lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 28 Feb 2020 08:00:45 -0800
From: "Dennis E. Hamilton" <>
To: "'Stefan Kanthak'" <>, <>
Subject: Re: [FD] Defense in depth -- the Microsoft way (part 62):
	Windows	shipped with end-of-life components

One correction: jsc.exe is a JavaScript command line processor.  J# is not
and must not be shipped in Windows.

The opinion about the .NET Framework notwithstanding, the presumption that
these utilities are defective because they were built with older versions of
Visual C (and its libraries, presumably) does not imply existence of
defects.  I see third-party software that also employ older
redistributables, some back to 2005.

It is an interesting questions why it is expedient to install these
everywhere, whatever their vintage, just like cmd.exe.  It would be valuable
to know what the dependencies on these are and for whom is it convenient
that they are always there.

 - Dennis

-----Original Message-----
From: Fulldisclosure <> On Behalf Of
Stefan Kanthak
Sent: Monday, February 24, 2020 09:06
Subject: [FD] Defense in depth -- the Microsoft way (part 62): Windows
shipped with end-of-life components

Hi @ll,

since Microsoft Server 2003 R2, Microsoft dares to ship and install the
abomination known as .NET Framework with every new version of Windows.

Among other components current versions of Windows and .NET Framework

C# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe,
J# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe,
VB# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe,
resource converter

IL assembler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe,
assembly linker (C:\Windows\Microsoft.NET\Framework\v2.0.50727\al.exe)

Microsoft builds (not just) these programs with Visual C 2005, an
UNSUPPORTED product that reached its end-of-life on 2016-04-12: see

Of course these programs are linked to the equally UNSUPPORTED Visual C
2005 runtime that also reached its end-of-life 2016-04-12, which Microsoft
but nevertheless still dares to ship as side-by-side component:

[ ... ]

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists