CCMEXEC.COM – System Center blog

CCMEXEC.COM – by Jörgen Nilsson


KB2918614, which is part of the August Patch Tuesday, was released to fix a security issue in Windows Installer. It also changes the way Windows Installer handles repairs and advertised shortcuts. The description of the update doesn’t provide much information.

UPDATE!! A workaround is described below.

This security update resolves a privately disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application that attempts to repair a previously-installed application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

Normally a user can repair an application from Control Panel without any additional permissions, but after the update is applied, if you try to repair for instance Adobe Reader, you will be prompted for credentials, depending on your UAC setting.

This has caused headaches for many over the last few weeks, not just for auto-repair but for everyone who uses Active Setup to launch an msiexec.exe command that applies the user's settings at first logon, and for advertised shortcuts as well.

Uninstalling the update brings back the normal behavior of Windows Installer again.

UPDATE!!

Thanks to HappySCCM http://happysccm.com/kb2918614-uac-gate/ who has posted the answer from Microsoft and a valid workaround.

Below is from HappySCCM’s site!

Microsoft:

This security update resolves a privately disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application that attempts to repair a previously-installed application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
Workaround if you have problems with repairing an application:
==================================================
1. Uninstall the application and reinstall it with the security update installed. (sourcehash file generated with security update)

2. Manually copy the sourcehash file to c:\windows\installer folder. As the sourcehash file is generated based on the application files, the sourcehash file generated on computer A can be used on computer B.

Below is a screenshot of the sourcehash file:

Just tested it and it works fine if you uninstall/install Adobe Reader again. After the installation the sourcehash file is generated and after that the repair is successful again.


Then at least newly installed computers can have the update installed, as it will not affect them.

Thanks for sharing HappySCCM!!
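
An added example (not from the original post or from HappySCCM) that lists the MSI-installed products on a machine that have no sourcehash file yet, i.e. the candidates for the reinstall-or-copy workaround above. It assumes the file is named `SourceHash{ProductCode}` directly under `C:\Windows\Installer`; the function name is hypothetical.

```powershell
# Added example: find MSI products that still lack a sourcehash file.
# Assumption (not stated in the post): the file is named SourceHash{ProductCode}
# and sits directly in %windir%\Installer.
$installerDir  = Join-Path $env:windir 'Installer'
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-MsiSourceHashStatus {   # hypothetical helper name
    param([string]$InstallerPath = $installerDir)

    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            # WindowsInstaller = 1 marks MSI-based installs; for those the
            # registry key name is the ProductCode GUID.
            $_.WindowsInstaller -eq 1 -and
            $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$'
        } |
        ForEach-Object {
            $hashFile = Join-Path $InstallerPath ('SourceHash' + $_.PSChildName)
            [pscustomobject]@{
                DisplayName   = $_.DisplayName
                ProductCode   = $_.PSChildName
                SourceHash    = $hashFile
                HasSourceHash = Test-Path -LiteralPath $hashFile
            }
        } |
        Sort-Object -Property ProductCode -Unique
}

# Products without a sourcehash file were installed before the update and
# are the ones to reinstall, or to copy a sourcehash file for.
Get-MsiSourceHashStatus |
    Where-Object { -not $_.HasSourceHash } |
    Sort-Object DisplayName |
    Format-Table DisplayName, ProductCode -AutoSize
```

Running it again after applying either workaround step confirms that the product has dropped off the list.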

At TechEd North America 2014 in Houston I had time to look at Advanced Installer in the Expo Hall, and I was impressed by the demo. I have always recommended Flexera AdminStudio as the tool to use for repackaging in the projects that I am involved with, as it is a very powerful tool for repackaging software to Windows Installer packages/App-V packages.

Advanced Installer in the latest version looks like it could be an alternative to AdminStudio as there are many new features, App-V support, Snapshot support and so on.

I also have a feeling that many Flexera AdminStudio users, admins that do repackaging, don’t really use all the features in AdminStudio and that Advanced Installer could be a less expensive option than AdminStudio and provide enough features.

From a licensing perspective Advanced Installer is interesting as well: if you are a consultant or an organization that repackages applications for customers, there is no additional license cost in these scenarios for Advanced Installer. You can package applications using your license and sell them or give them to your customers.

If you haven’t had a look at it before, more information on Advanced Installer can be found here: http://www.advancedinstaller.com/

Here is a short video on how to repackage 7-zip using Advanced Installer:

Here are some other free options, some with limited functionality, but all available out there for repackaging your applications/scripts or whatever tweaks you are doing to .MSI:

InstEd: http://www.instedit.com/

AdminStudio Configuration Manager Edition: http://www.flexerasoftware.com/landing/adminstudio-configuration-manager-download.html

Orca (the true hardcore tool): http://www.technipages.com/download-orca-msi-editor

AdvancedInstaller free: http://www.advancedinstaller.com/download.html