Message-ID: <3BAF21D857FE48E3A64D147997855474@localhost>
Date: Tue, 3 Jul 2012 22:12:23 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: <full-disclosure@...ts.grok.org.uk>
Subject: Vulnerable Microsoft VC++ 2005 runtime libraries in "Microsoft Live Meeting 2007 Client" installed in private location
Hi @ll,
the current "Microsoft Live Meeting 2007 client" (available from
<http://office.microsoft.com/en-us/help/HA101733831033.aspx>,
referenced as update in <http://support.microsoft.com/kb/2536683>,
<http://support.microsoft.com/kb/2505941>,
<http://support.microsoft.com/kb/2496882>,
<http://support.microsoft.com/kb/2433231>,
<http://support.microsoft.com/kb/2029026>,
<http://support.microsoft.com/kb/980926>,
<http://support.microsoft.com/kb/976128>,
<http://support.microsoft.com/kb/974251>,
<http://support.microsoft.com/kb/969697>,
<http://support.microsoft.com/kb/961553>,
<http://support.microsoft.com/kb/960165>,
<http://support.microsoft.com/kb/957491>,
<http://support.microsoft.com/kb/952579>,
<http://support.microsoft.com/kb/947881>,
<http://support.microsoft.com/kb/946764> and
<http://support.microsoft.com/kb/943085>)
contains and installs vulnerable and outdated MSVC++ 2005 runtime libraries
(even if newer MSVC++ runtime libraries are already present on the target
system).
Unfortunately the libraries are installed in the application's own directory,
where they are NOT detected by "Windows Update Agent" (and f^Htools like
"Secunia Personal Inspector") and are therefore NOT updated via Windows/
Microsoft update!
The problem in general is well known (<http://support.microsoft.com/kb/835322>
"Applications that bypass globally serviced side-by-side assemblies may be vulnerable to issues that are fixed by a Microsoft
software update")
but apparently the vendor doesn't seem to care!
| C:\>filever /S msvcr?80.dll
|
| c:\program files (x86)\common files\microsoft shared\livemeeting shared\msvc?80.dll
| --a-- W32i DLL ENU 8.0.50727.762 shp 548,864 05-12-2011 msvcp80.dll
| --a-- W32i DLL ENU 8.0.50727.762 shp 626,688 05-12-2011 msvcr80.dll
|
| c:\program files (x86)\microsoft office\live meeting 8\console\msvc?80.dll
| --a-- W32i DLL ENU 8.0.50727.762 shp 548,864 05-12-2011 msvcp80.dll
| --a-- W32i DLL ENU 8.0.50727.762 shp 626,688 05-12-2011 msvcr80.dll
|
| c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.163_none_10b3ea459bfee365\msvc?80.dll
| --a-- W32i DLL ENU 8.0.50727.163 shp 479,232 11-01-2011 msvcm80.dll
| --a-- W32i DLL ENU 8.0.50727.163 shp 548,864 11-01-2011 msvcp80.dll
| --a-- W32i DLL ENU 8.0.50727.163 shp 626,688 11-01-2011 msvcr80.dll
|
| c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad\msvc?80.dll
| --a-- W32i DLL ENU 8.0.50727.42 shp 479,232 10-14-2011 msvcm80.dll
| --a-- W32i DLL ENU 8.0.50727.42 shp 548,864 10-14-2011 msvcp80.dll
| --a-- W32i DLL ENU 8.0.50727.42 shp 626,688 10-14-2011 msvcr80.dll
|
| c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvc?80.dll
| --a-- W32i DLL ENU 8.0.50727.4940 shp 479,232 11-05-2010 msvcm80.dll
| --a-- W32i DLL ENU 8.0.50727.4940 shp 554,832 11-05-2010 msvcp80.dll
| --a-- W32i DLL ENU 8.0.50727.4940 shp 632,656 11-05-2010 msvcr80.dll
|
| c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\msvc?80.dll
| --a-- W32i DLL ENU 8.0.50727.6195 shp 479,232 06-15-2011 msvcm80.dll
| --a-- W32i DLL ENU 8.0.50727.6195 shp 554,832 06-15-2011 msvcp80.dll
| --a-- W32i DLL ENU 8.0.50727.6195 shp 632,656 06-15-2011 msvcr80.dll
|
| c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8\msvc?80.dll
| --a-- W32i DLL ENU 8.0.50727.762 shp 479,232 11-09-2009 msvcm80.dll
| --a-- W32i DLL ENU 8.0.50727.762 shp 548,864 11-09-2009 msvcp80.dll
| --a-- W32i DLL ENU 8.0.50727.762 shp 626,688 11-09-2009 msvcr80.dll
JFTR: the MSVC++ 2005 runtime libraries are NOT listed in the "file information"
section in any of the MSKB articles for the "Live Meeting 2007 client update"!
Other DLLs (which are listed in the MSKB articles, I'm using
<http://support.microsoft.com/kb/2536683> here as reference) are outdated
too:
* Saext.dll 12.0.4518.1014 291,128 12-May-11 17:54
SAEXT.DLL 12.0 is part of various other Office 2007 components,
but its current version is 12.0.6300.5000
| C:\>filever /S saext.dll
|
| c:\program files (x86)\microsoft office\live meeting 8\console\saext.dll
| --a-- W32i DLL - 12.0.4518.1014 shp 291,128 05-12-2011 saext.dll
|
| c:\program files (x86)\microsoft office\office12\saext.dll
| --a-- W32i DLL - 12.0.6300.5000 shp 293,424 12-06-2007 saext.dll
* Ogl.dll 12.0.6420.1000 1,640,776 12-May-11 17:54
OGL.DLL 12.0 is part of various other Office 2007 components,
but its current version is 12.0.6604.1000
| C:\>filever /S ogl.dll
|
| c:\program files (x86)\common files\microsoft shared\office12\ogl.dll
| --a-- W32i DLL ENU 12.0.6604.1000 shp 1,616,240 07-07-2011 ogl.dll
|
| c:\program files (x86)\microsoft office\live meeting 8\console\ogl.dll
| --a-- W32i DLL ENU 12.0.6420.1000 shp 1,640,776 05-12-2011 ogl.dll
* Msptls.dll 12.0.6421.1000 756,032 12-May-11 17:54
MSPTLS.DLL 12.0 is part of various other Office 2007 components,
but its current version is 12.0.6654.5000
| C:\>filever /S msptls.dll
|
| c:\program files (x86)\common files\microsoft shared\office12\msptls.dll
| --a-- W32i DLL - 12.0.6654.5000 shp 756,048 10-05-2011 msptls.dll
|
| c:\program files (x86)\microsoft office\live meeting 8\console\msptls.dll
| --a-- W32i DLL - 12.0.6421.1000 shp 756,032 05-12-2011 msptls.dll
* Intldate.dll 12.0.6413.1000 79,224 12-May-11 17:54
MSPTLS.DLL 12.0 is part of various other Office 2007 components,
but its current version is 12.0.6500.5000
| C:\>filever /S intldate.dll
|
| c:\program files (x86)\microsoft office\live meeting 8\console\intldate.dll
| --a-- W32i DLL - 12.0.6413.1000 shp 79,224 05-12-2011 intldate.dll
|
| c:\program files (x86)\microsoft office\office12\intldate.dll
| --a-- W32i DLL - 12.0.6500.5000 shp 78,208 02-25-2009 intldate.dll
* Rtyuv.dll 1.0.3656.0 30,976 12-May-11 18:18
RTYUV.DLL 1.0 is part of "Microsoft Roundtable".
Again the developers don't follow their employer's own guidelines
(see <http://msdn.microsoft.com/en-us/ms997548.aspx> for example):
| If a file is shared, but only among your applications, create a
| subfolder in the following location and store the file there:
|
| C:\Program Files\Common Files\Company Name
|
| Alternatively, for application "suite" installations where multiple
| applications are bundled together, you can create suite subfolders as
| follows:
|
| For your executable files:
|
| C:\Program Files\Suite Name
|
| For your support files shared only within the suite:
|
| C:\Program Files\Suite Name\System
but create a mess instead and place numerous copies of these (and some more)
libraries in various different locations!
Stefan Kanthak
Timeline:
2012-03-16  problem reported
2012-03-17  vendor acknowledges the report, opens MSRC case and asks for
            "responsible disclosure"
2012-03-23  vendor sends update "case manager assigned"
2012-04-09  vendor sends update "still under investigation"
2012-07-03  vendor answers "investigation complete" and acknowledges the
            facts, but will not issue an MSRC bulletin since they were
            unable to find any attack vectors
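
The comparison the post makes by eye can be automated. The following is an added example, not part of the original post: it parses `filever /S` output and reports copies outside WinSxS that are older than the newest copy of the same file found on the system. The sample input is an excerpt of the listings quoted above; the function names are this example's own.

```python
import re

# Excerpt of the `filever /S` listings quoted in the post above.
SAMPLE = r"""
c:\program files (x86)\microsoft office\live meeting 8\console\msvc?80.dll
--a-- W32i DLL ENU 8.0.50727.762 shp 548,864 05-12-2011 msvcp80.dll
--a-- W32i DLL ENU 8.0.50727.762 shp 626,688 05-12-2011 msvcr80.dll

c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8\msvc?80.dll
--a-- W32i DLL ENU 8.0.50727.762 shp 548,864 11-09-2009 msvcp80.dll
--a-- W32i DLL ENU 8.0.50727.762 shp 626,688 11-09-2009 msvcr80.dll

c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\msvc?80.dll
--a-- W32i DLL ENU 8.0.50727.6195 shp 554,832 06-15-2011 msvcp80.dll
--a-- W32i DLL ENU 8.0.50727.6195 shp 632,656 06-15-2011 msvcr80.dll

c:\program files (x86)\common files\microsoft shared\office12\ogl.dll
--a-- W32i DLL ENU 12.0.6604.1000 shp 1,616,240 07-07-2011 ogl.dll

c:\program files (x86)\microsoft office\live meeting 8\console\ogl.dll
--a-- W32i DLL ENU 12.0.6420.1000 shp 1,640,776 05-12-2011 ogl.dll
"""

def parse_filever(text):
    """Return (directory, filename, version_tuple) for every file line."""
    records, directory = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("|").strip()   # tolerate the post's "| " quoting
        if re.match(r"[A-Za-z]:\\[^>]", line):   # a path, not a "C:\>" prompt
            directory = line.rsplit("\\", 1)[0].lower()
            continue
        fields = line.split()
        if directory and len(fields) == 9 and re.fullmatch(r"\d+(\.\d+){3}", fields[4]):
            # Compare versions as integer tuples: as strings, "762" sorts above "6195".
            records.append((directory, fields[8].lower(),
                            tuple(int(p) for p in fields[4].split("."))))
    return records

def outdated_private_copies(records):
    """Copies outside WinSxS that are older than the newest copy of the same file."""
    newest = {}
    for _, name, version in records:
        newest[name] = max(newest.get(name, version), version)
    dotted = lambda v: ".".join(map(str, v))
    return sorted((d, n, dotted(v), dotted(newest[n])) for d, n, v in records
                  if "\\windows\\winsxs\\" not in d and v < newest[n])

if __name__ == "__main__":
    for d, n, have, latest in outdated_private_copies(parse_filever(SAMPLE)):
        print(f"{d}\\{n}: {have} (newest on system: {latest})")
```

Older assemblies under WinSxS are skipped because several versions are kept there side by side; only copies in application directories are reported.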