DLL Redirection Attack: How is this one different? #7993
Replies: 1 comment
-
We haven't released specific details as Windows is still reviewing the MSRC. We decided to release our fix with fewer details because the issue was initially reported in a public forum (instead of properly opening a security advisory). That forced us to respond more quickly than we'd prefer (aka: faster than Windows could complete their review). This attack vector is a novel exploit of Windows. It is not mitigated by the previous defenses we've added to Burn. The end result is essentially identical to those attacks, though. An attacker can use an elevating executable to get malicious code running elevated. Note: This attack vector is not unique to installers, although we are a popular initial target. In a few weeks (after Windows has time to address the issue), I hope to do a detailed breakdown of how any executable that elevates can be attacked with this method.
-
It has been recently announced that WiX is vulnerable to DLL redirection attacks, allowing privilege escalation when a bundle is run unelevated. Consumers need to move to the latest patched versions. My question is: How is this change different than the one addressed some time ago for what looks like the same issue? Specifically, is it all bundles that kick off unelevated, or only ones that do a certain in a certain way?
I am hopeful that the clarification here can help me limit down the affected scope of previously built bundles that need to be serviced. I apologize if I got some terms/understandings incorrect.