WiX v3.10.2 is the latest recommended maintenance release of WiX v3.10 with a series of mitigations for a serious Windows vulnerability affecting all bootstrapper bundles. We strongly recommend upgrading to WiX v3.10.2 so you can ship safe bundles.
For more information about the vulnerabilities, the mitigations, and the release, see "WiX v3.10.2 released".
There are two breaking changes due to this security fix:
- A bundle cannot be named Setup.exe. When an executable is named Setup.exe, Windows loads additional DLLs in an insecure manner. To prevent such a guaranteed vulnerability, Light.exe now yields an error if the bundle output is named Setup.exe. As Setup.exe might be a common file name, this breaking change is especially annoying. Unfortunately, Windows loads the additional DLLs in a way that Burn code cannot mitigate.
- The process that loads the bootstrapper application is no longer the process the user started. Attempts to use ::GetModuleFileName to locate the source media (i.e., with loose files next to the bundle .exe) will fail. A workaround is to use the new WixBundleSourceProcessPath and WixBundleSourceProcessFolder variables to find the original process. In general, this shouldn't be a serious problem--bootstrapper applications can already carry all the files they need using Payload elements.
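For the second breaking change, here is one way a managed bootstrapper application could locate a loose file next to the original bundle .exe through the new variable instead of the module path. This is an added example, not code from the WiX project: the `SourceMedia` class and `ResolveLooseFile` helper are hypothetical names, and it assumes a WiX v3 managed BA that references BootstrapperCore.dll.

```csharp
using System;
using System.IO;
using Microsoft.Tools.WindowsInstallerXml.Bootstrapper;

// Hypothetical helper for a managed bootstrapper application (illustration only).
public static class SourceMedia
{
    // Burn variable named in the release notes; it points at the folder of the
    // process the user actually started, not the process hosting the BA.
    private const string SourceFolderVariable = "WixBundleSourceProcessFolder";

    // Returns the full path of a loose file that sits next to the bundle .exe,
    // or null when the variable is not defined or the file is not there.
    public static string ResolveLooseFile(Engine engine, string fileName)
    {
        // Accept a bare file name only, so the result cannot point outside
        // the source folder (no "..\" or absolute paths).
        if (string.IsNullOrEmpty(fileName) || fileName != Path.GetFileName(fileName))
        {
            throw new ArgumentException("Expected a file name without directory parts.", "fileName");
        }

        // Engines older than v3.10.2 do not define the variable.
        if (!engine.StringVariables.Contains(SourceFolderVariable))
        {
            engine.Log(LogLevel.Standard, SourceFolderVariable + " is not defined by this engine.");
            return null;
        }

        string folder = engine.StringVariables[SourceFolderVariable];
        string candidate = Path.GetFullPath(Path.Combine(folder, fileName));

        if (!File.Exists(candidate))
        {
            engine.Log(LogLevel.Standard, "Loose file not found: " + candidate);
            return null;
        }

        // The source folder is wherever the user launched the bundle from,
        // so read this file as data; do not load executable code from it.
        return candidate;
    }
}
```

Files the bootstrapper application needs in order to run are better carried with Payload elements, as the note above says; this helper is only for content that must stay loose on the source media.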
- wix310.exe is the installer for the WiX Toolset and is required for integration into Visual Studio.
- wix310-binaries.zip contains the files that make up the WiX Toolset and is useful if you don't need Visual Studio integration -- for example, if you're just checking WiX into source control.
- wix310-debug.zip contains a reference copy of the WiX source code and symbol (.pdb) files, both of which are useful when debugging problems with WiX.
- wix310exe.zip contains the wix310.exe installer inside a .zip file, useful if your IT department prevents direct downloading of .exe files.