lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <12B924AD3DF64E2CA4EF968C8A8BB367@H270>
Date: Fri, 28 Feb 2020 18:25:48 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <dennis.hamilton@....org>, <fulldisclosure@...lists.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: [FD] Defense in depth -- the Microsoft way (part 62): Windows shipped with end-of-life components

"Dennis E. Hamilton" <dennis.hamilton@....org> wrote:

> One correction: jsc.exe is a JavaScript command line processor. J# is not
> and must not be shipped in Windows.
>
> The opinion about the .NET Framework notwithstanding, the presumption that
> these utilities are defective because they were built with older versions of
> Visual C (and its libraries, presumably) does not imply existence of
> defects.

These utilities are just the anchor; the very point is that Microsoft ships
SUPERSEDED and VULNERABLE versions of the Visual C++ 2005 runtime with
(certain versions of) Windows and other products, against their own
recommendation:

| In the case where a system has no MFC applications currently installed
| but does have the vulnerable Visual Studio or Visual C++ runtimes
| installed, Microsoft recommends that users install this update as a
| defense-in-depth measure, in case of an attack vector being introduced
| or becoming known at a later time.

> I see third-party software that also employ older redistributables,
> some back to 2005.

"Same old sin"! This justifies neither Microsoft's nor the 3rd parties'
BAD behaviour, which puts users/customers at risk!

And the argument is NOT about "older" components, but either end-of-life
or superseded components: the former may have unknown or unpublished
vulnerabilities, while the latter have known and published vulnerabilities.

JFTR: the MSVCRT shipped with Windows 7 is in the latter category!

Not only does Microsoft repeat the mantra "keep your software up-to-date"
over and over again, but it doesn't live it!
> It is an interesting question why it is expedient to install these
> everywhere, whatever their vintage, just like cmd.exe. It would be valuable
> to know what the dependencies on these are and for whom is it convenient
> that they are always there.

That's just the icing on the cake.

stay tuned
Stefan

> -----Original Message-----
> From: Fulldisclosure <fulldisclosure-bounces@...lists.org> On Behalf Of
> Stefan Kanthak
> Sent: Monday, February 24, 2020 09:06
> To: fulldisclosure@...lists.org
> Cc: bugtraq@...urityfocus.com
> Subject: [FD] Defense in depth -- the Microsoft way (part 62): Windows
> shipped with end-of-life components
>
> Hi @ll,
>
> since Microsoft Server 2003 R2, Microsoft dares to ship and install the
> abomination known as .NET Framework with every new version of Windows.
>
> Among other components current versions of Windows and .NET Framework
> include
>
> C# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe,
>              C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe)
> J# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe,
>              C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe)
> VB# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe,
>               C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe)
> resource converter (C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe,
>                     C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe)
> IL assembler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe,
>               C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe)
> assembly linker (C:\Windows\Microsoft.NET\Framework\v2.0.50727\al.exe)
>
> Microsoft builds (not just) these programs with Visual C 2005, an
> UNSUPPORTED product that reached its end-of-life on 2016-04-12: see
> <https://support.microsoft.com/en-us/lifecycle/search?alpha=Visual%20C%202005>
>
> Of course these programs are linked to the equally UNSUPPORTED Visual C
> 2005 runtime that also reached its end-of-life 2016-04-12, which Microsoft
> but nevertheless still dares to ship as side-by-side component:
>
> [ ... ]

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
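An added example, not part of Stefan Kanthak's post and not a Microsoft tool: a PowerShell inventory that shows on a given machine exactly what the thread argues about, namely which versions of the Visual C++ 2005 (VC80) CRT are installed side-by-side in WinSxS, which of them are superseded, and which CRT version each of the .NET 2.0 tools named in the post requests in its embedded manifest. Two things are assumptions rather than facts from the page: the WinSxS folder naming pattern (architecture, assembly name, public key token, version, culture, hash, separated by underscores) and the default for `-LatestKnownGood`, which you should replace with the version from the Microsoft advisory that applies to your environment.

```powershell
# Added example (not from the thread, not Microsoft's code): inventory the
# Visual C++ 2005 (VC80) CRT side-by-side assemblies and the .NET 2.0 tools
# named in the post, and flag superseded runtime versions.
param(
    # ASSUMPTION: the last VC80 CRT version Microsoft released; take the real
    # value from the advisory that applies to you before trusting the flag.
    [version]$LatestKnownGood = '8.0.50727.6195'
)

$sxs = Join-Path $env:SystemRoot 'WinSxS'

# ASSUMPTION: WinSxS folders for the VC80 CRT are named like
#   x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_<hash>
# i.e. <arch>_<name>_<publicKeyToken>_<version>_<culture>_<hash>.
$crtDirs = Get-ChildItem -Path $sxs -Directory -Filter '*_microsoft.vc80.crt_*' -ErrorAction SilentlyContinue

$crtInventory = foreach ($dir in $crtDirs) {
    $parts = $dir.Name -split '_'
    $ver   = [version]$parts[3]
    $dll   = Join-Path $dir.FullName 'msvcr80.dll'
    [pscustomobject]@{
        Arch        = $parts[0]
        Version     = $ver
        Superseded  = ($ver -lt $LatestKnownGood)
        FileVersion = if (Test-Path $dll) { (Get-Item $dll).VersionInfo.FileVersion } else { '(missing)' }
        Folder      = $dir.Name
    }
}

"VC80 CRT assemblies installed side-by-side (LatestKnownGood = $LatestKnownGood):"
$crtInventory | Sort-Object Arch, Version | Format-Table -AutoSize

# The .NET Framework 2.0 tools listed in the post, 32- and 64-bit flavours.
# Each PE carries an embedded application manifest; the assemblyIdentity
# element in it names the CRT version the tool asks the SxS loader for.
$tools = 'csc.exe', 'jsc.exe', 'vbc.exe', 'cvtres.exe', 'ilasm.exe', 'al.exe'
$roots = 'Microsoft.NET\Framework\v2.0.50727', 'Microsoft.NET\Framework64\v2.0.50727' |
         ForEach-Object { Join-Path $env:SystemRoot $_ }

function Get-RequestedVc80CrtVersion([string]$Path) {
    # Cheap scan of the raw image for the manifest's assemblyIdentity; the
    # manifest is ASCII XML, so decoding the whole file as ASCII is enough.
    $text = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($Path))
    $m = [regex]::Match($text, 'name="Microsoft\.VC80\.CRT"[^>]*?version="([0-9.]+)"')
    if ($m.Success) { [version]$m.Groups[1].Value } else { $null }
}

$toolInventory = foreach ($root in $roots) {
    foreach ($tool in $tools) {
        $exe = Join-Path $root $tool
        if (-not (Test-Path $exe)) { continue }
        $vi  = (Get-Item $exe).VersionInfo
        $req = Get-RequestedVc80CrtVersion $exe
        [pscustomobject]@{
            Path             = $exe
            FileVersion      = $vi.FileVersion
            RequestedVC80CRT = if ($req) { $req } else { '(no VC80 manifest reference found)' }
            # A request below LatestKnownGood is only a problem if no publisher
            # policy in WinSxS redirects it to a newer CRT; the table above
            # tells you which versions are actually present.
            BelowLatest      = if ($req) { $req -lt $LatestKnownGood } else { $null }
        }
    }
}

"`n.NET 2.0 tools present and the VC80 CRT version each requests:"
$toolInventory | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the Windows version you care about; WinSxS is readable without elevation, but reading the tool images from the Framework directories is more reliable as administrator. The `Superseded` column answers the thread's question directly: every VC80 CRT folder whose version is lower than the latest one Microsoft released is a runtime with published fixes that this machine still carries, and any tool whose requested version lands in that set (with no publisher policy redirecting it upward) is loading it.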