| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 13 Oct 2021 01:18:46 +0200 From: "Stefan Kanthak" <stefan.kanthak@...go.de> To: <fulldisclosure@...lists.org> Cc: bugtraq@...urityfocus.com Subject: [FD] Defense in depth -- the Microsoft way (part 78): completely outdated, vulnerable open source component(s) shipped with Windows 10&11 Hi @ll, in December 2017, Microsoft announced to ship curl.exe and tar.exe with Windows 10: <https://docs.microsoft.com/en-us/virtualization/community/team-blog/2017/20171219-tar-and-curl-come-to-windows> But they failed once again, MISERABLY, at least for curl: they took the sources released 2017-11-14, let them rot for 2 years, applied some patches, only to let them rot again since then! | C:\Users\Public>winver | Microsoft Windows [Version 10.0.19042.1083] | | C:\Users\Public>curl -V | curl 7.55.1 (Windows) libcurl/7.55.1 WinSSL | Release-Date: 2017-11-14, security patched: 2019-11-05 | Protocols: dict file ftp ftps http https imap imaps pop3 pop3s smtp smtps telnet tftp | Features: AsynchDNS IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL Version 7.55.1 is 34 releases and at least 15 (in words: FIFTEEN) CVEs behind the current version 7.79.1: see <https://curl.se/docs/releases.html> and <https://curl.se/docs/vulnerabilities.html> Most obviously Microsoft's processes are so bad that they can't build a current version and have to ship ROTTEN software instead! stay tuned, and far away from such poorly maintained crap Stefan Kanthak Timeline ~~~~~~~~ 2021-07-21 Vulnerability report sent to vendor 2021-07-22 Vendor acknowledged receipt, opened MSRC case 66388 2021-07-26 Vendor confirmed vulnerability 2021-08-05 Vendor announced fix, scheduled for release on 2021-10-12 2021-10-12 NO FIX RELEASED Instead, the "security" update <https://support.microsoft.com/help/5006672> ships the vulnerable component built 2019-08-12: see <https://download.microsoft.com/download/1/2/8/12827989-db1c-4765-b6a7-ae7ecc7e2ba3/5006672.csv> | curl.exe,7.55.1.0,12-Aug-2019,19:46,"386,048" | curl.exe,7.55.1.0,12-Aug-2019,20:28,"421,376" | curl.exe,7.55.1.0,12-Aug-2019,19:46,"386,048" ... | Windows 10 version 1809 LCU Arm64-based,,,, | File name,File version,Date,Time,File size | curl.exe,7.55.1.0,12-Aug-2019,19:37,"330,240" ... | curl.exe,7.55.1.0,12-Aug-2019,19:46,"386,048" ... | curl.exe,7.55.1.0,12-Aug-2019,20:22,"435,712" _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists