Today, as we bid an indifferent farewell to the 12-month period known as 2017, we shipped WiX v3.10.4 and WiX v3.11.1 to mitigate a vulnerability in Burn. The vulnerability is a little tougher to exploit than the one fixed in WiX v3.10.2; this one requires already-running malicious code that’s specially-crafted to look for bundles that are running with elevated privileges.
As always, we recommend updating to the latest and greatest as soon as possible. Your users won’t thank you but they will yell if you left them vulnerable when you could’ve easily prevented it. The only change is this one small fix, so upgrade with a clear conscience.
Download WiX v3.10.4 here.
Download WiX v3.11.1 here.
On 4 July 2016, the 240th anniversary of the approval and publication of the United States Declaration of Independence, the Juno spacecraft is scheduled to enter polar orbit around Jupiter and WiX v3.10.3 was released.
WiX v3.10.3 contains fixes for the regressions introduced in WiX v3.10.2 by the “clean room” technique that mitigates against Windows vulnerabilities that affect bundle executables.
Download WiX v3.10.3.
The following bugs were fixed:
Universe willing, WiX v3.10.3 is the final release of the WiX v3.10 series. Up next is WiX v3.11.
Rob also had words on this release.
An unpleasant first: We had to release a security update for the WiX Toolset. Here’s the recipe:
That’s it, really. Bake and serve and suddenly every executable is potentially a carrier for malware.
WiX v3.10.2 contains mitigations for Burn that avoid the vulnerability. If you ship bundles, you really really need to upgrade to v3.10.2 so you can ship safe bundles.
More details about the release are available in the Setup Matters blog post I wrote.
Download WiX v3.10.2 here.
WiX v3.10.1 is a maintenance release of WiX v3.10 with the following important fixes:
Download it here.
As you can see, we had a couple of problems with Windows XP support. Though I ran a few manual tests on XP during and at the end of v3.10, that wasn’t sufficient to uncover the bugs. Next time, I’ll put out an explicit call for testing support from folks still supporting Windows XP and Windows Server 2003. We’re going to need your help to keep bitrot at bay!
Here’s what Rob had to say about this release.
Update: WiX v3.10.1 has been released.
As planned, WiX v3.10 was released on (American) Labor Day. The RTM build is v188.8.131.523.
Download it here.
Update: Rob also had words about WiX v3.10.
Burn and WixStdBA
- @rseanhall updated the build to use the latest Sandcastle help-build tool and to acquire it via NuGet. [issue]
- @robmen added an error message that detects when strong-name verification skipping hasn’t been set up for a developer build. [pull request]
- @rseanhall made maintaining history easier by merging individual history messages into the master history.md. [pull request] [pull request]
- @robmen fixed an error message. [issue] [pull request]
- @heaths added support for the Windows 10 SDK. [pull request]
And the rest