InstallSite Blog

Automate Releases With MSBuild And WiX

This article by Sayed Ibrahim Hashimi from the March 2007 issue of MSDN Magazine is available online in multiple languages.

WiX Tricks: Automate Releases With MSBuild And Windows Installer XML

This article discusses:
- An overview of Windows Installer XML
- Creating WiX packaging instructions
- Integrating WiX and MSBuild
- Automating builds and packaging

Article at MSDN

Sayed Ibrahim Hashimi is the author of the book Deploying .NET Applications. Learning MSBuild and ClickOnce

Introduction to ClickOnce video presentation

This is a 45 minutes video + slides recording of a presentation at the JAOO european developer conference. Microsoft C# MVP Cathi Gero talks about the problems that ClickOnce addresses and how it works.

Deploying & Maintaining Smart Client Apps using ClickOnce

ClickOnce, part of version .NET 2.0, allows the deployment of Windows-based rich client apps by placing the app files on a Web or file server and providing the user with a link. This session covers VS 2005 deployment capabilities for online and offline support, rolling back to previous versions of an app, listing an app in the Start Menu and control panel, and zone-based debugging.

Presentation recording at InfoQ

FrontRange acquires enteo (NetInstall)

FrontRange Solutions USA Inc. has signed an agreement to acquire German based enteo Software, Inc.

enteo offers solutions for patch management, software distribution for operating systems and applications, license management and compliance, and configuration management, known by the name "NetInstall".

FrontRange offers solutions for IT service management, customer relationship management (CRM), and Voice applications.

The companies plan to combine their PC lifecycle management and IT service management solutions into one highly-integrated product range. The enteo site in Germany will continue to be the development and competence center for PC Lifecycle Management.

Some of you may remember a short episode a couple of years ago when InstallShield (now Macrovision) sold NetInstall products in the USA.

enteo press release

FrontRange press release

A Windows Installer Database Diff Tool

This tool is a command line utility that will generate a Diff report of two Windows installer databases. It outputs XML and HTML versions and supports both MSM and MSI databases. It was posted on Code Project more than two years ago.

A Windows Installer Database Diff Tool

Security Vulnerabilities in InstallShield Runtime Files on End User Machines

The United States Computer Emergency Readiness Team (US-CERT) reported critical security vulnerabilities in two ActiveX controls and a Netscape plug-in that InstallShield/Macrovision products install on end user machines. According to the reports the vulnerabilities can be exploited execute arbitrary code if the victim views a specially crafted HTML document, e.g. a web page or an HTML e-mail.

The affected products are:

FLEXnet Connect / InstallShield Update Service

The InstallShield Update Service Web Agent ActiveX control contains a buffer overflow, which could allow an attacker to execute arbitrary code on a vulnerable system. InstallShield Update Service is now called FLEXnet Connect.

US-CERT Report

Macrovision has released a patch to solve this problem based on version 6.0 of the FLEXnet Connect Windows agent. This does not affect the Java agent. It is recommended that you deploy this patch as soon as possible to your customer base. An e-mail with instructions has been sent to FLEXnet Connect customers.
Alternatively you can set the kill bit for the affected ActiveX control as described in the US-CERT report.

InstallFromTheWeb (IFTW)

The InstallShield InstallFromTheWeb ActiveX control and Netscape plug-in both contain multiple buffer overflows, which could allow an attacker to execute arbitrary code on a vulnerable system.

US-CERT Report

Macrovision sent me the following reply when I asked them for a comment on the IFTW vulnerability:

Regarding InstallFromTheWeb, our position is that InstallFromTheWeb is an obsolete product from Macrovision.  This product has already passed it's end-of-life period, therefore Macrovision is no longer supporting this product.
We recommend, where it makes sense, that all IFTW customers use the current version of InstallShield, InstallShield 12, instead of InstallFromTheWeb.  InstallShield 12 does not have the vulnerability issue.

InstallFromTheWeb was sold as a product from 1997 through early 2000, when it was replaced by One-Click Installs (OCI) in InstallShield Professional 6.2.

The workaround for the IFTW vulnerability is setting the kill bit for the affected ActiveX control, or deleting the Netscape plug-in, respectively, as described in the US-CERT report.