lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 28 Feb 2020 18:25:48 +0100
From: "Stefan Kanthak" <>
To: <>,
Subject: Re: [FD] Defense in depth -- the Microsoft way (part 62):
	Windows	shipped with end-of-life components

"Dennis E. Hamilton" <> wrote:

> One correction: jsc.exe is a JavaScript command line processor.  J# is not
> and must not be shipped in Windows.
> The opinion about the .NET Framework notwithstanding, the presumption that
> these utilities are defective because they were built with older versions of
> Visual C (and its libraries, presumably) does not imply existence of
> defects.

These utilities are just the anchor; the very point is that Microsoft ships
SUPERCEEDED and VULNERABLE versions of the Visual C++ 2005 runtime with
(certain versions) of Windows and other products, against their own

| In the case where a system has no MFC applications currently installed
| but does have the vulnerable Visual Studio or Visual C++ runtimes
| installed, Microsoft recommends that users install this update as a
| defense-in-depth measure, in case of an attack vector being introduced
| or becoming known at a later time.

> I see third-party software that also employ older redistributables,
> some back to 2005.

"Same old sin"!
This does neither justify Microsoft's nor the 3rd parties BAD behaviour,
which puts users/customers at risk!
And the arguement is NOT about "older" components, but either end-of-life
or superceeded components: the former may have unknown or unpublished
vulnerabilities, while the latter have known and published vulnerabilities.

JFTR: the MSVCRT shipped with Windows 7 is in the latter category!

Not only Microsoft repeats the mantra "keep your software up-to-date" over
and over again, but doesn't live it!

> It is an interesting questions why it is expedient to install these
> everywhere, whatever their vintage, just like cmd.exe.  It would be valuable
> to know what the dependencies on these are and for whom is it convenient
> that they are always there.

That's just the icing on the cake.

stay tuned

> -----Original Message-----
> From: Fulldisclosure <> On Behalf Of
> Stefan Kanthak
> Sent: Monday, February 24, 2020 09:06
> To:
> Cc:
> Subject: [FD] Defense in depth -- the Microsoft way (part 62): Windows
> shipped with end-of-life components
> Hi @ll,
> since Microsoft Server 2003 R2, Microsoft dares to ship and install the
> abomination known as .NET Framework with every new version of Windows.
> Among other components current versions of Windows and .NET Framework
> include
> C# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe,
>             C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe)
> J# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe,
>             C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe)
> VB# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe,
>             C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe)
> resource converter
> (C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe,
> C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe)
> IL assembler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe,
>              C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe)
> assembly linker (C:\Windows\Microsoft.NET\Framework\v2.0.50727\al.exe)
> Microsoft builds (not just) these programs with Visual C 2005, an
> UNSUPPORTED product that reached its end-of-life on 2016-04-12: see
> <
> 5>
> Of course these programs are linked to the equally UNSUPPORTED Visual C
> 2005 runtime that also reached its end-of-life 2016-04-12, which Microsoft
> but nevertheless still dares to ship as side-by-side component:
> [ ... ]

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists