Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Applications that bypass globally serviced side-by-side assemblies may be vulnerable to issues that are fixed by a Microsoft software update



Introduction

On Microsoft Windows Server 2003-based computers, administrators can bypass any globally updated side-by-side assemblies for a specific application. On Microsoft Windows XP-based computers, software developers and administrators can bypass any globally updated side-by-side assemblies for a specific application. However, this bypass feature may make your application vulnerable to issues that would otherwise be fixed by installing a global Microsoft software update. Therefore, we strongly recommend that software developers and administrators do not use this feature.

We do not recommend that you use side-by-side assemblies that are mixed with the DLL/COM redirection on Windows technique. See the "More Information" section for details.



More information

A side-by-side assembly contains a collection of resources that may include one or more DLL files, windows classes, COM servers, type libraries, or interfaces. These resources are always provided together to applications. A side-by-side assembly is selected by an XML application manifest that may exist in any one of the following locations:
  • A resource in the executable file for the application.
  • A file with an ".exe.manifest" extension that is installed in the same folder as the application's executable file.
  • A setting in the Microsoft Application Compatibility database. If an application manifest is provided by the Microsoft Application Compatibility database, the manifest takes precedence over what is provided by the application.
After deployment, software developers or administrators can update assembly configuration on a per-application basis by using an application configuration file. An application configuration file is a file with an ".exe.config" extension that is in the same folder as the application's executable file. An application configuration file can be used to redirect a specific application from using one version of a side-by-side assembly to using another version of the same assembly, without recompiling the application. For example, an administrator or developer can update, or "opt-in" to, an individual application to use a newer side-by-side assembly that was not forced on all applications by using a publisher policy. The newer side-by-side assembly then takes over for earlier versions of that assembly for the specified application.

Additionally, an administrator for Windows Server 2003, or an administrator or software developer for Windows XP, can bypass, or "opt-out" of, any globally updated side-by-side assemblies for a specific application, instead of removing the globally updated assembly for all applications. To do this, an administrator can update the application configuration file to include a <publisherPolicy apply="no"/> element.

To determine whether an application configuration file is being used to bypass any globally updated side-by-side assemblies for a specific application on a Windows XP-based computer, look for the <publisherPolicy apply="no"/> element in a .config file with the same file name as the application executable. For example, look for the <publisherPolicy apply="no"/> element in the Application.exe.config file to determine whether globally updated side-by-side assemblies are being bypassed for an application that uses Application.exe as its executable file. This Application.exe.config file is installed in the same location as the application's application manifest.

This feature lets software developers and administrators selectively disable a Microsoft software update for a specific application that does not work correctly when the software update is installed. (Therefore, software developers or administrators do not have to remove the software update for all applications.) However, if an application includes such a bypass, the application may be vulnerable to any issues that are fixed by the software update.

Note This bypass requires an entry in the Microsoft Application Compatibility database on Windows Server 2003-based computers. This setting can be added only by administrators or by Microsoft in a software update.

There are additional methods by which the application author, or someone with control of the application directory, can bypass the global update.

Caution on using the DLL/COM redirection on Windows technique

This technique typically calls for a .local file to be deployed with the application. This requirement helps reduce application compatibility issues.

Note The .local file makes the system prefer the copy of the DLL in the application folder instead of the global copy, which may be a valuable service update. We recommend that software developers and administrators use this feature with caution, or not at all, when the application is using a side-by-side assembly.
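The check described earlier (looking for the <publisherPolicy apply="no"/> element in Application.exe.config) and the .local caution above can be combined into one audit of an application folder. The following is an added example, not code from the original article or from Microsoft; the function names, finding labels, and the layout of the sample configuration are assumptions made for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample; the element layout is an assumption, matching is by local name.
SAMPLE_CONFIG = """<configuration><windows>
  <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
    <publisherPolicy apply="no"/>
  </assemblyBinding></windows></configuration>"""

def config_opts_out(xml_data):
    """True if any <publisherPolicy> element (any namespace) carries apply="no"."""
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError:
        return False  # malformed config: not counted as an opt-out here
    return any(e.tag.rsplit("}", 1)[-1].lower() == "publisherpolicy"
               and e.get("apply", "").strip().lower() == "no" for e in root.iter())

def audit_tree(top):
    """Return sorted (kind, path) findings for every *.exe under top."""
    findings = []
    for folder, _dirs, files in os.walk(top):
        by_lower = {name.lower(): name for name in files}  # Windows names ignore case
        for exe in [n for n in by_lower if n.endswith(".exe")]:
            config = by_lower.get(exe + ".config")
            if config:
                path = os.path.join(folder, config)
                with open(path, "rb") as fh:  # bytes let the XML parser handle encoding
                    if config_opts_out(fh.read()):
                        findings.append(("publisher-policy-bypass", path))
            if exe + ".local" in by_lower:
                findings.append(("dotlocal-redirection", os.path.join(folder, by_lower[exe + ".local"])))
    return sorted(findings)

def demo():
    """Audit a constructed application folder; return (kind, file name) pairs."""
    files = {"Application.exe": "", "Application.exe.config": SAMPLE_CONFIG, "Other.exe": "",
             "Other.exe.local": "", "Clean.exe": "", "Clean.exe.config": "<configuration/>"}
    with tempfile.TemporaryDirectory() as top:
        for name, body in files.items():
            with open(os.path.join(top, name), "w") as fh:
                fh.write(body)
        return [(kind, os.path.basename(path)) for kind, path in audit_tree(top)]

if __name__ == "__main__":
    print(demo())
```

Each finding marks an application that may not pick up a globally serviced assembly and should be reviewed against the recommendations in this article.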

For more information about the DLL/COM Redirection on Windows technique, visit the following Microsoft Web site:

Recommended practices for software developers who use side-by-side assemblies
  • Ship your application with an application manifest that lists the version of the side-by-side assembly that your application was built or tested with.
  • Always deploy the manifest file of the side-by-side assembly with the side-by-side DLLs, even if you choose to deploy to the application folder.
  • If you install your application on a computer that is running Microsoft Windows 2000 or earlier versions of Windows, do not ship the side-by-side assembly in your application folder to those operating systems. Instead, the side-by-side assemblies should be used from the system folder.
  • Do not use the .local feature, also known as DLL/COM Redirection on Windows.
  • Do not run the LoadLibrary function on the side-by-side assembly DLLs with an explicit full path. Instead, use static linking or use the LoadLibrary function with the raw DLL file name. For example, use "Gdiplus.dll" as the file name.
For more information, visit the following Microsoft Web site:



References

For more information about isolated applications and side-by-side assemblies, visit the following Microsoft Web site:

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates



Keywords: kbinfo, kbtshoot, kbsecurity, kbprb, KB835322


Article Info
Article ID : 835322
Revision : 8
Created on : 12/1/2007
Published on : 12/1/2007
Exists online : False