lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <10CA508300E5492CB562927BBB6381A3@localhost>
Date: Thu, 9 Aug 2012 18:20:27 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: How well does Microsoft support (and follow)
	their mantra "keep your PC updated"?

Hi @ll,

for years not only Microsoft tells computer users throughout the world
"keep your PC updated" again and again.

How well does Microsoft support this mantra with their very own products?
How well does Microsoft follow this mantra in their own premises?


Short answer:
  rather poor!


Longer answer:
  (far too) many Microsoft products, their service packs and (security)
  updates/hotfixes as well include outdated, unsupported (ie. after their
  end-of-life) and even vulnerable (parts of) components that have been
  superseded long ago.


Cause:
  Microsofts developers use so called "MSI merge modules" (*.MSM) (cf.
  <http://msdn.microsoft.com/en-us/library/aa369820.aspx>) to include
  (parts of) other (shared) components in their products.

JFTR: "MSI merge modules" combine the disadvantages of static linking
and DLLs!

  Although these "MSI merge modules" are regularly updated with service
  packs and (security) updates/hotfixes for Visual Studio or their resp.
  components, Microsoft ships (far too) many products with vulnerable
  libraries which stem from outdated "MSI merge modules"!


Conclusion:
  either Microsoft doesn't update their build and production systems,
  or their developers and productions teams deliberately use outdated
  "MSI merge modules" (and most probably use and link other outdated
  libraries too) to build Microsoft products.


Result:
  Microsoft ships products with vulnerable code and puts its customers
  at risk!


Example 1:

The "Microsoft Visual C++ [2005, 2008, 2010, 2012] Runtime" libraries
(MSVC?<##>.DLL, with <##> in [80, 90, 100, 110]) alias MSVCRT and its
satellites (MFC<##>*.DLL, MFC?<##>*.DLL, ATL<##>.DLL) are included in
many products[1] and get installed even if a newer version of these
libraries is already installed on a customers system.

Cf. <http://support.microsoft.com/kb/154753> and
<http://support.microsoft.com/kb/326922> for an overview, as well as
<http://support.microsoft.com/kb/2538242/en-us>,
<http://support.microsoft.com/kb/2538243/en-us>,
<http://support.microsoft.com/kb/2467173/en-us> and
<http://support.microsoft.com/kb/2565063/en-us> for detailed partlists.


The FAQ section of
<http://technet.microsoft.com/en-us/security/bulletin/ms11-025> says:

| In the case where a system has no MFC applications currently installed
| but does have the vulnerable Visual Studio or Visual C++ runtimes
| installed, Microsoft recommends that users install this update as a
| defense-in-depth measure, in case of an attack vector being introduced
| or becoming known at a later time.

Of course the same holds for ATL applications (where MS09-035 should have
an equivalent FAQ entry) and CRT applications too.


Step 1:

   Take a look at the just released
   "Microsoft SQL Server 2008 Service Pack 2"
   <http://blogs.msdn.com/b/sqlreleaseservices/archive/2012/07/26/sql-server-2008-r2-sp2-is-now-available.aspx>
   and it's downloads,
   <http://www.microsoft.com/en-us/download/details.aspx?id=30437>
   <http://www.microsoft.com/en-us/download/details.aspx?id=30438>
   <http://www.microsoft.com/en-us/download/details.aspx?id=30440>

   From the last link, pick the SQL native client installation package
   sqlncli_{amd64,ia64,x86}.msi, download and install it.

Step 2:

   Find the directory
   "C:\WINDOWS\winsxs\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4027_x-ww_e69378d0\"
   with vulnerable DLLs MSVC?80.DLL v8.0.50727.4027 (this version of
   MSVC++ 2005 is pre-SP1, ie. end-of-life/out-of-service) on your
   system.

   OUCH!
   Apparently Microsoft's own recommendation is completely unknown to
   their own developers, their QA, their production team, their release
   managers, ...

   JTFR: Other parts of SQL Server 2008 SP2 contain these vulnerable
   DLLs too.

Step 3:

   Start the "software" applet from "control panel" and try to find
   the just installed (parts of) "Microsoft Visual C++ 2005 Runtime".

   It's missing!

   How should a user follow Microsoft's recommendation if s/he doesnt
   even know that there is (or are parts of) a vulnerable component
   installed?

Step 4:

   Start "Windows Update" or "Microsoft Update" and perform a "custom"
   search for updates.

   Result: no update(s) for Microsoft Visual C++ 2005 runtime libraries.

   Again: a complete waste of time, WU/MU doesnt offer the necessary
   update MS11-025, since Windows Update Agent doesnt detect the
   improperly installed MSVCRT!


Example 2:

"Microsoft Application Error Reporting Tool" alias "Dr. Watson 2.0"
(cf. <http://support.microsoft.com/kb/841477>) is part of many
products[2], included/bundled either as installable package
DW20Shared.msi or incorporated directly via its files DWDCW20.DLL,
DW20.EXE, DWTRIG20.EXE, DW20.ADM (in many languages), DWINTL20.DLL
(localized too) and MSVC?80.DLL (goto example 1).


Step 1:

   Fetch "Microsoft Security Essentials" from
   <http://windows.microsoft.com/en-US/windows/products/security-essentials>,
   and install it, or start "Microsoft Update", perform a custom search
   and install the optional update KB2691894
   <http://support.microsoft.com/kb/2691894/en-us>
   (cf. <http://support.microsoft.com/kb/2267621/en-us>).

Step 2:

   Find the directory
   "C:\WINDOWS\winsxs\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\"
   with vulnerable DLLs MSVC?80.DLL v8.0.50727.42 (this version is
   MSVC++ 2005 RTM, ie. end-of-life/out-of-service) on your system.

Step 3:

   Open "control panel", start the "software" applet and try to find
   the just installed component "Microsoft Application Error Reporting"
   and (parts of) the component "Microsoft Visual C++ Runtime".

   They are missing!

   How should a user follow Microsoft's recommendation if s/he doesnt
   even know that there are (parts of) vulnerable components installed?

Step 4:

   Start "Windows Update" or "Microsoft Update" and perform a "custom"
   search for updates.

   Result: no update(s) for Microsoft Visual C++ 2005 runtime libraries
   or error reporting tool.

   Again: a complete waste of time, WU/MU doesnt offer the necessary
   update MS11-025, since Windows Update Agent doesnt detect the
   improperly installed MSVCRT!


Stefan Kanthak


[1] Application Error Reporting alias Windows Error Reporting
    SQL Server 2005 and several subcomponents
    SQL Server 2008 and several subcomponents
    SQL Server 2012 and several subcomponents
    ...

[2] Windows Defender
    Security Essentials
    Forefront Security ...
    {Exchange Office Outlook OneNote Word Excel PowerPoint Publisher Project Access Visio ...} 2003
    {Exchange Office Outlook OneNote Word Excel PowerPoint Publisher Project Access Visio ...} 2007
    Office Communicator 2005
    Office Groove 2007
    Groove Server 2010
    Sharepoint Services 2.0
    Sharepoint Services 3.0
    SharePoint Designer 2007
    SharePoint Foundation 2010
    SharePoint Server 2010
    .NET Framework 2.0
    .NET Framework 3.0
    .NET Framework 3.5
    ...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ