> -----Original Message-----
> From: Rob Mensching [mailto:r...@robmensching.com]
> Sent: Wednesday, May 09, 2012 05:44
> To: General discussion for Windows Installer XML toolset.
> Subject: Re: [WiX-users] Bundle fails on WIN2K machine ".exe is not a
> valid Win32 application"
> 
> To pass a security review at Microsoft, the VS2010 CRT must be used. The
> VS2010 CRT has the latest security defenses built in. Unfortunately, the
> VS2010 CRT does not run on Win2K.  The bad error message actually happens
> in the VS2010 CRT. Our code in Burn doesn't even have the opportunity to
> load.

A simple VC2008 C program could do something like this, as a sort of
bootloader-for-the-bootloader:

1.  Check version of Windows.
2.  If Win2000 or Win XP before SP3, throw friendly error message and exit.
(maybe ShellExecute to user's default browser for Windows Update if on XP)
3.  Extract the contained Burn installer (note: does not go and get from
Internet!).
4.  Launch the VS2010 compiled Burn.

The idea is to just do a version check, and then start the real installer.

Of course, newer VS versions introduce new security features so I understand
and support the idea behind this policy for large applications.  But this is
a simple application whose scope will be very limited.  I would think a very
thorough code review should uncover any issues.  (Besides, how are you going
to attack a dumb *bootloader* like this that doesn't even communicate?)
This is especially a critical point because it's the very first thing the
user sees, as a "first run out-of-box" experience.  A "broken" installer
with an obscure error message means the user will just move on.  Also,
because Burn is going to be widely used within Microsoft and ISVs, this is
going to be a very common problem - all the more reason to fix it.

If exceptions to this rule can't be made for cases like this then I think
someone up top needs their head checked.  As it stands now, I guess every
WiX customer who wants to address this issue is going to have to reinvent
the wheel that I have just proposed, just because of this policy.

> Next version will be even more interesting since last I checked VS11 CRT
> only supports Win7+ (which I believe cuts support for WinXP SP3 and Vista
> before they are out of service).

Vista too?!  That pretty much rules out every PC older than a couple years
old... let's say 3 years by the time VS11 releases... unless the user
upgraded from Vista to 7.  That's just out of touch with reality - I know a
lot of people who (1) own computers more than a couple years old, (2) don't
have the money to buy a new one, (3) don't have the expertise or money to
upgrade to Windows 7.  People like us who are comfortable upgrading to the
latest Windows operating system are the exception - not the rule.  (Perhaps
Apple has found the secret, with frequent easy-to-install $29 upgrades?)

Most people I know don't buy new computers every couple years.  That
includes myself - at home, I was running Vista on both my personal laptop
and desktop until earlier this year.  That's because Vista was good enough
and I wasn't anxious enough to spend $$$ and time reformatting to get the
fancy new Windows 7 taskbar.  Unfortunately, both computers experienced hard
drive crashes and now I have a new Win7 laptop; the desktop hasn't been
addressed yet.  Had I not experienced these hardware failures, I'd likely
still be running Vista when VS11 comes out.

(I never really understood/understand all the hate directed against Vista,
and the love directed towards Windows 7.  They are very similar operating
systems.  I suspect Vista got an unfair bad rap because the independent
hardware vendors / independent software wasn't ready yet for the big
changes; by the time Win7 came around, they had their act together.  I used
Vista even before SP1 came out and didn't really have any big complaints.) 
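
Steps 1 and 2 of the list in the message above, as an added C example (not part of the original message, and not WiX or Burn code). The function names, the message strings and the choice to let version 5.2 and later pass are assumptions; the code is kept to C89 so an older compiler such as VC2008 accepts it.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

typedef enum { OS_OK = 0, OS_TOO_OLD = 1, OS_NEEDS_SP = 2 } os_gate_t;

/* Pure decision function, so the rule can be checked without Windows.
 * Version numbers: Windows 2000 = 5.0, Windows XP = 5.1, Vista = 6.0. */
os_gate_t check_os(unsigned major, unsigned minor, unsigned sp_major)
{
    if (major < 5 || (major == 5 && minor == 0))
        return OS_TOO_OLD;               /* Win2000 and anything older */
    if (major == 5 && minor == 1 && sp_major < 3)
        return OS_NEEDS_SP;              /* XP RTM, SP1, SP2 */
    return OS_OK;                        /* assumption: 5.2 and later pass */
}

/* Hypothetical user-facing text for each blocked case. */
const char *gate_message(os_gate_t g)
{
    switch (g) {
    case OS_TOO_OLD:  return "This installer requires Windows XP SP3 or later.";
    case OS_NEEDS_SP: return "Please install Windows XP Service Pack 3, then run setup again.";
    default:          return "";
    }
}

int main(void)
{
    unsigned major = 5, minor = 1, sp = 2;   /* constructed sample: XP SP2 */
    os_gate_t g;
#ifdef _WIN32
    OSVERSIONINFOEXA vi;
    ZeroMemory(&vi, sizeof vi);
    vi.dwOSVersionInfoSize = sizeof vi;
    major = minor = sp = 0;                  /* fail closed if the query fails */
    if (GetVersionExA((OSVERSIONINFOA *)&vi)) {
        major = vi.dwMajorVersion; minor = vi.dwMinorVersion; sp = vi.wServicePackMajor;
    }
#endif
    g = check_os(major, minor, sp);
    if (g != OS_OK) {
        fprintf(stderr, "%s\n", gate_message(g));
        return 1;
    }
    /* Steps 3-4 (extract and launch the contained installer) would follow here. */
    return 0;
}
```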

