There is a Windows DLL redirection behavior that an attacker could use to escalate privileges using a Burn bundle. All versions of WiX are affected by this vulnerability. FireGiant has prepared mitigations for this behavior that we're releasing today in WiX v4.0.4 and WiX v3.14. We recommending upgrading to these versions as soon as possible.
Back in 2016, we spent a considerable amount of time developing Burn mitigations to a DLL hijacking vulnerability in Windows. At the end of 2017, we did so again with another DLL hijacking vulnerability. This new vulnerability is a DLL redirection vulnerability and, like the one we fixed in 2017, requires that malicious code already be running to perform the actions needed to trigger the DLL redirection vulnerability. But it's possible for such malware to gain elevated privileges when the user elevates the bundle for installation.
We've made this fix public because the original security report was public. You can read the security advisory here. FireGiant opened an incident with the Microsoft Security Response Center to alert Microsoft to the Windows behavior and our mitigations in Burn. Until Microsoft has released details about it, we aren't going to discuss details about the vulnerability.
To mitigate a DLL redirection attack, Burn terminates immediately when it detects such an attack is possible. The exit code in that case is -2114713647 (0x81F407D1).
WiX v4.0.4 and v3.14 security releases
WiX v3 is not the future
Now that WiX v4 has been out for almost a year and WiX v5 is nearing release, it's time to put WiX v3 out to pasture. WiX v3 is approaching its fifteenth birthday. (WiX v3.0.5419.0 was released 19-June-2009!) In software terms, that's ancient -- even as we've done eight releases to keep it running smoothly (he says modestly).
So we're giving WiX v3 a deadline (literally). Today's release of WiX v3.14.xxxxx starts the one-year clock: After 6-Feb-2025, there will be no future security fixes released in the WiX v3 line.
FireGiant customers get WiX v3 support based on their support contract -- likewise with WiX v4 now and WiX v5 coming soon.