WiX v3.10.4 and WiX v3.11.1 are important security releases of WiX. We strongly encourage all users of WiX to upgrade to WiX v3.11.1. If you must remain on a WiX v3.10 release, we highly recommend upgrading to WiX v3.10.4.
WiX v3.10.4 and WiX v3.11.1 released
Sunday, December 31, 2017
This security release addresses a DLL hijacking vulnerability in Burn introduced in WiX v3.10.2—ironically while fixing a more prevalent DLL hijacking vulnerability. This vulnerability differs from the previous vulnerability as it requires malicious code to already be executing. Thus it is not a remote execution vulnerability but can be used to escalate privileges.
The fix is a small code change to protect bundles when launched elevated. There are no additional changes.