Mass excitement this week: Plenty to triage and even more to talk about with WiX's first security update. With a little luck, we have some nice boring weeks ahead of us.

WiX v3.10.2 update

With January's Patch Tuesday behind us, our agreement with MSRC to not disclose a Windows vulnerability has lapsed. The Windows vulnerability can be manifested with a Burn bundle—as well as with almost every other installation engine and self-extractor available—in a way that is potentially serious. Because Burn gets elevation right—by elevating only when necessary, not up-front and always—it's harder for malware to get elevated privileges, but of course even being able to execute code as the user could be significant. Therefore, FireGiant committed the time to make a series of mitigations in Burn against this Windows vulnerability and release them as WiX v3.10.2 as soon as possible.

For information on the approach we took, see issue 5184, WIP 5184 and check out the live code review from this week's meeting for the corresponding pull request.

WiX v3.10.2.2516 is a release candidate for WiX v3.10.2 and contains this fix.

Issue triage