Date: Sat, 11 Aug 2012 22:42:16 +0200
From: "Thomas D." <whistl0r@...glemail.com>
To: bugtraq@...urityfocus.com
Subject: Re: How well does Microsoft support (and follow) their mantra "keep your PC updated"?

Hi,

I am not sure if I got your point.

First, winsxs is Microsoft's Windows file repository. Every part of
Windows is split into components and packages. Every package is
copied into the winsxs folder.

But the content of the winsxs folder doesn't represent the currently
installed features. So for example you could have the IIS package in
winsxs, but IIS isn't currently installed on your system.
But if you installed IIS now, you wouldn't be prompted for Windows
installation media, because the package is already in the winsxs folder.

The same applies to updates:
If a new version of a package becomes available (Hotfix, Security Update
or just a normal update), Windows will copy the new package into the
winsxs folder, next to the already existing older version of the
package. This lets the winsxs folder grow, but also makes sure
that you are able to remove *every* package at *any* time you want,
because you are able to reinstall the previous version.

I hope this was clear and nothing new for you. So what's your point?
What's wrong when multiple versions of the Visual C++ runtimes are
present in the winsxs folder? Nothing.
It is only important which version is marked as active.

I agree with you:
It is not nice to ship installers with outdated components.
But it wouldn't be better to release an updated installer every 2
months... So if Microsoft (or any other company) ships a new program
today, it should be bundled with the latest version of the component
they are using, because if I haven't installed this component at the
moment, I don't want to be vulnerable *after* I install a new product
(BTW: Did you ever notice the end of the Office installation? Microsoft
prompts you to visit Windows Update, just because they know that
they will have installed a product/components which are already out of
date).
From my experience, Windows Update is keeping my Windows components
like Visual C++ runtimes up to date:

<http://f.666kb.com/i/c6auyx3go8yvhktuo.jpg>

So if you noticed an undetected old version, this is a bug and should be
reported to Microsoft. They often re-release Windows Updates because of
wrong/improved detections.

Regarding VC++ 2005 being end of life:
If you are expecting that programs compiled against a specific runtime
version will be recompiled just because the runtime is end of life, you
are wrong and - from my point of view - have not understood how runtimes
are used and why it isn't really a risk.

But as I said in the beginning, maybe I didn't get your point.


-- 
Regards,
Thomas
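The component store described in the message above (several versions of one package, such as the VC++ 8.0 CRT, sitting side by side under winsxs) can be inspected directly. The following PowerShell is an added example, not code from the original message or from Microsoft: it parses WinSxS directory names, which follow the pattern `<arch>_<name>_<publicKeyToken>_<version>_<culture>_<hash>`, groups them by assembly identity, and lists every version present together with the highest one. The sample directory names are constructed for the demonstration (the trailing hashes are placeholders), so the function can be exercised without a Windows component store. Note that "highest version present" is not the same as the version an application actually binds to; that is decided by the application manifest and the publisher policy files, which this script does not resolve.

```powershell
# Added example (not from the original message): list component versions
# that coexist in the WinSxS store, grouped by assembly identity.
# Directory names look like
#   x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_<hash>
#   <arch>_<name>_<publicKeyToken>_<version>_<culture>_<hash>

function Get-SxsComponentVersions {
    param(
        [Parameter(Mandatory)] [string[]] $DirectoryNames,
        [string] $NameFilter = '*'          # wildcard on the assembly name, e.g. 'microsoft.vc*'
    )

    # Public key token and hash are fixed-width hex; version is four dotted numbers.
    $pattern = '^(?<arch>[^_]+)_(?<name>.+)_(?<token>[0-9a-f]{16})_(?<version>\d+(\.\d+){3})_(?<culture>[^_]+)_(?<hash>[0-9a-f]{16})$'

    $parsed = foreach ($d in $DirectoryNames) {
        if ($d -match $pattern) {
            [pscustomobject]@{
                Arch    = $Matches.arch
                Name    = $Matches.name
                Token   = $Matches.token
                Version = [version] $Matches.version   # [version] sorts numerically, not as text
                Culture = $Matches.culture
            }
        }
    }

    $parsed |
        Where-Object { $_.Name -like $NameFilter } |
        Group-Object Arch, Name, Token, Culture |
        ForEach-Object {
            # @() keeps a single version from collapsing to a scalar so [-1] is safe.
            $versions = @($_.Group.Version | Sort-Object -Unique)
            [pscustomobject]@{
                Identity        = $_.Name
                VersionsPresent = ($versions | ForEach-Object { $_.ToString() }) -join ', '
                HighestPresent  = $versions[-1].ToString()
                Count           = $versions.Count
            }
        }
}

# Constructed sample directory names (hashes are placeholders, not taken from a real system):
$sample = @(
    'x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4053_none_0000000000000001',
    'x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_0000000000000002',
    'x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_0000000000000003',
    'amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_0000000000000004',
    'not-a-sxs-directory'                                # ignored: does not match the pattern
)
Get-SxsComponentVersions -DirectoryNames $sample -NameFilter 'microsoft.vc*' | Format-Table -AutoSize

# Against a live system (the store is large, so this takes a while):
# $names = (Get-ChildItem -Path "$env:SystemRoot\WinSxS" -Directory).Name
# Get-SxsComponentVersions -DirectoryNames $names -NameFilter 'microsoft.vc*' | Format-Table -AutoSize
```

On the sample input the x86 VC80 CRT identity shows two versions (8.0.50727.4053 and 8.0.50727.6195) with 6195 as the highest present, while the amd64 VC80 CRT and the x86 VC90 CRT each show one; seeing more than one version for an identity is the normal state the message describes, not a sign that an update was missed.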

