There are two high-risk security holes in Windows Installer XML (WiX). Updated versions of the open source installer toolset close them. Anyone who uses WiX should install the updates promptly.
If an installer created with WiX uses the function RemoveFolderEx, users with limited rights can get protected directories deleted. The function is intended to delete an entire directory tree during installation or uninstallation. An attacker could create a directory junction in a user directory that points to a machine-wide, protected directory; when an administrator runs the installer, that protected directory is deleted (CVE-2024-29188, CVSS 7.9, risk "high").
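The defensive pattern behind the fix is that a directory-tree deletion must never follow a link or junction out of the tree it was asked to remove. The following added Python example (not WiX code and not taken from the project) shows a deletion routine that unlinks links instead of traversing them and aborts if any path resolves outside the root. On Linux a symlink stands in for the Windows directory junction; the `demo()` function builds a constructed layout in a temporary directory in which a planted link points at a "protected" folder outside the tree.

```python
import os
import stat
import tempfile
from pathlib import Path


def is_reparse_point(path: str) -> bool:
    """True for a symlink or, on Windows, any reparse point such as a junction."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    # Windows only: junctions/mount points carry a reparse tag; treat them like links.
    return getattr(st, "st_reparse_tag", 0) != 0


def _unlink_link(path: str) -> None:
    """Remove the link entry itself without touching whatever it points to."""
    if os.name == "nt":
        # Junctions and directory symlinks are directory entries on Windows;
        # rmdir on them removes the entry, never the target's contents.
        try:
            os.rmdir(path)
            return
        except OSError:
            pass
    os.unlink(path)


def _remove_contents(dirpath: str, root_real: str, counts: dict) -> None:
    real = os.path.realpath(dirpath)
    if real != root_real and not real.startswith(root_real + os.sep):
        raise RuntimeError(f"refusing to continue: {dirpath} resolves outside the root")
    with os.scandir(dirpath) as it:
        entries = list(it)
    for entry in entries:
        if is_reparse_point(entry.path):
            _unlink_link(entry.path)          # planted junction/symlink: drop the entry only
            counts["links"] += 1
        elif entry.is_dir(follow_symlinks=False):
            _remove_contents(entry.path, root_real, counts)
            os.rmdir(entry.path)
            counts["dirs"] += 1
        else:
            os.unlink(entry.path)
            counts["files"] += 1


def safe_remove_tree(root: str) -> dict:
    """Delete the tree at root without ever following a link out of it.

    Returns counters for files and directories removed and links unlinked.
    """
    if is_reparse_point(root):
        raise ValueError(f"refusing to delete: {root} is itself a link or junction")
    counts = {"files": 0, "dirs": 0, "links": 0}
    _remove_contents(root, os.path.realpath(root), counts)
    os.rmdir(root)
    counts["dirs"] += 1
    return counts


def demo() -> dict:
    """Constructed scenario: a user-writable tree containing links to a protected folder."""
    with tempfile.TemporaryDirectory() as base:
        protected = Path(base, "protected")       # stands in for a machine-wide directory
        protected.mkdir()
        (protected / "keep.txt").write_text("must survive")
        user_dir = Path(base, "userdir")          # the tree the installer is asked to remove
        (user_dir / "a").mkdir(parents=True)
        (user_dir / "a" / "b.txt").write_text("package file")
        # Planted links: one directory link and one file link, both escaping the tree.
        os.symlink(protected, user_dir / "a" / "planted", target_is_directory=True)
        os.symlink(protected / "keep.txt", user_dir / "flink")
        counts = safe_remove_tree(str(user_dir))
        return {
            "counts": counts,
            "user_dir_gone": not user_dir.exists(),
            "protected_intact": (protected / "keep.txt").read_text() == "must survive",
        }


if __name__ == "__main__":
    print(demo())
```

The same idea is what `shutil.rmtree` applies since Python 3.8, which removes junctions on Windows without recursing into them; the explicit version above makes the escape check and the link handling visible, so it can be audited and reused in custom uninstall actions.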
Files can be added to WiX installers
In addition, because WiX uses the unsafe directory C:\Windows\Temp to store and load executable files, users with low rights can place binaries there that are then executed with SYSTEM rights (CVE-2024-29187, CVSS 7.3, high).
Those who have built with WiX Installer should update their software and ideally also rebuild installation packages created with it. WiX 3.14.1 and 4.0.5 contain the fixes. There are several ways to update to the new version. The easiest way to install it globally is to run
dotnet tool install --global wix --version 4.0.5
and locally through the command
dotnet new tool-manifest # if you are setting up this repo
dotnet tool install --local wix --version 4.0.5
in the .NET command line, as Microsoft's developers write on the WiX project page.
The WiX project was the first that Microsoft released under an open source license, which caused quite a stir in 2004. After a few detours, WiX ended up in Microsoft's NuGet.org .NET repository system in 2014.
(dmk)