As planned, today we discussed the latest WiX v3 security release release, or, less confusingly, the release of the latest WiX v3 security release. But first...
Issue triage
WIX installer no longer asks for elevation on start after WiX Toolset upgrade from 3.10 to 3.11, from @VladimirArustamian, suggests that in WiX v3.10.0, Burn bundles elevated on launch but no longer do in WiX v3.11. As proper elevation was an important design goal of Burn, it's never launched elevated -- doing so means your bundle UI is elevated and simple things opening a license or privacy policy launches your browser elevated. And that's one of the last things you want to be running elevated. Plus, it exposes you to another vulnerability (see below).
Unable to cast transparent proxy to type 'WixExtensionValidator' 3.11, from @arparadhya, reports a problem using Visual Studio integration in Visual Studio 2017. It's not a problem we've seen before so, we asked for some additional details in hopes of narrowing down a cause.
Security release release
Ahead of schedule, on Saturday 18-November, Rob released the fix for the elevated bundle vulnerability we discussed last meeting. Ad-hoc testing across a few OSes didn't reveal any issues and proved the fix was taking effect. We got a few similar reports of success on the wix-devs mailing list. So today Rob posed the question of when we should ship the release as the new stable releases. I suggested we throw caution to the wind and do so immediately. Cooler heads suggested we more widely announce the build as the release candidate to get more input. So here's one announcement: