lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <000001d5ee50$3ccd9cc0$b668d640$@acm.org> Date: Fri, 28 Feb 2020 08:00:45 -0800 From: "Dennis E. Hamilton" <dennis.hamilton@....org> To: "'Stefan Kanthak'" <stefan.kanthak@...go.de>, <fulldisclosure@...lists.org> Cc: bugtraq@...urityfocus.com Subject: Re: [FD] Defense in depth -- the Microsoft way (part 62): Windows shipped with end-of-life components One correction: jsc.exe is a JavaScript command line processor. J# is not and must not be shipped in Windows. The opinion about the .NET Framework notwithstanding, the presumption that these utilities are defective because they were built with older versions of Visual C (and its libraries, presumably) does not imply existence of defects. I see third-party software that also employ older redistributables, some back to 2005. It is an interesting questions why it is expedient to install these everywhere, whatever their vintage, just like cmd.exe. It would be valuable to know what the dependencies on these are and for whom is it convenient that they are always there. - Dennis -----Original Message----- From: Fulldisclosure <fulldisclosure-bounces@...lists.org> On Behalf Of Stefan Kanthak Sent: Monday, February 24, 2020 09:06 To: fulldisclosure@...lists.org Cc: bugtraq@...urityfocus.com Subject: [FD] Defense in depth -- the Microsoft way (part 62): Windows shipped with end-of-life components Hi @ll, since Microsoft Server 2003 R2, Microsoft dares to ship and install the abomination known as .NET Framework with every new version of Windows. Among other components current versions of Windows and .NET Framework include C# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe, C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe) J# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe, C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe) VB# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe) resource converter (C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe, C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe) IL assembler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe, C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe) assembly linker (C:\Windows\Microsoft.NET\Framework\v2.0.50727\al.exe) Microsoft builds (not just) these programs with Visual C 2005, an UNSUPPORTED product that reached its end-of-life on 2016-04-12: see <https://support.microsoft.com/en-us/lifecycle/search?alpha=Visual%20C%20200 5> Of course these programs are linked to the equally UNSUPPORTED Visual C 2005 runtime that also reached its end-of-life 2016-04-12, which Microsoft but nevertheless still dares to ship as side-by-side component: [ ... ] _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists