lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <3BAF21D857FE48E3A64D147997855474@localhost>
Date: Tue, 3 Jul 2012 22:12:23 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: <full-disclosure@...ts.grok.org.uk>
Subject: Vulnerable Microsoft VC++ 2005 runtime libraries in "Microsoft Live Meeting 2007 Client" installed in private location

Hi @ll,

the current "Microsoft Live Meeting 2007 client" (available from
<http://office.microsoft.com/en-us/help/HA101733831033.aspx>,
referenced as update in <http://support.microsoft.com/kb/2536683>,
<http://support.microsoft.com/kb/2505941>,
<http://support.microsoft.com/kb/2496882>,
<http://support.microsoft.com/kb/2433231>,
<http://support.microsoft.com/kb/2029026>,
<http://support.microsoft.com/kb/980926>,
<http://support.microsoft.com/kb/976128>,
<http://support.microsoft.com/kb/974251>,
<http://support.microsoft.com/kb/969697>,
<http://support.microsoft.com/kb/961553>,
<http://support.microsoft.com/kb/960165>,
<http://support.microsoft.com/kb/957491>,
<http://support.microsoft.com/kb/952579>,
<http://support.microsoft.com/kb/947881>,
<http://support.microsoft.com/kb/946764> and
<http://support.microsoft.com/kb/943085>)
contains and installs vulnerable and outdated MSVC++ 2005 runtime libraries
(even if newer MSVC++ runtime libraries are already present on the target
system).

Unfortunately the libraries are installed in the application's own directory,
where they are NOT detected by "Windows Update Agent" (and f^Htools like
"Secunia Personal Inspector") and are therefore NOT updated via Windows/
Microsoft update!


The problem in general is well known (<http://support.microsoft.com/kb/835322>
"Applications that bypass globally serviced side-by-side assemblies may be vulnerable to issues that are fixed by a Microsoft
software update")
but apparently the vendor doesn't seem to care!


| C:\>filever /S msvcr?80.dll
|
| c:\program files (x86)\common files\microsoft shared\livemeeting shared\msvc?80.dll
| --a-- W32i   DLL ENU   8.0.50727.762 shp    548,864 05-12-2011 msvcp80.dll
| --a-- W32i   DLL ENU   8.0.50727.762 shp    626,688 05-12-2011 msvcr80.dll
|
| c:\program files (x86)\microsoft office\live meeting 8\console\msvc?80.dll
| --a-- W32i   DLL ENU   8.0.50727.762 shp    548,864 05-12-2011 msvcp80.dll
| --a-- W32i   DLL ENU   8.0.50727.762 shp    626,688 05-12-2011 msvcr80.dll
|
| c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_10b3ea459bfee365\msvc?80.dll
| --a-- W32i   DLL ENU   8.0.50727.163 shp    479,232 11-01-2011 msvcm80.dll
| --a-- W32i   DLL ENU   8.0.50727.163 shp    548,864 11-01-2011 msvcp80.dll
| --a-- W32i   DLL ENU   8.0.50727.163 shp    626,688 11-01-2011 msvcr80.dll
|
| c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad\msvc?80.dll
| --a-- W32i   DLL ENU    8.0.50727.42 shp    479,232 10-14-2011 msvcm80.dll
| --a-- W32i   DLL ENU    8.0.50727.42 shp    548,864 10-14-2011 msvcp80.dll
| --a-- W32i   DLL ENU    8.0.50727.42 shp    626,688 10-14-2011 msvcr80.dll
|
| c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvc?80.dll
| --a-- W32i   DLL ENU  8.0.50727.4940 shp    479,232 11-05-2010 msvcm80.dll
| --a-- W32i   DLL ENU  8.0.50727.4940 shp    554,832 11-05-2010 msvcp80.dll
| --a-- W32i   DLL ENU  8.0.50727.4940 shp    632,656 11-05-2010 msvcr80.dll
|
| c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\msvc?80.dll
| --a-- W32i   DLL ENU  8.0.50727.6195 shp    479,232 06-15-2011 msvcm80.dll
| --a-- W32i   DLL ENU  8.0.50727.6195 shp    554,832 06-15-2011 msvcp80.dll
| --a-- W32i   DLL ENU  8.0.50727.6195 shp    632,656 06-15-2011 msvcr80.dll
|
| c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8\msvc?80.dll
| --a-- W32i   DLL ENU   8.0.50727.762 shp    479,232 11-09-2009 msvcm80.dll
| --a-- W32i   DLL ENU   8.0.50727.762 shp    548,864 11-09-2009 msvcp80.dll
| --a-- W32i   DLL ENU   8.0.50727.762 shp    626,688 11-09-2009 msvcr80.dll


JFTR: the MSVC++ 2005 runtime libraries are NOT listed in the "file information"
section in any of the MSKB articles for the "Live Meeting 2007 client update"!


Other DLLs (which are listed in the MSKB articles, I'm using
<http://support.microsoft.com/kb/2536683> here as reference) are outdated
too:


* Saext.dll      12.0.4518.1014     291,128 12-May-11 17:54

  SAEXT.DLL 12.0 is part of various other Office 2007 components,
  its current version is but 12.0.6300.5000

| C:\>filever /S saext.dll
|
| c:\program files (x86)\microsoft office\live meeting 8\console\saext.dll
| --a-- W32i   DLL   -  12.0.4518.1014 shp    291,128 05-12-2011 saext.dll
|
| c:\program files (x86)\microsoft office\office12\saext.dll
| --a-- W32i   DLL   -  12.0.6300.5000 shp    293,424 12-06-2007 saext.dll


* Ogl.dll        12.0.6420.1000   1,640,776 12-May-11 17:54

  OGL.DLL 12.0 is part of various other Office 2007 components,
  its current version is but 12.0.6604.1000

| C:\>filever /S ogl.dll
|
| c:\program files (x86)\common files\microsoft shared\office12\ogl.dll
| --a-- W32i   DLL ENU  12.0.6604.1000 shp  1,616,240 07-07-2011 ogl.dll
|
| c:\program files (x86)\microsoft office\live meeting 8\console\ogl.dll
| --a-- W32i   DLL ENU  12.0.6420.1000 shp  1,640,776 05-12-2011 ogl.dll


* Msptls.dll     12.0.6421.1000     756,032 12-May-11 17:54

  MSPTLS.DLL 12.0 is part of various other Office 2007 components,
  its current version is but 12.0.6654.5000

| C:\>filever /S msptls.dll
|
| c:\program files (x86)\common files\microsoft shared\office12\msptls.dll
| --a-- W32i   DLL   -  12.0.6654.5000 shp    756,048 10-05-2011 msptls.dll
|
| c:\program files (x86)\microsoft office\live meeting 8\console\msptls.dll
| --a-- W32i   DLL   -  12.0.6421.1000 shp    756,032 05-12-2011 msptls.dll


* Intldate.dll   12.0.6413.1000      79,224 12-May-11 17:54

  MSPTLS.DLL 12.0 is part of various other Office 2007 components,
  its current version is but 12.0.6500.5000

| C:\>filever /S intldate.dll
|
| c:\program files (x86)\microsoft office\live meeting 8\console\intldate.dll
| --a-- W32i   DLL   -  12.0.6413.1000 shp     79,224 05-12-2011 intldate.dll
|
| c:\program files (x86)\microsoft office\office12\intldate.dll
| --a-- W32i   DLL   -  12.0.6500.5000 shp     78,208 02-25-2009 intldate.dll


* Rtyuv.dll       1.0.3656.0         30,976 12-May-11 18:18

  RTYUV.DLL 1.0 is part of "Microsoft Roundtable".


Again the developers dont follow their employers own guidelines
(see <http://msdn.microsoft.com/en-us/ms997548.aspx> for example):

| If a file is shared, but only among your applications, create a
| subfolder in the following location and store the file there:
|
| C:\Program Files\Common Files\Company Name
|
| Alternatively, for application "suite" installations where multiple
| applications are bundled together, you can create suite subfolders as
| follows:
|
| For your executable files:
|
| C:\Program Files\Suite Name
|
| For your support files shared only within the suite:
|
| C:\Program Files\Suite Name\System

but create a mess instead and place numerous copies of these (and some more)
libraries in various different locations!


Stefan Kanthak


Timeline:

2012-03-16    problem reported

2012-03-17    vendor acknowledges the report, opens MSRC case and asks for
              "responsible disclosure"

2012-03-23    vendor sends update "case manager assigned"

2012-04-09    vendor sends update "still under investigation"

2012-07-03    vendor answers "investigation complete" and acknowledges the
              facts, but will not issue an MSRC bulletin since they were
              unable to find any attack vectors

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ