Microsoft SDKs vulnerable

2014.12.23

Credit: Stefan Kanthak

Risk: Medium

Local: Yes

Remote: No

CVE: N/A

CWE: N/A

Hi @ll,
in their software development kits Microsoft typically ships
Visual C++ (cross) compilers with headers and libraries,
including the MSVCRT for both static and dynamic linking.
The compiler(s) and the libraries are almost never updated (the
only update I know is <https://support.microsoft.com/kb/949408>),
not even when a vulnerability has been detected and patched;
sometimes they are even outdated when the SDK ships.
The result: applications built with the SDKs and linked against
their outdated MSVCRT may be vulnerable!
JFTR: since the standard entry points [w]mainCRTStartup() and
[w]WinMainCRTStartup() for Win32 applications as well as
_DllMainCRTStartup() for Win32 DLLs are all defined in the
MSVCRT all binaries are typically linked against it.-(
Examples:
* the .NET Framework 2.0 SDK
(see <https://www.microsoft.com/download/details.aspx?id=19988>
and <https://www.microsoft.com/download/details.aspx?id=15354>;
the english version was digitally signed on 2005-09-23 and
published a few days later), ships version 14.0.50727.42 and
8.0.50727.42 of Visual C++ 2005 and and its utilities/libraries.
Visual C++ 2005 Express edition was published around the same
date and shipped the same (versions of the) files.
The latter but receives updates per Microsoft Update, most notably
* Service Pack 1
(see <https://www.microsoft.com/download/details.aspx?id=804>),
which ships version 14.0.50727.752 and 8.0.50727.762 of most of
the files;
* MS09-035
(see <https://technet.microsoft.com/library/security/bulletin/MS09-035>
alias <https://support.microsoft.com/kb/969706>,
<https://support.microsoft.com/kb/971090> and
<https://support.microsoft.com/kb/973544>),
which updates the MSVCRT (including header files etc.) to version
8.0.50727.4053;
* MS11-025
(see <https://technet.microsoft.com/library/security/bulletin/MS11-025>
alias <https://support.microsoft.com/kb/2500212>,
<https://support.microsoft.com/kb/2538218> and
<https://support.microsoft.com/kb/2538242>),
which updates the MSVCRT (including header files etc.) to version
8.0.50727.6195.
* the Platform SDK for Windows Server 2003 SP1 (and R2 too)
(see <https://www.microsoft.com/download/details.aspx?id=15656>
or <https://www.microsoft.com/en-us/download/details.aspx?id=6510>)
ships versions 14.0.40310.41/14.0.30402.0 and
8.0.40310.37/8.0.40310.39/8.0.40310.29 of Visual C++ 2005 (cross)
compilers and their utilities/libraries.
See above for missing updates and security patches!
* the Windows SDK for Windows 7 and .NET Framework 3.5 SP1
(see <https://www.microsoft.com/download/details.aspx?id=3138>
or <https://www.microsoft.com/download/details.aspx?id=18950>;
digitally signed on 2009-07-15 and published about a week later)
ships version 15.0.30729.1 and 9.0.30729.1 of Visual C++ 2008 SP1
(cross) compilers and their utilities/libraries.
Visual C++ 2008 SP1 Express edition
(<http://download.microsoft.com/download/e/8/e/e8eeb394-7f42-4963-a2d8-29559b738298/VS2008ExpressWithSP1ENUX1504728.iso>)
was published around the same date and shipped the same (versions
of the) files.
The latter but receives updates per Microsoft Update, most notably
* MS09-035
(see <https://technet.microsoft.com/library/security/bulletin/MS09-035>,
alias <https://support.microsoft.com/kb/969706>,
<https://support.microsoft.com/kb/971092> and
<https://support.microsoft.com/kb/973552>),
which updates the MSVCRT (including header files etc.) to version
9.0.30729.4148;
* MS11-025
(see <https://technet.microsoft.com/library/security/bulletin/MS11-025>,
alias <https://support.microsoft.com/kb/2500212>,
<https://support.microsoft.com/kb/2538241> and
<https://support.microsoft.com/kb/2538243>),
which updates the MSVCRT (including header files etc.) to version
9.0.30729.6191.
* the Windows SDK for Windows 7 and .NET Framework 4
(see <https://www.microsoft.com/download/details.aspx?id=8279>
or <https://www.microsoft.com/download/details.aspx?id=8442>)
ships version 16.0.40219.1 and 10.0.40219.1 of Visual C++ 2010
(cross) compilers and their utilities/libraries.
The following updates are not deployed for this SDK:
* Service Pack 1
(see https://www.microsoft.com/download/details.aspx?id=23691
or <https://support.microsoft.com/kb/983509>);
* MS11-025
(see <https://technet.microsoft.com/library/security/bulletin/MS11-025>,
alias <https://support.microsoft.com/kb/2500212>,
<https://support.microsoft.com/kb/2565057> and
<https://support.microsoft.com/kb/2565063>),
which updates the MSVCRT (including header files etc.) to version
10.0.40219.325.
regards
Stefan Kanthak

References:

https://www.microsoft.com/download/details.aspx?id=23691

http://seclists.org/fulldisclosure/2014/Dec/102

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Microsoft SDKs vulnerable

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.