[wix-users] WiX v3.10.2 Important Security Fix Release

Jeremy Drake jeremydrake+wix at eacceleration.com
Fri Jan 22 10:35:01 PST 2016


I don't like the sound of where this is going.  Consider if Microsoft puts 
out a hotfix to fix this issue.  Due to the fact that MBA prereqs 
are only processed if the .NET context fails to create, it would be 
impossible to use burn to ensure that such a hotfix was installed prior to 
attempting to show the managed BA UI (which would likely fail due to this 
issue).

Also, even without this limitation, I have found that it is generally a 
pain to try to have MS hotfixes as prereqs.  We tried to do something like 
this with the hotfix to add SHA-256 certificate support for drivers in 
Win7, and hit upon the issues that a) it's not clear from the licensing if 
you are allowed to redistribute a hotfix, and b) they seldom document a 
registry value/file to detect if a given hotfix is installed anymore (it 
seems like they want you to call out to CBS, which burn doesn't know how 
to do, so we had to resort to comparing before/after registry states and 
finding an undocumented CBS key to have burn detect off of).  In the end, 
we reverted all of this mess and got an SHA-1 cert to do dual-signing 
instead.

On Fri, 22 Jan 2016, Rob Mensching wrote:

> With that information and example code, please do open a Connect issue: https://connect.microsoft.com/VisualStudio/Feedback/LoadSubmitFeedbackForm?FormID=6235
>
> That's the first step to getting it on the CLR team's radar.
>
> _____________________________________________________________
> Short replies here. Complete answers over there: http://www.firegiant.com/
>
>
> -----Original Message-----
> From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Andreas Buchner
> Sent: Thursday, January 21, 2016 11:49 PM
> To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
> Subject: Re: [wix-users] WiX v3.10.2 Important Security Fix Release
>
> Rob, thanks for providing this information.
> I've created a small application (just opening a WinForm) with and without calling SetDefaultDllDirectories.
> Even if I compile the application with .NET 4.5.2 I'm getting the same exception when calling SetDefaultDllDirectories in Win7x86 and Win7x64 (Server 2008R2 not tested yet).
>
> Does anyone have an idea for a workaround on this? :)
>
> Regards,
> Andreas Buchner
>
> ____________________________________________________________________
> WiX Toolset Users Mailing List provided by FireGiant http://www.firegiant.com/
>

