An unpleasant first: We had to release a security update for the WiX Toolset. Here’s the recipe:
- 1 serving of DLL hijacking – a really bad Windows vulnerability because Windows first searches the directory an .exe comes from for any DLLs it needs.
- 1 serving of drive-by downloading – the ability for evil Web sites to download DLLs to the same directory non-evil sites download your delicious bundles.
That’s it, really. Bake and serve and suddenly every executable is potentially a carrier for malware.
WiX v3.10.2 contains mitigations for Burn that avoid the vulnerability. If you ship bundles, you really really need to upgrade to v3.10.2 so you can ship safe bundles.