| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 28 Feb 2020 08:00:45 -0800
From: "Dennis E. Hamilton" <dennis.hamilton@....org>
To: "'Stefan Kanthak'" <stefan.kanthak@...go.de>, <fulldisclosure@...lists.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: [FD] Defense in depth -- the Microsoft way (part 62):
Windows shipped with end-of-life components
One correction: jsc.exe is a JavaScript command line processor. J# is not
and must not be shipped in Windows.
The opinion about the .NET Framework notwithstanding, the presumption that
these utilities are defective because they were built with older versions of
Visual C (and its libraries, presumably) does not imply existence of
defects. I see third-party software that also employ older
redistributables, some back to 2005.
It is an interesting questions why it is expedient to install these
everywhere, whatever their vintage, just like cmd.exe. It would be valuable
to know what the dependencies on these are and for whom is it convenient
that they are always there.
- Dennis
-----Original Message-----
From: Fulldisclosure <fulldisclosure-bounces@...lists.org> On Behalf Of
Stefan Kanthak
Sent: Monday, February 24, 2020 09:06
To: fulldisclosure@...lists.org
Cc: bugtraq@...urityfocus.com
Subject: [FD] Defense in depth -- the Microsoft way (part 62): Windows
shipped with end-of-life components
Hi @ll,
since Microsoft Server 2003 R2, Microsoft dares to ship and install the
abomination known as .NET Framework with every new version of Windows.
Among other components current versions of Windows and .NET Framework
include
C# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe,
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe)
J# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe,
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe)
VB# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe,
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe)
resource converter
(C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe,
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe)
IL assembler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe,
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe)
assembly linker (C:\Windows\Microsoft.NET\Framework\v2.0.50727\al.exe)
Microsoft builds (not just) these programs with Visual C 2005, an
UNSUPPORTED product that reached its end-of-life on 2016-04-12: see
<https://support.microsoft.com/en-us/lifecycle/search?alpha=Visual%20C%20200
5>
Of course these programs are linked to the equally UNSUPPORTED Visual C
2005 runtime that also reached its end-of-life 2016-04-12, which Microsoft
but nevertheless still dares to ship as side-by-side component:
[ ... ]
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists