Bug or Feature? KB2918614 Alters Windows Installer Behavior

After applying KB2918614 from the list of August Patch Tuesday updates, and then attempting to repair an application, you will notice a definite change in how Windows Installer works.

The intent of KB2918614 is to better secure against hackers having access to the Windows Installer engine, and the security bulletin description notes a change in how the Windows Installer service works for application repairs:

This security update resolves a privately disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application that attempts to repair a previously-installed application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

What the security bulletin doesn't say is that the change in Windows Installer repair operations means that application repair attempts will be met with a User Account Control credential window each time. However, the credentials required are administrator access.

Many companies are finding this change hugely problematic, requiring administrator access just to do a simple repair. Uninstalling the update places the Windows Installer service back to its original design, but also leaves it vulnerable to the reported security issue.