Inno Setup: Difference between revisions

Inno Setup
Original author(s)	Jordan Russell
Developer(s)	Jordan Russell and Martijn Laan
Initial release	1997; 28 years ago
Stable release	5.5.6 / July 16, 2015; 9 years ago
Repository	github.com/jrsoftware/issrc ;
Written in	Embarcadero Delphi
Operating system	Microsoft Windows
Type	Setup Creator
License	Free software
Website	jrsoftware.org/isinfo.php

Browse history interactively

← Previous edit Next edit →

Content deleted Content added

VisualWikitext

Inline

Revision as of 06:38, 25 December 2015

Inno Setup is a free script-driven installation system created in Delphi by Jordan Russell. The first version was released in 1997.

History

Since Jordan Russell wasn't satisfied with InstallShield Express which he had received upon purchase of Borland Delphi, he decided to make his own installer.^[2] At first, Inno Setup was little known. The first public version was 1.09.^{[citation needed]}.

To make an installation package with version 1.09, an “ISS.TXT” file needed to be created in the installation directory. In the file, the user needed to supply variables and values which are still used in Inno Setup today. These variables served as the configuration of the installation package but many other features could not be changed. The installation compiler had no editor and was more of a shell to compile scripts.

Throughout Inno Setup's development, it was becoming more widely used. Since Inno Setup was and still is free and open source, many software companies started switching to the open source solution in software installation^{[citation needed]}. Since Inno Setup was based around scripting, fans of Inno Setup started ISTool and ScriptMaker to aid in visual and simpler ways to make installations for Inno Setup.

Inno Setup has won many awards including the Shareware Industry Awards three times in a row - from 2002 to 2004.

Many people have taken Inno Setup source code and used it to develop third-party versions of Inno Setup. An example is My Inno Setup Extensions by Martijn Laan, which has been incorporated into Inno Setup in June 2003.

Features

Key features

Supports Windows 10, Windows 8, Windows 7, Windows Vista, Windows Server 2003, Windows XP (including x64 editions), Windows 2000^[3]
Extensive support for installation of 64-bit applications on Windows XP and Windows Server 2003. Both the x64 and IA-64 architectures are supported.
Multiple platforms (IA-32, x64 and IA-64) in a single binary
Prior versions supported Windows NT 3.51 (before v3.0) and Windows 3.X (Before v1.3)
Supports creation of a single EXE to install programs for easy online distribution.
Supports disk spanning.
Customizable setup types, for example, Full, Minimal, and Custom.
Complete uninstall capabilities.
Integrated support for “deflate”, bzip2, and 7-Zip LZMA file compression. The installer has the ability to compare file version information, replace in-use files, use shared file counting, register DLL/OCXs and type libraries, and install fonts.
Creation of shortcuts, including in the Start Menu and on the desktop.
Creation of registry and INI file entries.
Integrated Pascal scripting engine.
Support for multilingual installs.
Support for passworded and encrypted installs.
Silent install and uninstall.
Full source code is available (Borland Delphi 2.0-5.0 and 2009).
Supports Unicode and right-to-left languages.^[4]

Security

Installers created with InnoSetup have vulnerabilities which result in arbitrary code execution and due to their interaction with Windows' user account control additionally in privilege escalation. When run from a user's Downloads directory where an attacker has placed one of the DLLs these installers load per drive-by download this vulnerability results in remote code execution. A proof of concept was published by Stefan Kanthak. ^[5]

References

^ Inno Setup License "Inno Setup License". JRSoftware.org. Retrieved 18 January 2010. {{cite web}}: Check |url= value (help)
^ Why was it created?
^ "About Inno Setup". JRSoftware.org.
^ "Inno Setup change log". JRSoftware.org. Retrieved 18 January 2010.
^ FullDisclosure: Executable installers are vulnerable^WEVIL (case 5): JRSoft InnoSetup

External links

Official website
Inno Setup on GitHub
The Inno Setup Extensions Knowledge Base
Inno Setup Review by Dave Murray - An extensive review of Inno Setup
Lexpa ISVS - Inno Setup add-in for Visual Studio
OpenCandy Installer Platform Comparison June 2011

[1] Inno Setup License "Inno Setup License". JRSoftware.org. Retrieved 18 January 2010. {{cite web}}: Check |url= value (help)

[2] Why was it created?

[supported-os-3] "About Inno Setup". JRSoftware.org.

[unicode-4] "Inno Setup change log". JRSoftware.org. Retrieved 18 January 2010.

[5] FullDisclosure: Executable installers are vulnerable^WEVIL (case 5): JRSoft InnoSetup

[1]

[2]

[3]

[4]

[5]

@@ Line 63: / Line 63: @@
 ==Security==
 Installers created with InnoSetup have vulnerabilities which result in [[arbitrary code execution]] and due to their interaction with Windows' [[user account control]] additionally in [[privilege escalation]].
-If run from a user's ''Downloads'' directory where an attacker has placed one of the [[DLL]]s these installers load this vulnerability results in [[remote code execution]].
+When run from a user's ''Downloads'' directory where an attacker has placed one of the [[DLL]]s these installers load per [[drive-by download]] this vulnerability results in [[remote code execution]].
 A [[proof of concept]] was published by Stefan Kanthak.
 <ref>FullDisclosure: [http://seclists.org/fulldisclosure/2015/Dec/33 Executable installers are vulnerable^WEVIL (case 5): JRSoft InnoSetup]</ref>