New update available: Detours Library fix for Microsoft Application Virtualization


NOTE There was a previous issue where the update below failed to install for App-V 4.6 SP3. This problem has been fixed. The KB article and associated files have been updated and republished.

=====

A new hotfix is now available that fixes vulnerabilities in the Detours Library that is used by Microsoft Application Virtualization (App-V). The following versions are affected:

  • App-V 5.1
  • App-V 5.0 Service Pack 3 (SP3)
  • App-V 4.6 SP3
  • App-V 4.5 SP2

This vulnerability could allow an attacker to bypass Address Space Layout Randomization (ASLR) and therefore bypass a product's "hooks" by calling directly to the code stub. An attacker could install replacement code stubs that could view, create, change, or delete data.

For complete details on this update, including download and installation instructions, please see the following:

 

3172672 - Detours Library fix for Microsoft Application Virtualization (https://support.microsoft.com/en-us/kb/3172672)

 

J.C. Hornbeck, Solution Asset PM
Microsoft Enterprise Cloud Group


Comments (6)

  1. Martijn Kools says:

    Seems like this update breaks driver signing for the sft*.sys driver files for App-V 4.6. After installation the sftvol and sftplay services are refusing to start: Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged.

    Any idea?

    1. Martijn Kools says:

      To add to this it seems like the patched sysfiles are lacking digital signature and are signed by sometihing like CoreXX valid to 2099. Normally the files are signed by Microsoft code Signing PCA.

  2. Martijn Kools says:

    I've tested a clean 2008 R2 install with this patch, The App-V 4.6 client service doesn't start because the drivers are unsigned. The drivers are signed by CoreXT for which the certificates are missing. Installing the cert in the root store doesn't fix this issue.

    For anyone wanting to download this skip this patch for 4.6!!

  3. Just an FYI that we're aware of a problem with the update for App-V 4.6 SP3. We have found the issue and are working on a fix. We’ll replace the binaries for the 4.6 SP3 patch and re-issue the KB with the updated file information as soon as it is available.

  4. henry says:

    this and other hotfixes do not apply on Windows 10 Anniversary Edition which comes with the built-in App-v client (v5.2). Will hotfixes for that version be made available for download?

  5. pisboi says:

    For 4.6, does this update replace Hotfix 4, or do we need to install Hotfix 4 and then install this update to have the latest and greatest version?

Skip to main content