Date: Wed, 13 Oct 2021 01:18:46 +0200
From: "Stefan Kanthak" <>
To: <>
Subject: [FD] Defense in depth -- the Microsoft way (part 78): completely
	vulnerable open source component(s) shipped with Windows 10&11

Hi @ll,

in December 2017, Microsoft announced that it would ship curl.exe and
tar.exe with Windows 10:

But they failed once again, MISERABLY, at least for curl: they took
the sources released 2017-11-14, let them rot for 2 years, applied
some patches, only to let them rot again since then!

| C:\Users\Public>winver
| Microsoft Windows [Version 10.0.19042.1083]
| C:\Users\Public>curl -V
| curl 7.55.1 (Windows) libcurl/7.55.1 WinSSL
| Release-Date: 2017-11-14, security patched: 2019-11-05
| Protocols: dict file ftp ftps http https imap imaps pop3 pop3s smtp smtps telnet tftp
| Features: AsynchDNS IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL

Version 7.55.1 is 34 releases and at least 15 (in words: FIFTEEN)
CVEs behind the current version 7.79.1: see 
<> and

Most obviously Microsoft's processes are so bad that they can't
build a current version and have to ship ROTTEN software instead!

stay tuned, and far away from such poorly maintained crap
Stefan Kanthak


2021-07-21 Vulnerability report sent to vendor

2021-07-22 Vendor acknowledged receipt, opened MSRC case 66388

2021-07-26 Vendor confirmed vulnerability

2021-08-05 Vendor announced fix, scheduled for release on 2021-10-12

2021-10-12 NO FIX RELEASED

Instead, the "security" update <>
ships the vulnerable component built 2019-08-12: see

| curl.exe,,12-Aug-2019,19:46,"386,048"
| curl.exe,,12-Aug-2019,20:28,"421,376"
| curl.exe,,12-Aug-2019,19:46,"386,048"
| Windows 10 version 1809 LCU Arm64-based,,,,
| File name,File version,Date,Time,File size
| curl.exe,,12-Aug-2019,19:37,"330,240"
| curl.exe,,12-Aug-2019,19:46,"386,048"
| curl.exe,,12-Aug-2019,20:22,"435,712"
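
A defender-side check for the condition described above, as an added example that is not part of the original post: it parses a `curl -V` banner like the one quoted in the message and reports whether the build is behind a baseline version and how old its last security patch is. The function names and the `BASELINE` default are assumptions made for this example; the sample banner is the one quoted in the post.

```python
import re
import subprocess
from datetime import date

# Banner quoted in the post (Protocols/Features lines omitted).
POST_BANNER = """curl 7.55.1 (Windows) libcurl/7.55.1 WinSSL
Release-Date: 2017-11-14, security patched: 2019-11-05
"""

# Assumption: 7.79.1 is the "current version" named in the post; raise it over time.
BASELINE = (7, 79, 1)


def parse_banner(text):
    """Extract version, release date and vendor patch date from `curl -V` output."""
    ver = re.search(r"^curl (\d+)\.(\d+)\.(\d+)", text, re.M)
    rel = re.search(r"^Release-Date: (\d{4}-\d{2}-\d{2})", text, re.M)
    if not ver or not rel:
        raise ValueError("not a recognisable curl -V banner")
    # "security patched:" only appears on vendor builds that backport fixes.
    pat = re.search(r"security patched: (\d{4}-\d{2}-\d{2})", text)
    released = date.fromisoformat(rel.group(1))
    return {
        "version": tuple(int(x) for x in ver.groups()),
        "released": released,
        "patched": date.fromisoformat(pat.group(1)) if pat else released,
    }


def audit(text, today, baseline=BASELINE):
    """Return the parsed banner plus staleness findings relative to `baseline`."""
    info = parse_banner(text)
    info["outdated"] = info["version"] < baseline
    # Age of the newest code in the binary: last backport, else the release itself.
    info["patch_age_days"] = (today - info["patched"]).days
    return info


if __name__ == "__main__":
    # Audit whichever curl is first on PATH.
    out = subprocess.run(["curl", "-V"], capture_output=True, text=True).stdout
    r = audit(out, date.today())
    print(r["version"], "outdated" if r["outdated"] else "at/above baseline",
          "- last patched", r["patched"], f"({r['patch_age_days']} days ago)")
```

The version comparison and the patch date are reported separately because a vendor build can carry backported fixes under an old version number, so neither value alone describes the binary.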

Sent through the Full Disclosure mailing list