InstallSite Blog

News about Windows Installer 4.1 and 4.5

Microsoft is working on two new versions of Windows Installer (MSI):

Windows Installer 4.1

MSI 4.1 will be available in Windows Vista SP1 and Windows Server 2008. According to the Windows Installer SDK this version will not add any new features. Windows Server 2008 is currently in beta and expected to be released later this year.

Windows Installer 4.5

One of the goals in Windows Installer 4.5 is to improve installs that consist of multiple msi packages, thus enabling products to be split into more granular msi files. For this purpose it adds APIs that a chainer can call to install products in a multi-package transaction. So there will be Install and Rollback transactions across multiple msi files. In my understanding, the chainer itself will not be part of MSI 4.5 Instead Microsoft asked MSI tools vendors to support these new features in their products.

MSI 4.5 will also address servicing issues where uninstalling a patch could break if a component is shared across multiple products.

The MSI 4.5 redistributables will be available for Windows XP SP2 and above and will include the operating system independent features and fixes from MSI 4.0 which is only available on Windows Vista.

Beta registration for MSI 4.5 opened today, you can apply at the Microsoft Connect site, where Microsoft manages beta programs. The beta documentation should be posted there in July and the binaries in August. For mor information see the Windows Installer Team Blog. (Note that the white paper mentioned there is not yet available. Edit: the download link for the white paper is now working properly.)

Quest Software to acquire ScriptLogic

Quest Software, Inc. and ScriptLogic Corporation today announced a definitive agreement for Quest to acquire ScriptLogic in a cash transaction valued at approximately $90 million.

ScriptLogic is a leading provider of systems lifecycle management solutions for Windows-based networks. One of their products is Desktop Authority MSI Studio, a Windows INstaller repackaging and editing tool formerly known as MaSaI Installer.

Quest is a market-leading provider of database, applications, and Windows management solutions.

ScriptLogic will operate as a wholly-owned subsidiary of Quest with key members of the management team remaining in place following the acquisition.

For more information: 

• Press Release
• ScriptLogic homepage 
• Quest Software homepage

Macrovision preparing end-user patch for FLEXnet Connect/Update Service security issues

Updated information about the recent security vulnerability reports in Macrovision's FLEXnet Connect and InstallShield Update Service products: Product manager Trent Wheeler told me they are currently in the process of rolling out the fix for the two problems reported by US-CERT to customers of InstallShield, AdminStudio, and other Macrovision products that utilize the FLEXnet Connect product. 

And they are writing an additional patch, one that is appropriate for end-users of FLEXnet Connect to apply directly to the installed version of the agent rather than the intermediate consumers of the SDK. This will be made generally available to customers of Macrovision's products that utilize FLEXnet Connect, and to interested 3rd parties, as soon as it clears QA.

Related articles:

• Security vulnerability in FLEXnet Connect/InstallShield Update Service end user ActiveX control (reported May 31, 2007)
• Update on the FLEXnet Connect/InstallShield Update Service vulnerability
• Doubts about yet another FLEXnet Connect/InstallShield Update Service vulnerability report

AdminStudio offer - 13% off any maintenance bundle

A promotion offer is available until 6th July for Macrovision's AdminStudio: you get 13% off when ordering AdminStudio with a maintenance plan. This offer is valid for full products and upgrades to AdminStudio Standard, Professional or Enterprise edition when ordering bundled with a Bronze, Silver or Gold Maintenance Plan.

A maintenance plan is a cost effective way to buy support and product upgrades. Each maintenance plan allows unlimited support requests for 12 months (by web or phone, depending on the contract level), plus all new product releases for a full year. Still the premium for a maintenance plan - even without the current discount offer - is less than the price for a single upgrade.

Please contact the InstallSite Shop for a quote.

In-depth analysis of Vista UAC

An article has been posted at The Code Project that examines how UAC on Windows Vista operates behind the scenes, including a debug session of an elevation via the UAC prompt. It also shows how to work with UAC using manifests or the CreateProcess API, including source code.

In-depth analysis of Vista UAC and the creation of CreateProcess...Elevated() APIs

MSI Readiness Analyzer for Windows Vista

ScriptLogic offers a free tool called "MSI Readiness Analyzer for Windows Vista".

MSI Readiness Analyzer for Windows Vista is a free standalone utility for IT professionals which analyzes MSI application installers and highlights methods to prepare them for Windows Vista. MSI Readiness Analyzer shows where application installers can take advantage of new technology in Vista, and also where problems might occur.

You don't need to register for the download, not even your e-mail address. That's nice.

Niceness stops when you read the EULA:

ScriptLogic, or its representative, may audit your usage of the Software at any of your facilities.  ScriptLogic may make copies of any information as part of the audit, and you will cooperate with such audit.

Scary. But I still proceeded because I wanted to give the tool a try.

The analyzer runs validation quite similar to the ICE validation tools available elsewhere. It does some extra checks, but with questionable value in my opinion. Plus they mix the output with  advertisement for their paid product, like:

• Vista's Restart Manager will be enabled for this installation. Using Desktop Authority MSI Studio you can disable it.
• A restart will occur if one is required. Using Desktop Authority MSI Studio you can change this behavior to always require a reboot, or to never reboot.

However in my test the analyzer didn't report a deferred custom action that was set to run with impersonation instead of system context, which is one of the most common problems that cause setups to fail on Windows Vista. So the tool is of no use for me.

http://www.scriptlogic.com/products/msi-readiness-analyzer/

Advanced Installer 5.0 Released

Catalin Rotaru of Caphyon Ltd. sent me this press release:

On June 12th, 2007 Caphyon LLC released a new version of their Windows Installer authoring tool, Advanced Installer. The 5.0 version greatly simplifies the task of creating MSI installers for applications already using other install engines by offering the ability to painlessly capture and repackage existing installations.

Another major development in this version is the ability to build multiple installers from a single project, allowing you to easily create different packages from a single source, customized for your various deployment scenarios.

Support for the JRockit JRE, a Browse for File predefined custom action, together with countless other enhancements and bug fixes wrap up another milestone release of the flagship Windows Installer authoring tool, Advanced Installer.

Caphyon Website

You can order Advanced Installer via InstallSite

Doubts about yet another FLEXnet Connect/InstallShield Update Service vulnerability report

On June 4th TippingPoint, a provider of network-based intrusion prevention systems, reported a new buffer overflow vulnerability that affects Macrovision FLEXnet Connect version 6 and InstallShield Update Service versions 3-5.

TippingPoint Vulnerability Report

What puzzles me is the CLSID of the vulnerable ActiveX control: 85A4A99C-8C3D-499E-A386-E0743DFF8FB7. I couldn't find this CLSID in my registry. But instead I found reports which associate this CLSID with a vulnerable Yahoo Mesenger ActiveX control: US-CERT Vulnerability Note VU#388377

According to the TippingPoint review the vulnerable ActiveX control is in the file boisweb.dll. I don't have this file on my computer either, and I've never seen such a file. Searching the web for this file name found many copies and quotes of this vulnerability report, but nothing else.

This really makes me wonder how reliable this report from TippingPoint is. But they say you should be safe if you install the latest version of the FLEXnet Connect SDK which you should do anyway to address the other vulnerability.

Update on the FLEXnet Connect/InstallShield Update Service vulnerability

While doing some research on the security vulnerability in FLEXnet Connect and InstallShield Update Service I checked several versions of the agent.exe redistributable and it seems that it's using different CLSIDs in each release. The US-CERT advisory recommends setting the kill-bit for the control. But since its CLSID keeps changing this is quite difficult. The CLSID listed in the US-CERT article appears to apply only to the latest (= fixed) version. So (unless I'm mistaken, which is quite possible) the kill-bit workaround from US-CERT will NOT work and you are still vulnerable.

Security vulnerability in FLEXnet Connect/InstallShield Update Service end user ActiveX control (reported May 31, 2007)

The United States Computer Emergency Readiness Team (US-CERT) reports a newly found security vulnerability in Macrovision's FLEXnet Connect. It also affects end user machines where the update agent has been installed, which many setups created with InstallShield do by default.

FLEXnet Connect includes an ActiveX control called DWUpdateService, which is provided by the file agent.exe. This ActiveX control fails to restrict access to its methods, which can allow a remote, unauthenticated attacker to execute arbitrary commands on a vulnerable system.

US-CERT Vulnerability Note VU#524681

Reportedly the vulnerability affects FLEXnet Connect 6.0 and InstallShield Update Service 3.x to 5.x. Macrovision released an update for this file, which had previously been affected by another vulnerability (US-CERT VU#847993):

FLEXnet Connect 6.0 Security Patch

If you are using the affected products, you should install the update and also deploy it to your customer base as soon as possible.