IExpress


IExpress, a component of Windows 2000 and later versions of the operating system, is used to create self-extracting packages from a set of files. Such packages can be used to install software.

Overview

IExpress can be used for distributing self-contained installation packages to multiple local or remote Windows computers. It creates a self-extracting executable or a compressed Cabinet file using either the provided front end interface, or a custom Self Extraction Directive (SED) file.
SED files can be modified with any plain text/ASCII editor, like Notepad. All self-extracting files created by IExpress use CAB compression algorithms, are compressed using the MakeCab tool, and are extracted using the WExtract tool.
IEXPRESS.EXE is located in the SYSTEM32 folder of both 32-bit and 64-bit installations of Windows. The front end interface can be started by manually navigating to the respective directory and opening the executable, or by typing IExpress into the Run window of the Start Menu. It can also be used from the command line to create custom installation packages, optionally unattended:
IEXPRESS /N drive_letter:\directory_name\file_name.SED
The IExpress Wizard interface guides the user through the process of creating a self-extracting package. It asks what the package should do: extract files and then run a program, or just extract files. It then allows the user to specify a title for the package, add a confirmation prompt, add a license agreement that the end-user must accept in order to allow extraction, select files to be archived, set display options for the progress window, and finally, specify a message to display upon completion.
If the option to create an archive and run a program is selected, then there will be an additional step, prompting the user to select the program that will be run upon extraction.
Be aware that the type of self-extracting archive created depends on the operating system it is created on, and a 64-bit package won't run on 32-bit computers.
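Because the SED file described above is plain INI-style text, the program a package will run upon extraction can be reviewed before IEXPRESS /N builds it. The following is an added example, not part of the original page: the section and key names follow the layout the IExpress wizard writes and are assumptions here, the sample SED is constructed, and audit_sed is a hypothetical helper name.

```python
import configparser
import re

# Constructed sample in the layout the IExpress wizard writes (assumed key names).
SAMPLE_SED = r"""
[Options]
PackagePurpose=InstallApp
AppLaunched=%AppLaunched%
PostInstallCmd=%PostInstallCmd%
SourceFiles=SourceFiles
[Strings]
AppLaunched="cmd /c install.cmd"
PostInstallCmd="<None>"
FILE0="setup.msi"
FILE1="install.cmd"
[SourceFiles]
SourceFiles0=C:\build\payload
[SourceFiles0]
%FILE0%=
%FILE1%=
"""

SHELLS = {"cmd", "cmd.exe", "powershell", "powershell.exe"}
COMMAND_KEYS = ("AppLaunched", "PostInstallCmd", "AdminQuietInstCmd", "UserQuietInstCmd")

def audit_sed(text):
    """Return (packaged files, {directive key: (command, review notes)})."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case so %FILE0% style names survive
    cp.read_string(text)
    strings = {k: v.strip('"') for k, v in cp["Strings"].items()}
    def expand(value):
        # Resolve %NAME% against [Strings]; unknown names are left untouched.
        return re.sub(r"%(\w+)%", lambda m: strings.get(m.group(1), m.group(0)), value)
    files = []
    for list_section in cp[cp["Options"]["SourceFiles"]]:
        files += [expand(name) for name in cp[list_section]]
    findings = {}
    for key in COMMAND_KEYS:
        cmd = expand(cp["Options"].get(key, "")).strip()
        if not cmd or cmd == "<None>":
            continue
        notes = []
        if cmd.split()[0].lower() in SHELLS:
            notes.append("runs through a command interpreter")
        if not any(f.lower() in cmd.lower() for f in files):
            notes.append("does not reference a packaged file")
        findings[key] = (cmd, notes)
    return files, findings
```

A command flagged as not referencing a packaged file depends on something outside the archive being present at run time, which is worth confirming with the package author before signing or distributing the build.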

Security

The self-extracting packages created with IExpress have vulnerabilities which allow arbitrary code execution because of the way they handle their installation command and their command line processing. Additionally, because of the way Windows User Account Control handles installers, these vulnerabilities allow a privilege escalation.
More specifically, the vulnerability comes in two versions: the most obvious one is that a switch tells the package to run an arbitrary command in the extracted directory; the other is that the directory is predictable and writable by any ordinary user, so that the usual msiexec.exe command can be replaced by an attack payload. The latter has been fixed by Microsoft in MS14-049, but the former is only addressed by a policy to deprecate IExpress. There is also a DLL hijacking exploit possible with IExpress.