lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [day] [month] [year] [list]
Date: Mon, 24 Feb 2020 18:05:58 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <fulldisclosure@...lists.org>
Cc: <bugtraq@...urityfocus.com>
Subject: Defense in depth -- the Microsoft way (part 62): Windows shipped with end-of-life components

Hi @ll,

since Microsoft Server 2003 R2, Microsoft dares to ship and install the
abomination known as .NET Framework with every new version of Windows.

Among other components current versions of Windows and .NET Framework
include

C# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe,
             C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe)
J# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe,
             C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe)
VB# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe,
             C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe)
resource converter (C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe,
                    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe)
IL assembler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe,
              C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe)
assembly linker (C:\Windows\Microsoft.NET\Framework\v2.0.50727\al.exe)

Microsoft builds (not just) these programs with Visual C 2005, an
UNSUPPORTED product that reached its end-of-life on 2016-04-12: see
<https://support.microsoft.com/en-us/lifecycle/search?alpha=Visual%20C%202005>

Of course these programs are linked to the equally UNSUPPORTED Visual C
2005 runtime that also reached its end-of-life 2016-04-12, which
Microsoft but nevertheless still dares to ship as side-by-side component:

Windows 10 1909

C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9659_none_88dfc6bf2faefcc6\MSVCR80.dll
C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9659_none_88dfc6bf2faefcc6\MSVCR80.dll

Windows 7 SP1, with Microsoft Security Essentials installed

C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\msvcm80.dll
C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\msvcp80.dll
C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\msvcr80.dll
C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad\msvcm80.dll
C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad\msvcp80.dll
C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad\msvcr80.dll
C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcm80.dll
C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcp80.dll
C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll


The latest security update for the Visual C++ runtime was published
2011-06-04 and updated the version to 8.0.50727.6195: see
<https://support.microsoft.com/en-us/help/2538242/ms11-025-description-of-the-security-update-for-visual-c-2005-sp1-redi>

The FAQ section of
<http://technet.microsoft.com/en-us/security/bulletin/ms11-025> says:

| In the case where a system has no MFC applications currently installed
| but does have the vulnerable Visual Studio or Visual C++ runtimes
| installed, Microsoft recommends that users install this update as a
| defense-in-depth measure, in case of an attack vector being introduced
| or becoming known at a later time.

Microsoft ships VULNERABLE components with .NET Framework and Windows, then
recommends that their unsuspecting users update them, but fails to update
their crap themselses!
In other words: "quod licet jovi non licet bovi"!

JFTR: another highlight (really: a BLATANT lie) from
      <http://technet.microsoft.com/en-us/security/bulletin/ms11-025> is:

| Recommendation. The majority of customers have automatic updating enabled
| and will not need to take any action because this security update will be
| downloaded and installed automatically.

NO, Windows Update does NOT update the OUTDATED and VULNERABLE Visual C++
runtime shipped with .NET Framework in Windows 7!

The previous security update was published 2009-07-28 and updated
the version to 8.0.50727.4053: see
<https://support.microsoft.com/en-us/help/973544> plus
<https://support.microsoft.com/en-gb/help/969706/ms09-035-vulnerabilities-in-visual-studio-active-template-libraries-co>

Of course the statement from the FAQ section of MS11-025 holds for ATL
applications (where MS09-035 should have an equivalent FAQ entry) and
CRT applications too!

Additionally see the MSKB article
<https://support.microsoft.com/en-us/help/2977003/the-latest-supported-visual-c-downloads>
which does NOT even list the MSVCRT 2005 any more!


stay tuned, and FAR AWAY from untrustworthy and insecure software like .NET Framework and Windows 7
Stefan Kanthak

PS: <https://msdn.microsoft.com/en-us/vstudio/bb188593.aspx> shows
    2017-10-10 as EOL for the separate J# redistributable package.

Powered by blists - more mailing lists