isObjectModel.dll Cyber Security Fix v1.0

Date: 2014.10.15

Description: This software will update the files installed by the merge module isObjectModelMerge.msm, replacing
             the vulnerable file isObjectModel.dll (v1.0.0) with a fixed version (v1.0.1).

Delivery: MSI file for installing the fix. Fixed MSM merge module as an alternative to the MSI.

Problem: Most installations of DTMs that were build using the ifak DTMcreator DDXML include the isObjectModelMerge.msm.
         This merge module is only required by Profibus DTMs and during the generation of DTMs. Therefore it makes
         little sense to have it with most of the DTMs setups.
         Nevertheless it was detected that the isObjectModel.dll (v1.0.0) has an vulnerability when calling the function
         RemoveParameter at first and with long strings. The fixed version of the isObjectModel.dll (v1.0.1) correct
         this issue.

Tested OS: WinXP (x86), Win 7 (x86,x64), Win 8 (x64), Win 8.1 (x64), Win10 TP (x64)

For DTM producers:
The best solution is to remove the isObjectModelMerge.msm from your installation (since it is only used by Profibus DTMs).
If this is not possible, replace this merge module with the fixed one (v1.0.0.710)

For DTM integrators/solutions:
Since one or more DTM installations are included as child installations (and there is no guarantee if at least one of them
installs the fixed isObjectModelMerge.msm) the solution is to integrate this MSI as a child installation. In this case it
should be the last in a sequence of installation of DTMs.
Another solution would be to integrate the MSM merge module instead of this MSI.

Manually application:
Just execute this MSI and the files (if installed) will be replaced/fixed.

Remarks:
- UI-less installation can be achieved when passing "/qn" to the MSI. Else a reduced UI will be shown to the user
- The installation/replacement of the files will only be done if the older/vulnerable ones are already in the system.
  If not, no file will be installed. In both cases, the installation returns success.
- This installation fix does not appear in the Windows Uninstall Programs menu. If uninstallation is still needed,
  then run the MSI again and select uninstall.
- There can be some issues when using the original merge module isObjectModelMerge.msm in installations and installing
  in Windows versions later then WinXP. In this case, after copying/replacing the DLLs, the installation tries to register
  the DLLs which may fail (Message: Could not register...). There are two solutions for this: 1) Run your installation in
  compatibility mode to previous OS or 2) use the isObjectModelMerge(NoDllReg).msm instead.
