A repair is really just another (re)install.  You could extract them again.  If 
you call installed files,  it can sometimes get tricky if you need to reference 
them late during the uninstall... the files could be gone by the time you need 
them.    This scenario, the desire to hide/not persist the files while not 
installing and the desire to consume files during the UI sequence prior to 
installation are the three main triggers that drive me to use this type of 
pattern.
   
  Also it should be noted that the code injection risk can also occur if a 
SysAdmin either enables the always elevate policy or grants non-priv users 
modify to the file share containing the MSI.   I still feel that the risk is 
minimal and that it's much easier to just boot off of a usb key or cdrom 
and run ntpassword than build the MSI domain knowledge needed to pull off this 
type of exploit.
  

Neil Enns <[EMAIL PROTECTED]> wrote:
  Ah. So let’s make sure we’re clear, there’s a difference 
between asking for “can I write files during install to a temporary location” 
vs. “can I clean up some files I’ve installed to program files after install” :)
   
  Good point on the repair, I guess we’ll leave the files around.
   
  Neil
   
      From: Bob Arnson [mailto:[EMAIL PROTECTED] 
Sent: May-16-08 8:42 AM
To: Neil Enns
Cc: Rob Mensching; wix-users@lists.sourceforge.net
Subject: Re: [WiX-users] Temporary files in WiX?


   
  Neil Enns wrote: 
    Thanks for the details, Rob. It sounds like from what you write below that the 
security issue exists regardless of whether the files are temporary, correct? 
Any time you have an installer that writes files to a disk, then executes them 
via a deferred custom action, the vulnerability would be there?

  
No, because Program Files is a "secure" location. To write to it, you'd already 
need to be admin.



    In our specific case, the files we're laying down on disk are the DirectX 
9.0c redist files we need, then we execute them at the end of our setup. 

  
In FlightSim, I leave the files installed so I can run repair. FWIW.



-- 

sig://boB

http://joyofsetup.com/

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft 
Defy all challenges. Microsoft(R) Visual Studio 2008. 
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
WiX-users mailing list
WiX-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wix-users
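
The first message in this thread names two conditions that open the code injection risk: the always elevate policy and non-privileged modify rights on the share holding the MSI. The PowerShell below audits both; it is an added example, not part of the original thread, and the share path and the list of trusted SIDs are assumptions to adjust.

```powershell
# Added example. $MsiSharePath is a constructed placeholder; point it at the
# directory or UNC path that actually hosts the MSI.
param([string]$MsiSharePath = '\\fileserver\installs')

function Test-AlwaysInstallElevated {
    # The policy takes effect only when the value is 1 in BOTH hives.
    # HKCU here is the hive of the user running this script.
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
            'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    foreach ($key in $keys) {
        $item = Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        if ($null -eq $item -or $item.AlwaysInstallElevated -ne 1) { return $false }
    }
    return $true
}

function Get-UntrustedWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    # Rights that let a principal replace or tamper with the package, plus the
    # GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits.
    $rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    $mask = ([int]$rights) -bor 0x10000000 -bor 0x40000000
    # Assumption: only SYSTEM, BUILTIN\Administrators and Domain Admins (RID 512)
    # are expected to hold write access.
    $trusted = '^(S-1-5-18|S-1-5-32-544|S-1-5-21-.+-512)$'
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights) -band $mask) -ne 0 -and
            $_.IdentityReference.Value -notmatch $trusted
        } |
        Select-Object @{n='Sid';e={$_.IdentityReference.Value}}, FileSystemRights, IsInherited
}

if (Test-AlwaysInstallElevated) {
    Write-Warning 'AlwaysInstallElevated is enabled in both HKLM and HKCU.'
}
# This inspects the NTFS ACL only; SMB share-level permissions are separate.
$findings = @(Get-UntrustedWriteAce -Path $MsiSharePath)
if ($findings.Count -gt 0) {
    Write-Warning "Non-administrative principals can modify $MsiSharePath"
    $findings | Format-Table -AutoSize
}
```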


       