Message-ID: <97F7F4143FF24077A341B6F2CA9098AE@W340>
Date: Sun, 21 Dec 2014 22:10:04 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: fulldisclosure@...lists.org
Subject: [FD] Defense in depth -- the Microsoft way (part 24): applications built with SDKs may be vulnerable

Hi @ll,

in their software development kits Microsoft typically ships
Visual C++ (cross) compilers with headers and libraries,
including the MSVCRT for both static and dynamic linking.

The compiler(s) and the libraries are almost never updated (the
only update I know is <https://support.microsoft.com/kb/949408>),
not even when a vulnerability has been detected and patched;
sometimes they are even outdated when the SDK ships.

The result: applications built with the SDKs and linked against
their outdated MSVCRT may be vulnerable!

JFTR: since the standard entry points [w]mainCRTStartup() and
      [w]WinMainCRTStartup() for Win32 applications as well as
      _DllMainCRTStartup() for Win32 DLLs are all defined in the
      MSVCRT, all binaries are typically linked against it. :-(

Examples:

* the .NET Framework 2.0 SDK
  (see <https://www.microsoft.com/download/details.aspx?id=19988>
  and <https://www.microsoft.com/download/details.aspx?id=15354>;
  the English version was digitally signed on 2005-09-23 and
  published a few days later), ships version 14.0.50727.42 and
  8.0.50727.42 of Visual C++ 2005 and its utilities/libraries.

  Visual C++ 2005 Express edition was published around the same
  date and shipped the same (versions of the) files.
  The latter, however, receives updates via Microsoft Update, most notably

  * Service Pack 1
    (see <https://www.microsoft.com/download/details.aspx?id=804>),
    which ships version 14.0.50727.752 and 8.0.50727.762 of most of
    the files;

  * MS09-035
    (see <https://technet.microsoft.com/library/security/bulletin/MS09-035>
    alias <https://support.microsoft.com/kb/969706>,
    <https://support.microsoft.com/kb/971090> and
    <https://support.microsoft.com/kb/973544>),
    which updates the MSVCRT (including header files etc.) to version
    8.0.50727.4053;

  * MS11-025
    (see <https://technet.microsoft.com/library/security/bulletin/MS11-025>
    alias <https://support.microsoft.com/kb/2500212>,
    <https://support.microsoft.com/kb/2538218> and
    <https://support.microsoft.com/kb/2538242>),
    which updates the MSVCRT (including header files etc.) to version
    8.0.50727.6195.

* the Platform SDK for Windows Server 2003 SP1 (and R2 too)
  (see <https://www.microsoft.com/download/details.aspx?id=15656>
  or <https://www.microsoft.com/en-us/download/details.aspx?id=6510>)
  ships versions 14.0.40310.41/14.0.30402.0 and
  8.0.40310.37/8.0.40310.39/8.0.40310.29 of Visual C++ 2005 (cross)
  compilers and their utilities/libraries.

  See above for missing updates and security patches!

* the Windows SDK for Windows 7 and .NET Framework 3.5 SP1
  (see <https://www.microsoft.com/download/details.aspx?id=3138>
  or <https://www.microsoft.com/download/details.aspx?id=18950>;
  digitally signed on 2009-07-15 and published about a week later)
  ships version 15.0.30729.1 and 9.0.30729.1 of Visual C++ 2008 SP1
  (cross) compilers and their utilities/libraries.

  Visual C++ 2008 SP1 Express edition
  (<http://download.microsoft.com/download/e/8/e/e8eeb394-7f42-4963-a2d8-29559b738298/VS2008ExpressWithSP1ENUX1504728.iso>)
  was published around the same date and shipped the same (versions
  of the) files.
  The latter, however, receives updates via Microsoft Update, most notably

  * MS09-035
    (see <https://technet.microsoft.com/library/security/bulletin/MS09-035>,
    alias <https://support.microsoft.com/kb/969706>,
    <https://support.microsoft.com/kb/971092> and
    <https://support.microsoft.com/kb/973552>),
    which updates the MSVCRT (including header files etc.) to version
    9.0.30729.4148;

  * MS11-025
    (see <https://technet.microsoft.com/library/security/bulletin/MS11-025>,
    alias <https://support.microsoft.com/kb/2500212>,
    <https://support.microsoft.com/kb/2538241> and
    <https://support.microsoft.com/kb/2538243>),
    which updates the MSVCRT (including header files etc.) to version
    9.0.30729.6191.

* the Windows SDK for Windows 7 and .NET Framework 4
  (see <https://www.microsoft.com/download/details.aspx?id=8279>
  or <https://www.microsoft.com/download/details.aspx?id=8442>)
  ships version 16.0.40219.1 and 10.0.40219.1 of Visual C++ 2010
  (cross) compilers and their utilities/libraries.

  The following updates are not deployed for this SDK:

  * Service Pack 1
    (see <https://www.microsoft.com/download/details.aspx?id=23691>
    or <https://support.microsoft.com/kb/983509>);

  * MS11-025
    (see <https://technet.microsoft.com/library/security/bulletin/MS11-025>,
    alias <https://support.microsoft.com/kb/2500212>,
    <https://support.microsoft.com/kb/2565057> and
    <https://support.microsoft.com/kb/2565063>),
    which updates the MSVCRT (including header files etc.) to version
    10.0.40219.325.

regards
Stefan Kanthak
_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
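
Added example, not part of the original post and not Microsoft tooling: a check that reads the side-by-side manifest of a dynamically linked Visual C++ 2005/2008 binary and flags a requested Microsoft.VC80.CRT or Microsoft.VC90.CRT version older than the MS11-025 versions quoted above. The sample manifest is constructed, and a finding marks the binary for review and rebuild; it does not prove the binary is vulnerable. Visual C++ 2010 binaries do not use such manifests and are out of scope here.

```python
import xml.etree.ElementTree as ET

# Patched library versions quoted in the post (MS11-025), keyed by the
# side-by-side assembly name that Visual C++ 2005/2008 binaries request.
PATCHED = {
    "Microsoft.VC80.CRT": "8.0.50727.6195",
    "Microsoft.VC90.CRT": "9.0.30729.6191",
}
ASM_NS = "{urn:schemas-microsoft-com:asm.v1}"

# Constructed sample: a manifest requesting the version that the post says
# the .NET Framework 2.0 SDK ships.
SAMPLE_MANIFEST = """
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.VC80.CRT"
        version="8.0.50727.42" processorArchitecture="x86"
        publicKeyToken="1fc8b3b9a1e18e3b"/>
    </dependentAssembly>
  </dependency>
</assembly>"""


def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints; string comparison would rank
    8.0.50727.762 above 8.0.50727.4053, which is wrong."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError("expected a four-part version: %r" % text)
    return parts


def audit(manifest_xml):
    """Return (name, requested, patched) for each runtime assembly that the
    manifest requests at a version below the patched one."""
    findings = []
    root = ET.fromstring(manifest_xml.strip())
    for ident in root.iter(ASM_NS + "assemblyIdentity"):
        name, version = ident.get("name"), ident.get("version")
        if name in PATCHED and version:
            if parse_version(version) < parse_version(PATCHED[name]):
                findings.append((name, version, PATCHED[name]))
    return findings


if __name__ == "__main__":
    for name, have, want in audit(SAMPLE_MANIFEST):
        print("%s %s is older than %s: review and rebuild" % (name, have, want))
```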