Microsoft VC++ 2005 RTM runtime libraries installed with MSE

2013.06.03
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

This is part 2 of "Defense in depth -- the Microsoft way", see <http://seclists.org/fulldisclosure/2013/May/107>

On Windows NT 5.x the current "Microsoft Security Essentials" v4.2 (available from <http://www.microsoft.com/security_essentials>, and offered as optional update KB2804527 via "Microsoft Update") as well as MANY other Microsoft products [*] install outdated and vulnerable Microsoft Visual C++ Runtime Libraries MSVC?80.DLL v8.0.50727.42

| C:\>filever /S %SystemRoot%\msvc?80.dll
| c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvc*
| --a-- W32i DLL ENU 8.0.50727.42 shp 479,232 09-22-2005 msvcm80.dll
| --a-- W32i DLL ENU 8.0.50727.42 shp 548,864 09-22-2005 msvcp80.dll
| --a-- W32i DLL ENU 8.0.50727.42 shp 626,688 09-22-2005 msvcr80.dll

These libraries come as part of the bundled component "Microsoft Application Error Reporting"; its installer DW20Shared.msi contains the outdated and vulnerable libraries (which are installed even if a newer version is already present) in the form of an MSI merge module which in turn is part of Visual C++/Studio 2005 RTM, whose support ended 2008-01-08, see <http://support.microsoft.com/lifecycle/search/default.aspx?sort=PN&alpha=Visual+Studio+2005&Filter=FilterNO>

Current and supported versions of Visual C++/Studio 2005 SP1 come with updated MSI merge modules, see <http://support.microsoft.com/kb/2643995>

These libraries (as well as the MSI merge module) have been updated multiple times since: see

<http://support.microsoft.com/kb/919588>
<http://support.microsoft.com/kb/923610>
<http://support.microsoft.com/kb/932391>
<http://support.microsoft.com/kb/932392>
<http://support.microsoft.com/kb/973544> (alias MS09-035)
<http://support.microsoft.com/kb/973882>
<http://support.microsoft.com/kb/2467175> (alias MS11-025)
<http://support.microsoft.com/kb/2538242> (alias MS11-025)

Due to the end-of-life condition of Visual C++/Studio 2005 RTM the security bulletins MS09-035 and MS11-025 don't list these old versions any more.

The FAQ section of <http://technet.microsoft.com/en-us/security/bulletin/ms11-025> says:

| In the case where a system has no MFC applications currently installed
| but does have the vulnerable Visual Studio or Visual C++ runtimes
| installed, Microsoft recommends that users install this update as a
| defense-in-depth measure, in case of an attack vector being introduced
| or becoming known at a later time.

Of course the same holds for ATL applications (where MS09-035 recommends

| Developers who have built components and controls using ATL should
| download this update and recompile their components and controls
| following the guidance provided in the following MSDN article.

and refers to <http://msdn.microsoft.com/en-us/vstudio/ee309358.aspx>) and CRT applications too.

The outdated and vulnerable libraries are NOT detected by the Windows Update Agent and thus not replaced with their current version.

The VERY simple fix/mitigation: either uninstall DW20Shared.msi (run MSIEXEC.EXE /X {95120000-00B9-0409-0000-0000000FF1CE}) or install the current MSVC++ 2005 Runtime Redistributable, see <http://support.microsoft.com/kb/2538242>

Timeline:

2012-06-18    vendor informed
2012-06-20    vendor acknowledges receipt
2012-06-20    sent additional info (log files)
2012-08-01    vendor replies: not reproducible on Windows 7
2012-08-02    sent additional info: only Windows XP and Server 2003 are affected, can be seen in the log files sent before
2012-10-09    sent additional info: (3rd party) products which don't ship a current MSVC++ 2005 Runtime are affected too
2012-11-29    vendor replies: not able to find vulnerabilities
2012-11-29    asked vendor what MS09-035 and MS11-025 are good for then, and for the purpose of their recommendations and FAQ ...
2013-06-03    report published

Stefan Kanthak

[*] DW20Shared.msi is bundled with numerous other Microsoft products too, including

* Windows Defender
* Forefront Security ...
* Office 2003 (and every single component of it, Word, Excel, PowerPoint, Outlook, Visio, Access, Publisher, OneNote, Project, ...)
* Office 2007 (and every single component of it, Word, Excel, PowerPoint, Outlook, Visio, Access, Publisher, OneNote, Project, ...)
* Office 2010 (and every single component of it, Word, Excel, PowerPoint, Outlook, Visio, Access, Publisher, OneNote, Project, ...)
* Office Communicator 2005
* Office Groove 2007
* Groove Server 2010
* Sharepoint Services 2.0
* Sharepoint Services 3.0
* SharePoint Designer 2007
* SharePoint Foundation 2010
* SharePoint Server 2010
* SQL Server 2005 Native Client
* SQL Server 2008 Native Client
* SQL Server 2010 Native Client
* SQL Server 2012 Native Client
* SQL Server Compact 3.5
* .NET Framework 2.0
* .NET Framework 3.0
* .NET Framework 3.5
...

Other products which don't ship with the MSVC++ 2005 Runtime (like the MDI to TIFF converter, see <http://www.microsoft.com/en-us/download/details.aspx?id=30328>) use the outdated and vulnerable libraries too.
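
Added example, not part of the original advisory: a small triage script that parses collected `filever /S %SystemRoot%\msvc?80.dll` output and reports which side-by-side assembly directories still hold the v8.0.50727.42 runtime. The first assembly in the sample is the output quoted above; the second directory and its version 8.0.50727.9999 are constructed for the demonstration, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Version named in the advisory as the VC++ 2005 RTM runtime.
RTM_VERSION = (8, 0, 50727, 42)

# Sample input: first assembly as quoted in the advisory; the second
# directory and version 8.0.50727.9999 are constructed, not a real release.
SAMPLE = r"""
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvc*
--a-- W32i   DLL ENU    8.0.50727.42 shp    479,232 09-22-2005 msvcm80.dll
--a-- W32i   DLL ENU    8.0.50727.42 shp    548,864 09-22-2005 msvcp80.dll
--a-- W32i   DLL ENU    8.0.50727.42 shp    626,688 09-22-2005 msvcr80.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9999_x-ww_00000000\msvc*
--a-- W32i   DLL ENU  8.0.50727.9999 shp    632,656 01-01-2011 msvcr80.dll
"""

# A file line starts with a 5-character attribute field and ends with the DLL name.
FILE_LINE = re.compile(
    r"^\S{5}\s.*?\s(\d+\.\d+\.\d+\.\d+)\s.*\s(msvc[mpr]80\.dll)$", re.I)

def parse_filever(text):
    """Return {directory: [(dll_name, version_tuple), ...]} from filever /S output."""
    found, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip().lstrip("|").strip()  # tolerate mail-style '|' quoting
        if "\\" in line:                          # directory header (or prompt) line
            current = line.rsplit("\\", 1)[0].lower()
            continue
        m = FILE_LINE.match(line)
        if m and current:
            version = tuple(int(part) for part in m.group(1).split("."))
            found[current].append((m.group(2).lower(), version))
    return dict(found)

def rtm_assemblies(found):
    """Directories that contain at least one DLL at the RTM version."""
    return sorted(d for d, dlls in found.items()
                  if any(v == RTM_VERSION for _, v in dlls))

def newest_version(found):
    """Highest runtime version seen in the parsed output."""
    return max(v for dlls in found.values() for _, v in dlls)

if __name__ == "__main__":
    inventory = parse_filever(SAMPLE)
    for directory in rtm_assemblies(inventory):
        print("RTM runtime present:", directory)
    print("newest installed:", ".".join(map(str, newest_version(inventory))))
```
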

References:

http://www.microsoft.com/en-us/download/details.aspx?id=30328
http://support.microsoft.com/kb/2643995
http://seclists.org/fulldisclosure/2013/May/107

