Hi, it's Will again. Recently, I was investigating the effectiveness of the workarounds for the Adobe Reader JBIG2 vulnerability, and I encountered an unexpected situation. In certain situations, the application resiliency feature of Windows Installer can actually undo some of the steps taken to mitigate a vulnerability.
Microsoft Windows Installer is a framework for packaging applications into MSI databases. One of the features of Windows Installer is something called application resiliency. If a component of an MSI-packaged application is missing, then Windows Installer may automatically reinstall the components when the application is launched. This automatic repair can be triggered in several ways, but the method of interest here is the use of an advertised shortcut. Unless an MSI is packaged with the DISABLEADVTSHORTCUTS property set, a shortcut that the installer creates will be advertised.
How does this relate to the Adobe JBIG2 vulnerability? Two of the workarounds listed in VU#905281 suggest disabling both the Adobe Acrobat Windows shell integration and the Adobe Acrobat indexing service filter. These workarounds involve unregistering the DLL files responsible for those features. Unregistering a DLL removes certain registry values that tell Windows to use the component.
When Adobe Reader is installed on a Windows system, it creates two shortcuts for the application. The shortcut on the desktop is a normal, non-advertised shortcut. However, the shortcut in the Start menu is an MSI-advertised shortcut. If the workarounds are in place and Adobe Reader is launched via the Start menu shortcut, Windows will detect the missing registry values and trigger an MSI application resiliency repair. This repair, which happens with no additional user interaction, will re-register the Windows shell integration and indexing service DLLs, and it will also reconfigure Internet Explorer to automatically open PDF files without prompting the user! Just by launching the application, the workarounds that help protect against vulnerabilities in Adobe Reader are reverted to the default configuration.
Any application that is packaged as an MSI has the possibility of exhibiting this behavior. To prevent this from happening, you can delete the advertised shortcut for an application and then create a normal shortcut in its place. To tell whether a shortcut is advertised, right-click on it and choose Properties. A normal shortcut will have an editable path to an application in the Target field. An advertised shortcut, however, will contain a non-editable description of the application in the Target field. By changing the shortcut type, you retain the same access points to the software but ensure that the workarounds that protect you from the vulnerability stay intact.
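The same check and replacement can be scripted across the Start menu. The following is an added example (not code from the original post): it uses the Windows Installer COM object to identify advertised shortcuts, resolves the executable the shortcut would launch, and, only when run with -Replace, swaps each one for a normal shortcut as described above. The Start menu folder paths and the -Replace switch name are assumptions of this example.

```powershell
# Added example: find MSI-advertised shortcuts in the Start menu and, on request,
# replace each with a plain shortcut to the same executable. Assumes the
# WindowsInstaller.Installer and WScript.Shell COM objects (present wherever the
# Windows Installer service is) and the two default Start menu folders below.
param(
    [string[]]$Folders = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
                           "$env:APPDATA\Microsoft\Windows\Start Menu\Programs"),
    [switch]$Replace   # without -Replace the script only reports
)

$msi = New-Object -ComObject WindowsInstaller.Installer
$wsh = New-Object -ComObject WScript.Shell

function Get-AdvertisedTarget {
    param([string]$LnkPath)
    # Installer.ShortcutTarget fails for a normal (non-advertised) shortcut, so a
    # successful call is the test that the .lnk carries an MSI descriptor.
    try {
        $rec = $msi.ShortcutTarget($LnkPath)
    } catch {
        return $null
    }
    $product   = $rec.StringData(1)   # product code
    $feature   = $rec.StringData(2)   # feature name
    $component = $rec.StringData(3)   # component code
    # ComponentPath resolves the component's key file, i.e. the executable that a
    # resiliency repair would run after re-registering whatever it finds missing.
    $exe = $msi.ComponentPath($product, $component)
    [pscustomobject]@{ Shortcut = $LnkPath; ProductCode = $product;
                       Feature = $feature; Executable = $exe }
}

foreach ($folder in $Folders) {
    Get-ChildItem -Path $folder -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
      ForEach-Object {
        $info = Get-AdvertisedTarget $_.FullName
        if (-not $info) { return }              # normal shortcut: nothing to do
        "ADVERTISED: $($info.Shortcut) -> $($info.Executable)"
        if ($Replace -and $info.Executable -and (Test-Path $info.Executable)) {
            $old  = $wsh.CreateShortcut($info.Shortcut)   # read icon/working dir first
            $icon = $old.IconLocation; $wd = $old.WorkingDirectory
            Remove-Item -LiteralPath $info.Shortcut -Force
            $new = $wsh.CreateShortcut($info.Shortcut)     # same name, same location
            $new.TargetPath = $info.Executable             # editable path, not advertised
            if ($wd)   { $new.WorkingDirectory = $wd }
            if ($icon) { $new.IconLocation = $icon }
            $new.Save()
            "  replaced with a normal shortcut"
        }
    }
}
```

Run it without -Replace first to review the list; the replaced shortcuts still open the application, but launching them no longer triggers a resiliency repair.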