New update available: Detours Library fix for Microsoft Application Virtualization

  • Article

NOTE There was a previous issue where the update below failed to install for App-V 4.6 SP3. This problem has been fixed. The KB article and associated files have been updated and republished.

=====

A new hotfix is now available that fixes vulnerabilities in the Detours Library that is used by Microsoft Application Virtualization (App-V). The following versions are affected:

  • App-V 5.1
  • App-V 5.0 Service Pack 3 (SP3)
  • App-V 4.6 SP3
  • App-V 4.5 SP2

This vulnerability could allow an attacker to bypass Address Space Layout Randomization (ASLR) and therefore bypass a product's "hooks" by calling directly to the code stub. An attacker could install replacement code stubs that could view, create, change, or delete data.

For complete details on this update, including download and installation instructions, please see the following:

 

3172672 - Detours Library fix for Microsoft Application Virtualization (https://support.microsoft.com/en-us/kb/3172672)

 

J.C. Hornbeck, Solution Asset PM
Microsoft Enterprise Cloud Group

Comments

  • Anonymous
    September 19, 2016
    Seems like this update breaks driver signing for the sft*.sys driver files for App-V 4.6. After installation the sftvol and sftplay services are refusing to start: Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged.Any idea?
    • Anonymous
      September 19, 2016
      To add to this it seems like the patched sysfiles are lacking digital signature and are signed by sometihing like CoreXX valid to 2099. Normally the files are signed by Microsoft code Signing PCA.
  • Anonymous
    September 20, 2016
    I've tested a clean 2008 R2 install with this patch, The App-V 4.6 client service doesn't start because the drivers are unsigned. The drivers are signed by CoreXT for which the certificates are missing. Installing the cert in the root store doesn't fix this issue.For anyone wanting to download this skip this patch for 4.6!!
  • Anonymous
    September 22, 2016
    Just an FYI that we're aware of a problem with the update for App-V 4.6 SP3. We have found the issue and are working on a fix. We’ll replace the binaries for the 4.6 SP3 patch and re-issue the KB with the updated file information as soon as it is available.
  • Anonymous
    September 22, 2016
    this and other hotfixes do not apply on Windows 10 Anniversary Edition which comes with the built-in App-v client (v5.2). Will hotfixes for that version be made available for download?
  • Anonymous
    November 21, 2016
    For 4.6, does this update replace Hotfix 4, or do we need to install Hotfix 4 and then install this update to have the latest and greatest version?