, which will look like benign behavior to any operating system (OS), antivirus, or endpoint detection and response (EDR) program.

How to Avoid Supply Chain Attacks via Advanced Installer

The BYOU issue in Advanced Installer is no software vulnerability; it's a design choice.

Like most software, it's made to be user-friendly. It has an easy-to-use graphical user interface (GUI) and lots of options for customization, and to make updates smooth and easy, its update tool accepts signed and unsigned packages alike.

And it has a solution for that, too, if you're worried about security. Every user can toggle on an option to "Install only digitally signed update packages signed with the same certificate as the Updater." In fact, when Cyderes contacted Advanced Installer developer Caphyon, the company acknowledged the risk in its product, but pointed out that every user already has this power to protect themselves.

By all indications, though, users aren't actually doing it. Cyderes couldn't say exactly how many users, or even roughly what percentage of users, do and don't enforce digital signatures for their updates, but noted that a tested sample of programs packaged with Advanced Installer did not include any signature enforcement.

As further evidence of just how uncommon it is to use the signature requirement, the report pointed out that, in a comic twist, Caphyon doesn't actually force digitally signed updates for the Advanced Installer program itself.

So either the culture around Advanced Installer is going to have to shift, or Caphyon's laissez-faire policy will need to change.
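The "signed with the same certificate as the Updater" rule described above, written out as a pre-deployment check a defender can run against a downloaded update in a staging environment. This is an added example, not Caphyon's code or anything from the Cyderes report; it assumes Windows PowerShell 5.1 or later, and the updater filename and both paths are placeholders.

```powershell
# Added example: reject an update package unless it carries a valid Authenticode
# signature from the same certificate that signed the installed updater.
function Test-UpdatePackageSigner {
    param(
        [Parameter(Mandatory)] [string] $UpdaterPath,   # installed updater binary (assumed path)
        [Parameter(Mandatory)] [string] $PackagePath    # downloaded update package under test
    )

    $updaterSig = Get-AuthenticodeSignature -FilePath $UpdaterPath
    $packageSig = Get-AuthenticodeSignature -FilePath $PackagePath

    # 'Valid' means signed, hash intact, and chained to a trusted root.
    # Anything else (NotSigned, HashMismatch, NotTrusted, ...) is a hard stop.
    if ($updaterSig.Status -ne 'Valid') {
        return [pscustomobject]@{ Allowed = $false; Reason = "Updater signature status: $($updaterSig.Status)" }
    }
    if ($packageSig.Status -ne 'Valid') {
        return [pscustomobject]@{ Allowed = $false; Reason = "Package signature status: $($packageSig.Status)" }
    }

    # "Same certificate as the Updater": compare certificate thumbprints rather than
    # subject names, so a different certificate with a look-alike subject is refused.
    $updaterThumb = $updaterSig.SignerCertificate.Thumbprint
    $packageThumb = $packageSig.SignerCertificate.Thumbprint
    if ($updaterThumb -ne $packageThumb) {
        return [pscustomobject]@{ Allowed = $false; Reason = "Signer mismatch: updater $updaterThumb, package $packageThumb" }
    }

    return [pscustomobject]@{ Allowed = $true; Reason = "Package signed with the updater's certificate ($packageThumb)" }
}

# Usage with placeholder paths; run before the package is ever executed.
$result = Test-UpdatePackageSigner `
    -UpdaterPath 'C:\Program Files\ExampleVendor\updater.exe' `
    -PackagePath "$env:TEMP\ExampleApp-Update.msi"

if ($result.Allowed) { Write-Output $result.Reason } else { Write-Warning $result.Reason }
```

The same comparison can be scripted into a staging pipeline so that a package failing it never reaches production hosts, which is the manual equivalent of enabling the updater option the article describes.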
Hussey concludes that "given the severity of the risk, we believe mandatory digital signatures in update packages and integrity check mechanisms would be the appropriate solution."

In the meantime, every organization that uses mainstream software might be well advised to keep vigilant. "Concern will likely rise once [these] details are public, especially among large vendors currently relying on non-signed installers," Hussey says, so "organizations should accept only digitally signed updates, test vendor updates in a secure staging area, and monitor installer activity for unusual behavior."

About the Author

Nate Nelson, Contributing Writer

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."
Summarized

The wide use of installer authoring tools such as Advanced Installer presents a significant and potentially escalating cyber risk, comparable in scope to high-profile supply chain attacks like the SolarWinds incident. According to a recent report by Cyderes, this risk stems from the tool's design, which allows vendors' updaters to accept both digitally signed and unsigned update packages. This approach, while intended for user-friendliness, creates an avenue for attackers to inject malicious code into software updates, effectively compromising downstream customers. The core weakness is the lack of mandatory digital signature enforcement, a practice that would significantly reduce the attack surface.

The Advanced Installer tool is used by a diverse range of companies, including Microsoft, Apple, and Dell, to package and repackage software, from small shareware to large mission-critical systems. Its updater accepts unsigned packages and retrieves update configuration from a URL supplied on the command line. This design can be exploited by attackers who craft malicious update files that appear legitimate, targeting developers who use the tool. Once an attacker gains access to a developer's system, they can insert malware into the update package, which is then deployed to all of the developer's clients. Because signatures are not enforced, the update files are not verified, so a compromised installation would essentially go undetected by standard security measures such as the operating system, antivirus software, or endpoint detection and response (EDR) systems.

The Cyderes report emphasizes the critical need for a proactive approach. While acknowledging that the risk isn't yet "five-alarm," the analysts highlight the potential for this vulnerability to be weaponized, particularly as larger vendors relying on non-signed installers are exposed. The recommendation is clear: organizations should mandate digital signatures for update packages, incorporate integrity check mechanisms, and rigorously test vendor updates in a secure staging environment. Furthermore, monitoring installer activity for unusual behavior is advised. The report suggests that if the current culture around Advanced Installer doesn’t shift, mandatory digital signatures and integrity checks would be the appropriate solution.

This scenario underscores the broader implications of “bring your own update” (BYOU) strategies in the software supply chain. While convenient, BYOU models inherently increase complexity and risk, particularly when combined with tools lacking robust security controls. It serves as a critical reminder for software vendors and users alike to prioritize security at every stage of the software lifecycle.