> -----Original Message----- > From: Rob Mensching [mailto:r...@robmensching.com] > Sent: Wednesday, May 09, 2012 05:44 > To: General discussion for Windows Installer XML toolset. > Subject: Re: [WiX-users] Bundle fails on WIN2K machine ".exe is not a valid > Win32 application" > > To pass a security review at Microsoft, the VS2010 CRT must be used. The > VS2010 CRT has the latest security defenses built in. Unfortunately, the > VS2010 CRT does not run on Win2K. The bad error message actually happens > in the VS2010 CRT. Our code in Burn doesn't even have the opportunity to > load.
A simple VC2008 C program could do something like this, as a sort of bootloader-for-the-bootloader: 1. Check version of Windows. 2. If Win2000 or Win XP before SP3, throw friendly error message and exit. (maybe ShellExecute to user's default browser for Windows Update if on XP) 3. Extract the contained Burn installer (note: does not go and get from Internet!). 4. Launch the VS2010 compiled Burn. The idea is to just do a version check, and then start the real installer. Of course, newer VS versions introduce new security features so I understand and support the idea behind this policy for large applications. But this is a simple application whose scope will be very limited. I would think a very thorough code review should uncover any issues. (Besides, how are you going to attack a dumb *bootloader* like this that doesn't even communicate?) This is especially a critical point because it's the very first thing the user sees, as a "first run out-of-box" experience. A "broken" installer with an obscure error message means the user will just move on. Also, because Burn is going to be widely used within Microsoft and ISVs, this is going to be a very common problem - all the more reason to fix it. If exceptions to this rule can't be made for cases like this then I think someone up top needs their head checked. As it stands now, I guess every WiX customer who wants to address this issue is going to have to reinvent the wheel that I have just proposed, just because of this policy. > Next version will be even more interesting since last I checked VS11 CRT only > supports Win7+ (which I believe cuts support for WinXP SP3 and Vista before > they are out of service). Vista too?! That pretty much rules out every PC older than a couple years old... let's say 3 years by the time VS11 releases... unless the user upgraded from Vista to 7. That's just out of touch with reality - I know a lot of people who (1) own computers more than a couple years old, (2) don't have the money to buy a new one, (3) don't have the expertise or money to upgrade to Windows 7. People like us who are comfortable upgrading to the latest Windows operating system are the exception - not the rule. (Perhaps Apple has found the secret, with frequent easy-to-install $29 upgrades?) Most people I know don't buy new computers every couple years. That includes myself - at home, I was running Vista on both my personal laptop and desktop until earlier this year. That's because Vista was good enough and I wasn't anxious enough to spend $$$ and time reformatting to get the fancy new Windows 7 taskbar. Unfortunately, both computers experienced hard drive crashes and now I have a new Win7 laptop; the desktop hasn't been addressed yet. Had I not experienced these hardware failures, I'd likely still be running Vista when VS11 comes out. (I never really understood/understand all the hate directed against Vista, and the love directed towards Windows 7. They are very similar operating systems. I suspect Vista got an unfair bad rap because the independent hardware vendors / independent software wasn't ready yet for the big changes; by the time Win7 came around, they had their act together. I used Vista even before SP1 came out and didn't really have any big complaints.) ------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users
