Applications that bypass globally serviced side-by-side assemblies may be vulnerable to issues that are fixed by a Microsoft software update

Article ID: 835322

INTRODUCTION

On Microsoft Windows Server 2003-based computers, administrators can bypass any globally updated side-by-side assemblies for a specific application. On Microsoft Windows XP-based computers, software developers and administrators can bypass any globally updated side-by-side assemblies for a specific application. However, this bypass feature may make your application vulnerable to issues that would otherwise be fixed by installing a global Microsoft software update. Therefore, we strongly recommend that software developers and administrators do not use this feature.

We do not recommend that you use side-by-side assemblies that are mixed with the DLL/COM redirection on Windows technique. See the "More Information" section for details.

MORE INFORMATION

A side-by-side assembly contains a collection of resources that may include one or more DLL files, windows classes, COM servers, type libraries, or interfaces. These resources are always provided together to applications. A side-by-side assembly is selected by an XML application manifest that may exist in any one of the following locations:
  • A resource in the executable file for the application.
  • A file with an ".exe.manifest" extension that is installed in the same folder as the application's executable file.
  • A setting in the Microsoft Application Compatibility database. If an application manifest is provided by the Microsoft Application Compatibility database, the manifest takes precedence over what is provided by the application.
After deployment, software developers or administrators can update assembly configuration on a per-application basis by using an application configuration file. An application configuration file is a file with an ".exe.config" extension that is in the same folder as the application's executable file. An application configuration file can be used to redirect a specific application from using one version of a side-by-side assembly to using another version of the same assembly, without recompiling the application. For example, an administrator or developer can update, or "opt-in", an individual application to use a newer side-by-side assembly that was not forced on all applications by using a publisher policy. The newer side-by-side assembly then takes over for earlier versions of that assembly for the specified application.

Additionally, an administrator for Windows Server 2003, or an administrator or software developer for Windows XP, can bypass, or "opt-out" of, any globally updated side-by-side assemblies for a specific application, instead of removing the globally updated assembly for all applications. To do this, an administrator can update the application configuration file to include a <publisherPolicy apply="no"/> element.

To determine whether an application configuration file is being used to bypass any globally updated side-by-side assemblies for a specific application on a Windows XP-based computer, look for the <publisherPolicy apply="no"/> element in a .config file with the same file name as the application executable. For example, look for the <publisherPolicy apply="no"/> element in the Application.exe.config file to determine whether globally updated side-by-side assemblies are being bypassed for an application that uses Application.exe as its executable file. This Application.exe.config file is installed in the same location as the application's application manifest.

This feature lets software developers and administrators selectively disable a Microsoft software update for a specific application that does not work correctly when the software update is installed. (Therefore, software developers or administrators do not have to remove the software update for all applications.) However, if an application includes such a bypass, the application may be vulnerable to any issues that are fixed by the software update.

Note This bypass requires an entry in the Microsoft Application Compatibility database on Windows Server 2003-based computers. This setting can be added only by administrators or by Microsoft in a software update.

There are additional methods that the application author, or someone with control of the application directory, can use to bypass the global update.

Caution on using the DLL/COM redirection on Windows technique

This technique typically calls for a .local file to be deployed with the application. This requirement helps reduce application compatibility issues.

Note The .local file makes the system prefer the copy of the DLL in the application folder instead of the global copy, which may be a valuable service update. We recommend that software developers and administrators use this feature with caution, or not at all, when the application is using a side-by-side assembly.

For more information about the DLL/COM Redirection on Windows technique, visit the following Microsoft Web site:
http://msdn2.microsoft.com/en-us/library/aa375142.aspx
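
The check described above (a <publisherPolicy apply="no"/> element in Application.exe.config) and the .local caution can be combined into one audit of an application folder tree. This is an added example, not code from Microsoft or from this article; the function names, the report strings and the sample configuration file are constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample (not from the article), shaped like an application config file.
SAMPLE_CONFIG = """<configuration><windows>
  <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
    <publisherPolicy apply="no"/>
  </assemblyBinding>
</windows></configuration>"""

def config_opts_out(path):
    """True if <publisherPolicy apply="no"/> is present, None if unparseable."""
    try:
        root = ET.parse(path).getroot()
    except (ET.ParseError, OSError):
        return None
    # Compare local names so the match works with or without an XML namespace.
    return any(e.tag.rsplit("}", 1)[-1] == "publisherPolicy"
               and e.get("apply", "").strip().lower() == "no"
               for e in root.iter())

def audit_tree(top):
    """List (exe name, reason) for executables with a bypass file beside them."""
    findings = []
    for folder, _dirs, files in os.walk(top):
        names = {f.lower(): f for f in files}
        for lower in sorted(names):
            if not lower.endswith(".exe"):
                continue
            cfg = names.get(lower + ".config")
            verdict = config_opts_out(os.path.join(folder, cfg)) if cfg else False
            if verdict is None:
                findings.append((names[lower], "unparseable .exe.config"))
            elif verdict:
                findings.append((names[lower], "publisherPolicy apply=no"))
            if lower + ".local" in names:
                findings.append((names[lower], ".local redirection"))
    return findings

def demo():
    with tempfile.TemporaryDirectory() as top:
        for name, body in [("Application.exe", ""), ("Other.exe", ""),
                           ("Application.exe.config", SAMPLE_CONFIG),
                           ("Other.exe.local", "")]:
            with open(os.path.join(top, name), "w") as fh:
                fh.write(body)
        return audit_tree(top)
```

Point `audit_tree` at an application install root; a configuration file that cannot be parsed is reported separately so that it can be reviewed by hand.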


Recommended practices for software developers who use side-by-side assemblies
  • Ship your application with an application manifest that lists the version of the side-by-side assembly that your application was built or tested with.
  • Always deploy the manifest file of the side-by-side assembly with the side-by-side DLLs, even if you choose to deploy to the application folder.
  • If you install your application on a computer that is running Microsoft Windows 2000 or earlier versions of Windows, do not ship the side-by-side assembly in your application folder to those operating systems. Instead, the side-by-side assemblies should be used from the system folder.
  • Do not use the .local feature, also known as DLL/COM Redirection on Windows.
  • Do not call the LoadLibrary function on the side-by-side assembly DLLs with an explicit full path. Instead, use static linking or call the LoadLibrary function with the raw DLL file name. For example, use "Gdiplus.dll" as the file name.
For more information, visit the following Microsoft Web site:
http://msdn2.microsoft.com/en-us/library/ms997620.aspx

REFERENCES

For more information about isolated applications and side-by-side assemblies, visit the following Microsoft Web site:
http://msdn2.microsoft.com/en-us/library/aa375193.aspx
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates

Properties

Article ID: 835322 - Last Review: December 1, 2007 - Revision: 4.4
APPLIES TO
  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Tablet PC Edition
  • Microsoft Windows XP Media Center Edition
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional x64 Edition
Keywords: 
kbinfo kbtshoot kbsecurity kbprb KB835322
