KB2918614 which is part of the August patch Tuesday is released to solve a security issue in Windows Installer. What it does is change the way that Windows Installer handles repairs and advertised shortcuts as well. The description for the update doesn’t provide that much information.
UPDATE!! a workaround is described below
This security update resolves a privately disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application that attempts to repair a previously-installed application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
Normally a user could repair an application from the control panel without any additional permissions but after the update is applied if you try to repair for instance Adobe Reader you will, depending on your UAC setting be prompted for credentials.
This has caused some headache for many the last weeks not just for the auto-repair but for all using Activesetup and launches a msiexec.exe command in there to apply the users settings at first logon, and for advertised shortcuts as well.
Uninstalling the update brings back the normal behavior of Windows Installer again.
UPDATE!!
Thanks to HappySCCM http://happysccm.com/kb2918614-uac-gate/ who have posted the answer from Microsoft and a valid workaround..
Below if from HappySCCM’s site!
Microsoft:
This security update resolves a privately disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application that attempts to repair a previously-installed application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
Workaround if you have problems with repairing application:
==================================================
1. Uninstall the application and reinstall it with the security update installed. (sourcehash file generated with security update)2. Manually copy the sourcehash file to c:\windows\installer folder. As the sourcehash file is generated based on the application files, the sourcehash file generated on computer A can be used on computer B.
Below is a screenshot of the sourcehash file:
Just tested it and it works fine if you uninstall/install Adobe Reader again. After the installation the sourcehash file is generated and after that the repair is successful again.
Then at least newly installed computers can have the Update installed as it will not affect them.
Thanks for sharing HappySCCM!!
I just tested this out with a package I have that uses active setup to run msiexec /fup to put a file and reg key in the user profile and did not get the UAC prompt (local standard user account on Win8.1 Pro). So I’m not worrying about this for now but thanks for the heads up and I’ll keep an eye out for it!
Tested again with Windows 7 this time, self-heal, active setup, and repair via control panel all work for a standard user at my end. Interested to know how you managed to get the UAC prompt – I guess I could try Adobe Reader as pictured in the article!
Could it be that you just installed that computer/application after the update was installed.
/Jörgen
Indeed, it seems this issue only affects MSIs installed before the patch which is why I wasn’t seeing it!
No, this issue also affects MSI’s installed after the patch: I had it on my PC after I installed the patch and installed an application which needed a user-repair: bingo!