[wix-users] WiX v3.10.2 Important Security Fix Release

Rob Mensching rob at firegiant.com
Fri Jan 22 10:49:21 PST 2016

" it would be impossible to use burn to ensure that such a hotfix was installed prior to attempting to show "

This would only be true if we couldn't change Burn (or the mbahost, which may be more important in this case). Fortunately, we can.

Anyway, let's not jump to conclusions yet. Let's see what Microsoft says. The one "advantage" this issue has is that it exposes a known vulnerability in Windows. Security isn't something they typically blow off so I'm still hopeful.

Also, you can avoid this issue completely by not using WinForms (or whatever part of WinForms that is affected). I appreciate that isn't much solace if you've already invested deeply in WinForms but it is good to know there are options.

-----Original Message-----
From: wix-users [mailto:wix-users-bounces at lists.wixtoolset.org] On Behalf Of Jeremy Drake
Sent: Friday, January 22, 2016 10:35
To: WiX Toolset Users Mailing List <wix-users at lists.wixtoolset.org>
Subject: Re: [wix-users] WiX v3.10.2 Important Security Fix Release

I don't like the sound of where this is going.  Consider if Microsoft puts out a hotfix to fix this issue.  Due to the fact that MBA prereqs are only processed if the .NET context fails to create, it would be impossible to use burn to ensure that such a hotfix was installed prior to attempting to show the managed BA UI (which would likely fail due to this issue).

Also, even without this limitation, I have found that it is generally a pain to try to have MS hotfixes as prereqs.  We tried to do something like this with the hotfix to add sha-256 certificate support for drivers in Win7, and hit upon the issues that a) it's not clear from the licensing if you are allowed to redistribute a hotfix, and b) they seldom document a registry value/file to detect if a given hotfix is installed anymore (it seems like they want you to call out to CBS, which burn doesn't know how to do, so we had to resort to comparing before/after registry states and finding an undocumented CBS key to have burn detect off of).  In the end, we reverted all of this mess and got an SHA-1 cert to do dual-signing instead.

On Fri, 22 Jan 2016, Rob Mensching wrote:

> With that information and example code, please do open a Connect 
> issue: 
> https://connect.microsoft.com/VisualStudio/Feedback/LoadSubmitFeedback
> Form?FormID=6235
> That's the first step to getting it on the CLR team's radar.

More information about the wix-users mailing list