lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <C33868E26BA74A78B0A2245E4523B404@celsius>
Date: Mon, 22 Jul 2013 21:42:27 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: <full-disclosure@...ts.grok.org.uk>
Subject: Defense in depth -- the Microsoft way (part 4)

Hi,

Microsoft distributes (security critical) updates for Windows components
and Microsoft products installed on user systems via "Windows/Microsoft
Update" and installs them automatically.

Except in some VERY common cases...

For the incorporation of redistributable components like the MSVCRT, MFC,
ATL etc. in MSI installer packages of other (including 3rd party) products
Microsoft provides so-called "MSI merge modules" *.MSM with Visual Studio.

This is primarily a convenience for the packager/developer and the
user/consumer, since both dont have to handle the (typically larger)
standalone "redistributable packages" of the included components from
their "main" installer package.

The files included in these MSI merge modules are installed in the same
locations as their standalone "redistributable packages" do.

But... Windows Update Agent doesnt detect vulnerable/outdated files
installed via MSI merge modules: some of the meta-data which is written
by the standalone "redistributable packages" is not written by the MSI
merge modules and lets Windows Update Agent fail to detect them properly.

The result: all Windows installations where

* Microsoft products like Microsoft Security Essentials, Windows Defender,
  Forefront Security, Microsoft Office <anything>, Microsoft Sharepoint
  <anything>, Microsoft SQL Server <anything>, .NET Framework 2.0/3.0/3.5,
  which come with outdated and vulnerable MSI merge modules, are installed,

* 3rd party products like Adobe Reader/Acrobat and numerous others of
  numerous other developers/companies, which come with outdated and
  vulnerable MSI merge modules, are installed,

* the current version of the standalone "redistributable packages" of the
  resp. MSCVRT, MFC, ATL etc. are NOT installed,

are (potentially) VULNERABLE!


stay tuned
Stefan Kanthak


PS: if you want to check your own Windows installations: get FILEVER.EXE
    from <http://www.microsoft.com/en-us/download/details.aspx?id=15326>
    (the download link in <http://support.microsoft.com/kb/913111> points
    to an older version), start a command prompt and run the following
    commands:

    FILEVER.EXE /S %SystemRoot%\WinSxS\MSVC*.DLL
    FILEVER.EXE /S %SystemRoot%\WinSxS\MFC*.DLL
    FILEVER.EXE /S %SystemRoot%\WinSxS\ATL*.DLL
    FILEVER.EXE /S %SystemRoot%\WinSxS\MSDIA*.DLL
    FILEVER.EXE /S %SystemRoot%\WinSxS\VCOMP*.DLL

    FILEVER.EXE %SystemRoot%\System32\MSVC*.DLL
    FILEVER.EXE %SystemRoot%\System32\MFC*.DLL
    FILEVER.EXE %SystemRoot%\System32\ATL*.DLL
    FILEVER.EXE %SystemRoot%\System32\MSDIA*.DLL
    FILEVER.EXE %SystemRoot%\System32\VCOMP*.DLL

    FILEVER.EXE %SystemRoot%\SysNative\MSVC*.DLL    (x64 only)
    FILEVER.EXE %SystemRoot%\SysNative\MFC*.DLL     ...
    FILEVER.EXE %SystemRoot%\SysNative\ATL*.DLL     ...
    FILEVER.EXE %SystemRoot%\SysNative\MSDIA*.DLL   ...
    FILEVER.EXE %SystemRoot%\SysNative\VCOMP*.DLL   ...

    If the output shows DLLs with version numbers less than listed in
    <http://support.microsoft.com/kb/2565063>
    <http://support.microsoft.com/kb/2467173>
    <http://support.microsoft.com/kb/2538243>
    <http://support.microsoft.com/kb/2538242>
    <http://support.microsoft.com/kb/2465373>
    you should fetch the resp. "redistributable packages" and install
    them (as stated in the FAQ section of
    <http://technet.microsoft.com/security/bulletin/ms11-025>)

    Don't forget to file file bug reports against any product that
    installed the outdated DLLs.


PPS: if you find any of these DLLs in %ProgramFiles%, %ProgramFiles(x86)%
     or other locations: remove them!

     Then ask the developers/vendors who installed them there to take a
     REALLY THOROUGH look at <http://support.microsoft.com/kb/835322>!

     And don't forget to file file bug reports against any product that
     installed OUTDATED DLLs there!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ