[<prev] [next>] [day] [month] [year] [list]
Message-ID: <10CA508300E5492CB562927BBB6381A3@localhost>
Date: Thu, 9 Aug 2012 18:20:27 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: How well does Microsoft support (and follow)
their mantra "keep your PC updated"?
Hi @ll,
for years not only Microsoft tells computer users throughout the world
"keep your PC updated" again and again.
How well does Microsoft support this mantra with their very own products?
How well does Microsoft follow this mantra in their own premises?
Short answer:
rather poor!
Longer answer:
(far too) many Microsoft products, their service packs and (security)
updates/hotfixes as well include outdated, unsupported (ie. after their
end-of-life) and even vulnerable (parts of) components that have been
superseded long ago.
Cause:
Microsofts developers use so called "MSI merge modules" (*.MSM) (cf.
<http://msdn.microsoft.com/en-us/library/aa369820.aspx>) to include
(parts of) other (shared) components in their products.
JFTR: "MSI merge modules" combine the disadvantages of static linking
and DLLs!
Although these "MSI merge modules" are regularly updated with service
packs and (security) updates/hotfixes for Visual Studio or their resp.
components, Microsoft ships (far too) many products with vulnerable
libraries which stem from outdated "MSI merge modules"!
Conclusion:
either Microsoft doesn't update their build and production systems,
or their developers and productions teams deliberately use outdated
"MSI merge modules" (and most probably use and link other outdated
libraries too) to build Microsoft products.
Result:
Microsoft ships products with vulnerable code and puts its customers
at risk!
Example 1:
The "Microsoft Visual C++ [2005, 2008, 2010, 2012] Runtime" libraries
(MSVC?<##>.DLL, with <##> in [80, 90, 100, 110]) alias MSVCRT and its
satellites (MFC<##>*.DLL, MFC?<##>*.DLL, ATL<##>.DLL) are included in
many products[1] and get installed even if a newer version of these
libraries is already installed on a customers system.
Cf. <http://support.microsoft.com/kb/154753> and
<http://support.microsoft.com/kb/326922> for an overview, as well as
<http://support.microsoft.com/kb/2538242/en-us>,
<http://support.microsoft.com/kb/2538243/en-us>,
<http://support.microsoft.com/kb/2467173/en-us> and
<http://support.microsoft.com/kb/2565063/en-us> for detailed partlists.
The FAQ section of
<http://technet.microsoft.com/en-us/security/bulletin/ms11-025> says:
| In the case where a system has no MFC applications currently installed
| but does have the vulnerable Visual Studio or Visual C++ runtimes
| installed, Microsoft recommends that users install this update as a
| defense-in-depth measure, in case of an attack vector being introduced
| or becoming known at a later time.
Of course the same holds for ATL applications (where MS09-035 should have
an equivalent FAQ entry) and CRT applications too.
Step 1:
Take a look at the just released
"Microsoft SQL Server 2008 Service Pack 2"
<http://blogs.msdn.com/b/sqlreleaseservices/archive/2012/07/26/sql-server-2008-r2-sp2-is-now-available.aspx>
and it's downloads,
<http://www.microsoft.com/en-us/download/details.aspx?id=30437>
<http://www.microsoft.com/en-us/download/details.aspx?id=30438>
<http://www.microsoft.com/en-us/download/details.aspx?id=30440>
From the last link, pick the SQL native client installation package
sqlncli_{amd64,ia64,x86}.msi, download and install it.
Step 2:
Find the directory
"C:\WINDOWS\winsxs\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4027_x-ww_e69378d0\"
with vulnerable DLLs MSVC?80.DLL v8.0.50727.4027 (this version of
MSVC++ 2005 is pre-SP1, ie. end-of-life/out-of-service) on your
system.
OUCH!
Apparently Microsoft's own recommendation is completely unknown to
their own developers, their QA, their production team, their release
managers, ...
JTFR: Other parts of SQL Server 2008 SP2 contain these vulnerable
DLLs too.
Step 3:
Start the "software" applet from "control panel" and try to find
the just installed (parts of) "Microsoft Visual C++ 2005 Runtime".
It's missing!
How should a user follow Microsoft's recommendation if s/he doesnt
even know that there is (or are parts of) a vulnerable component
installed?
Step 4:
Start "Windows Update" or "Microsoft Update" and perform a "custom"
search for updates.
Result: no update(s) for Microsoft Visual C++ 2005 runtime libraries.
Again: a complete waste of time, WU/MU doesnt offer the necessary
update MS11-025, since Windows Update Agent doesnt detect the
improperly installed MSVCRT!
Example 2:
"Microsoft Application Error Reporting Tool" alias "Dr. Watson 2.0"
(cf. <http://support.microsoft.com/kb/841477>) is part of many
products[2], included/bundled either as installable package
DW20Shared.msi or incorporated directly via its files DWDCW20.DLL,
DW20.EXE, DWTRIG20.EXE, DW20.ADM (in many languages), DWINTL20.DLL
(localized too) and MSVC?80.DLL (goto example 1).
Step 1:
Fetch "Microsoft Security Essentials" from
<http://windows.microsoft.com/en-US/windows/products/security-essentials>,
and install it, or start "Microsoft Update", perform a custom search
and install the optional update KB2691894
<http://support.microsoft.com/kb/2691894/en-us>
(cf. <http://support.microsoft.com/kb/2267621/en-us>).
Step 2:
Find the directory
"C:\WINDOWS\winsxs\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\"
with vulnerable DLLs MSVC?80.DLL v8.0.50727.42 (this version is
MSVC++ 2005 RTM, ie. end-of-life/out-of-service) on your system.
Step 3:
Open "control panel", start the "software" applet and try to find
the just installed component "Microsoft Application Error Reporting"
and (parts of) the component "Microsoft Visual C++ Runtime".
They are missing!
How should a user follow Microsoft's recommendation if s/he doesnt
even know that there are (parts of) vulnerable components installed?
Step 4:
Start "Windows Update" or "Microsoft Update" and perform a "custom"
search for updates.
Result: no update(s) for Microsoft Visual C++ 2005 runtime libraries
or error reporting tool.
Again: a complete waste of time, WU/MU doesnt offer the necessary
update MS11-025, since Windows Update Agent doesnt detect the
improperly installed MSVCRT!
Stefan Kanthak
[1] Application Error Reporting alias Windows Error Reporting
SQL Server 2005 and several subcomponents
SQL Server 2008 and several subcomponents
SQL Server 2012 and several subcomponents
...
[2] Windows Defender
Security Essentials
Forefront Security ...
{Exchange Office Outlook OneNote Word Excel PowerPoint Publisher Project Access Visio ...} 2003
{Exchange Office Outlook OneNote Word Excel PowerPoint Publisher Project Access Visio ...} 2007
Office Communicator 2005
Office Groove 2007
Groove Server 2010
Sharepoint Services 2.0
Sharepoint Services 3.0
SharePoint Designer 2007
SharePoint Foundation 2010
SharePoint Server 2010
.NET Framework 2.0
.NET Framework 3.0
.NET Framework 3.5
...
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists