Important: Please update all Winthrop Products to resolve an Installer Security Vulnerability

Winthrop Development Consultants was recently notified by InstallAware, the supplier of the installer software used for the distribution packages for all our products, that a Security Vulnerability was identified in their product. They have released a new version that resolves the issue.

However, the issue will exist on all machines that have used an installer built with the previous compromised versions of their installer software.

Using the newly fixed installer software, we have created and released new builds of all our products which should be installed at all customer and partner sites as soon as possible. Any build of any of our products downloaded and installed after 10-Aug-2022 contains the fix.

[Edit] Old builds with this security vulnerability were discontinued at the end of December 2023, except for final builds of old GP versions. More details below.

As a bonus, installing the new builds will give you access to all the latest enhancements, features and fixes.

Note: All workstations in a system must be updated to the new builds at the same time.

Below is the information from the product release notices:

Installer Critical Update

Critical Update: The InstallAware software used to create the installers for our products has been updated to resolve a recently identified critical DLL preloading vulnerability. As a copy of the installer remains on the machine for maintenance, update, removal, and repair tasks, the risk is ongoing until the system is updated with the fixed installer.

Please see the release notices for the new builds:

Please update all workstations and servers where GP is installed to these latest builds as soon as possible.

[Edit] Any earlier builds are subject to this security vulnerability. This includes GP Power Tools build 28 or earlier, Batch Posting Service Toolkit build 11 or earlier, and Visual Studio Integration Toolkit build 16 or earlier.

Discontinued Builds

[Edit] The old builds of our products that contain this security vulnerability have been discontinued, with the exception of the final builds for the older versions of GP where there is no later build available. The details of what was discontinued at the end of December 2023 are described in the article below:

Old Microsoft Dynamics GP Versions

Note: The latest builds have been released for the last six versions of GP. There are no updates available for GP 2010 (v11.0) or GP 2013 (v12.0). It is recommended to update GP to a supported version so you can install the latest versions of our products. If you want to remove the security vulnerability for these old versions of GP, follow the steps below:

  • Install the latest build available for your version.
  • Temporarily rename the GP application folder.
  • Uninstall the products via the Control Panel.
  • Rename the GP application folder back.

This will remove the installer files while leaving the product files on the system.

More Information

Please note that the information being provided by InstallAware is deliberately vague, because providing more information increases the risk: it would help someone wanting to exploit the vulnerability. However, the issue relates to this topic from Microsoft:

Note: While the article refers to Windows Vista, the issue affects all Windows versions starting with Windows 2000 all the way through the latest Windows 11 and Windows Server 2022 products.

I will continue to provide all the information I have in this article.

Hope this helps you understand everything.

David

18-Aug-2022: Added more information and link to Microsoft article.
23-Aug-2022: Added note about products for older GP versions.
15-Feb-2023: Specifically listed the product builds that are subject to the security vulnerability.
12-Jan-2024: Updated to explain the discontinued builds.

This article was originally posted on http://www.winthropdc.com/blog.
