Today's meeting was extra exciting, as we got to discuss a potential security vulnerability and the effort to fix it.

Issue triage

  • Lineendings of a new *.wixproj, from @andorz, reports a problem with the line-ending characters in the Votive 2017 project templates. Luckily, the problem only appears when you edit the project in the text editor. Blair volunteered to investigate.

  • Failed to create communication pipe for new CA process. Error code: 231 - async CA, from @rolix7, shows a problem with DTF when using both synchronous and asynchronous managed-code custom actions. There's some global state in DTF, so it's possible this is a scenario that isn't supported. More investigation is needed, so we took the issue into WiX v4.x.

  • Error 0x80070570: Failed to extract all files from container, erf: 1:4:0, from @jozefizso, demonstrates that a bundle with a corrupted attached container fails to extract and, with WixStdBA, does not produce an especially useful error. We decided against verifying the bundle up-front; Burn already verifies payloads when it extracts them, so for a big bundle it would be a big up-front expense paid twice for a rare problem. Instead, we decided that WixStdBA should have an easy way to provide customized error messages instead of the standard system error text. We took the issue into WiX v4.x for that enhancement work.

  • Enhancement Request: Support for Kyrgyz Language in WixUI, from @Menelion, requests a new localization for the WixUI dialog library. As my personal language skills don't extend beyond English, college French and Spanish, and a bit of rudimentary Klingon, we rely on experts to provide translations, which we happily integrate to share the work.

  • DLL Hijack Clean Room Bundle, from @robmen, brings us to the exciting news of the week...

Clean room redux

Remember the halcyon days of early 2016, when we discussed the Windows DLL-hijacking vulnerability and FireGiant's efforts to mitigate the bug? Welcome back! FireGiant received a report of a vulnerability in the Burn clean room. Though it requires malware to be running locally and isn't vulnerable to remote code execution, it does allow privilege escalation. Specifically, it allows malware to "piggy-back" on a Burn bundle that's launched with elevated privileges. We decided it was a serious vulnerability and Rob prepared a fix, which we reviewed and I merged.

Then the discussion moved to how to release the fix. In the end we decided to ship point releases: WiX v3.11.1 and v3.10.4, to ensure as little friction as possible and get the fix into as many hands as possible.

These builds, plus new weekly builds of WiX v3.14 and v4.0, should be out by Monday, 20-November. We'll decide at our next meeting (30-November) if those builds are ready to ship at RTM quality.