Some of the world's biggest technology companies use a program liable to introduce malware into their software. The potential consequences are staggering, but there's an easy fix.
November 5, 2025

Researchers have discovered a supply chain risk in a popular installer authoring tool, which they've described as potentially leading to cyberattacks "comparable in scope to supply chain incidents like SolarWinds." Its developers, however, say it's working as intended.

The tool, Advanced Installer, is used for building application installers. After developing their software, vendors turn to it to bundle all the many files, dependencies, drivers, configurations, and so on that allow their software to install smoothly on customers' systems.

According to its website, Advanced Installer is used by developers and system administrators in more than 60 countries "to package or repackage everything from small shareware products, internal applications, and device drivers, to massive mission-critical systems." It counts a variety of brand-name, international software vendors among its customers, like Microsoft, Apple, Dell, Motorola, Sony, McAfee, Adobe, and more.

In a new report, cybersecurity provider Cyderes revealed what it has deemed a "bring your own update" (BYOU) risk in Advanced Installer.
Simply put, attackers can manipulate it to infect vendors' software updates, then sit back and watch as their malware spreads to all of the downstream customers.

"It’s not a five-alarm crisis yet, as we are not aware of an active campaign targeting this weakness," says Brian Hussey, senior vice president of Cyderes' Howler Cell. But he emphasizes that "vendors should act now to review their update signing practices before this threat assessment increases."

One of Advanced Installer's popular features is its update tool, which lets software programs automatically check for and install updates as they become available.

As part of the process, to find and retrieve remotely hosted update configuration files, the update tool accepts a -url parameter. But who's to say that the URL must host a legitimate update config?

Imagine that hackers pull off the very commonplace feat of breaching a software developer, who in this case uses Advanced Installer. The hacker can then craft a file that looks like a software update but secretly points to a URL hosting their malware. To propagate that malware to all of the developer's customers, all they'd have to do is run a single command on the compromised system, telling the update tool to check for and retrieve the malicious file from their server.

It's unlikely that the organization on the receiving end of that update would be able to spot the link to malware. On the developer's end, the update file is unsigned and unverified, but from the victim's perspective it's being installed by a legitimate, trusted updater tool, so it will look like benign behavior to any operating system (OS), antivirus, or endpoint detection and response (EDR) program.

The BYOU issue in Advanced Installer is no software vulnerability; it's a design choice. Like most software, it's made to be user-friendly.
It has an easy-to-use graphical user interface (GUI) and lots of options for customization, and to make updates smooth and easy its update tool accepts signed and unsigned packages alike.

And it has a solution for that, too, if you're worried about security. Every user can toggle on an option to "Install only digitally signed update packages signed with the same certificate as the Updater." In fact, when Cyderes contacted Advanced Installer developer Caphyon, the company acknowledged the risk in its product but pointed out that every user already has this power to protect themselves.

By all indications, though, users aren't actually doing it. Cyderes couldn't say exactly how many users, or even roughly what percentage of users, do and don't enforce digital signatures for their updates, but noted that a tested sample of programs packaged with Advanced Installer did not include any signature enforcement.

As further evidence of just how uncommon it is to use the signature requirement, the report pointed out that, in a comic twist, Caphyon doesn't actually force digitally signed updates for the Advanced Installer program itself.

So either the culture around Advanced Installer is going to have to shift, or Caphyon's laissez-faire policy will need to change. Hussey concludes that "given the severity of the risk, we believe mandatory digital signatures in update packages and integrity check mechanisms would be the appropriate solution."

In the meantime, every organization that uses mainstream software might be well advised to keep vigilant.
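As an added illustration (this is not code from the Dark Reading article, from Cyderes' report, or from Caphyon's product), here is one defender-side check for the -url mechanism described above: scan process-creation log lines for invocations of an application's updater whose -url argument points somewhere other than the vendor's own update host, or fetches the update config without TLS. The updater binary name (updater.exe), the pipe-separated log format, the allowlisted host and the sample log lines are all constructed assumptions for the example.

```python
"""
Added example: flag updater invocations whose -url argument points off the
vendor's allowlist. Not from the article, Cyderes, or Caphyon.
Assumptions (hypothetical): the updater image is named "updater.exe", log
lines are "timestamp|image path|command line", and ALLOWED_UPDATE_HOSTS is
the vendor's real update host.
"""
import re
from urllib.parse import urlparse

# Hypothetical allowlist: hosts a legitimate update config may be fetched from.
ALLOWED_UPDATE_HOSTS = {"updates.example-vendor.com"}
# Hypothetical updater image name(s) produced by the installer authoring tool.
UPDATER_IMAGE_NAMES = {"updater.exe"}
# Matches "-url <value>" with or without surrounding double quotes.
URL_ARG = re.compile(r'-url\s+"?([^"\s]+)"?', re.IGNORECASE)

# Constructed sample process-creation log (timestamp|image|command line).
SAMPLE_LOG = """\
2025-11-05T10:01:02Z|C:\\Program Files\\ExampleApp\\updater.exe|"C:\\Program Files\\ExampleApp\\updater.exe" -url https://updates.example-vendor.com/example.txt
2025-11-05T10:03:15Z|C:\\Program Files\\ExampleApp\\updater.exe|"C:\\Program Files\\ExampleApp\\updater.exe" -url http://203.0.113.7/updates.txt
2025-11-05T10:04:40Z|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\dev\\notes.txt
2025-11-05T10:05:01Z|C:\\Program Files\\ExampleApp\\updater.exe|"C:\\Program Files\\ExampleApp\\updater.exe"
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, image path, command line)."""
    ts, image, cmdline = line.split("|", 2)
    return ts, image, cmdline


def extract_update_url(cmdline):
    """Return the value passed to -url, or None if the invocation has no -url."""
    match = URL_ARG.search(cmdline)
    return match.group(1) if match else None


def classify_url(url):
    """Return the reasons an update URL is suspicious (empty list means it passes)."""
    parsed = urlparse(url)
    reasons = []
    if parsed.scheme.lower() != "https":
        reasons.append("update config not fetched over https")
    host = (parsed.hostname or "").lower()
    if host not in ALLOWED_UPDATE_HOSTS:
        reasons.append(f"update host {host!r} not in vendor allowlist")
    return reasons


def scan_log(text):
    """Yield findings for updater runs whose -url target fails the allowlist checks."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, image, cmdline = parse_line(line)
        # Only the updater image is of interest; other processes are skipped.
        if image.rsplit("\\", 1)[-1].lower() not in UPDATER_IMAGE_NAMES:
            continue
        url = extract_update_url(cmdline)
        if url is None:
            continue  # updater run without an explicit -url: nothing to compare
        reasons = classify_url(url)
        if reasons:
            findings.append({"time": ts, "url": url, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["time"], finding["url"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run against the constructed log, only the second line is reported (plain http to an address outside the allowlist); the legitimate https fetch, the unrelated notepad.exe process, and the updater run with no -url argument all pass. In a real deployment the allowlist would come from the vendor's documented update host and the log lines from an EDR or Sysmon process-creation feed, and the same check is a reasonable complement to, not a substitute for, the "signed with the same certificate as the Updater" option the article describes.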
"Concern will likely rise once [these] details are public, especially among large vendors currently relying on non-signed installers," Hussey says, so "organizations should accept only digitally signed updates, test vendor updates in a secure staging area, and monitor installer activity for unusual behavior."

Nate Nelson, Contributing Writer

Nate Nelson is a writer based in New York City. He formerly worked as a reporter at Threatpost, and wrote "Malicious Life," an award-winning Top 20 tech podcast on Apple and Spotify. Outside of Dark Reading, he also co-hosts "The Industrial Security Podcast."