Open Source and information security mailing list archives
 
Date: Fri, 28 Feb 2020 08:00:45 -0800
From: "Dennis E. Hamilton" <dennis.hamilton@....org>
To: "'Stefan Kanthak'" <stefan.kanthak@...go.de>, <fulldisclosure@...lists.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: [FD] Defense in depth -- the Microsoft way (part 62): Windows shipped with end-of-life components

One correction: jsc.exe is a JavaScript command line processor.  J# is not
and must not be shipped in Windows.

The opinion about the .NET Framework notwithstanding, the presumption that
these utilities are defective because they were built with older versions of
Visual C (and its libraries, presumably) does not imply existence of
defects.  I see third-party software that also employs older
redistributables, some back to 2005.

It is an interesting question why it is expedient to install these
everywhere, whatever their vintage, just like cmd.exe.  It would be valuable
to know what the dependencies on these are and for whom is it convenient
that they are always there.

 - Dennis

-----Original Message-----
From: Fulldisclosure <fulldisclosure-bounces@...lists.org> On Behalf Of
Stefan Kanthak
Sent: Monday, February 24, 2020 09:06
To: fulldisclosure@...lists.org
Cc: bugtraq@...urityfocus.com
Subject: [FD] Defense in depth -- the Microsoft way (part 62): Windows
shipped with end-of-life components

Hi @ll,

since Microsoft Server 2003 R2, Microsoft dares to ship and install the
abomination known as .NET Framework with every new version of Windows.

Among other components current versions of Windows and .NET Framework
include

C# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe,
             C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe)
J# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe,
             C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe)
VB# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe,
             C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe)
resource converter (C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe,
                    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe)
IL assembler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe,
              C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe)
assembly linker (C:\Windows\Microsoft.NET\Framework\v2.0.50727\al.exe)

Microsoft builds (not just) these programs with Visual C 2005, an
UNSUPPORTED product that reached its end-of-life on 2016-04-12: see
<https://support.microsoft.com/en-us/lifecycle/search?alpha=Visual%20C%202005>

Of course these programs are linked to the equally UNSUPPORTED Visual C
2005 runtime that also reached its end-of-life on 2016-04-12, which Microsoft
nevertheless still dares to ship as a side-by-side component:

[ ... ]



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
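
Added example, not part of either message above: one way to check which toolchain produced a given binary is to read the linker version from its PE optional header (the Visual C 2005 linker writes major version 8). The function names and the sample images are constructed for illustration; pass real file paths, such as those listed in the original post, on the command line.

```python
import struct
import sys

VC2005_LINKER_MAJOR = 8  # linker shipped with Visual C 2005 reports 8.x


def linker_version(pe_bytes):
    """Return (major, minor) linker version from a PE image's optional header."""
    if len(pe_bytes) < 0x40 or pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe_bytes, 0x3C)
    # PE signature (4 bytes) + COFF header (20) + first 4 bytes of optional header
    if e_lfanew + 28 > len(pe_bytes) or pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    magic, major, minor = struct.unpack_from("<HBB", pe_bytes, e_lfanew + 24)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    return major, minor


def flag_vc2005(images):
    """images maps a name to file bytes; return names whose linker major is 8."""
    flagged = []
    for name, data in images.items():
        try:
            major, _minor = linker_version(data)
        except ValueError:
            continue  # not a PE image, skip it
        if major == VC2005_LINKER_MAJOR:
            flagged.append(name)
    return sorted(flagged)


def _sample_pe(major, minor, magic=0x20B):
    """Constructed minimal header, just enough for linker_version() to parse."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 4, 0x22)
    return dos + b"PE\0\0" + coff + struct.pack("<HBB", magic, major, minor)


if __name__ == "__main__":
    files = {}
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            files[path] = fh.read(4096)  # headers sit at the start of the file
    for name in flag_vc2005(files):
        print(name, "linker", VC2005_LINKER_MAJOR)
```

The linker version is a field the build tool writes and anything can rewrite, so treat a match as an inventory hint, not proof of how a binary was built or that it is defective.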
