Microsoft SDKs vulnerable

2014.12.23
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Hi @ll,

in their software development kits Microsoft typically ships Visual C++ (cross) compilers with headers and libraries, including the MSVCRT for both static and dynamic linking.

The compiler(s) and the libraries are almost never updated (the only update I know is <https://support.microsoft.com/kb/949408>), not even when a vulnerability has been detected and patched; sometimes they are even outdated when the SDK ships.

The result: applications built with the SDKs and linked against their outdated MSVCRT may be vulnerable!

JFTR: since the standard entry points [w]mainCRTStartup() and [w]WinMainCRTStartup() for Win32 applications as well as _DllMainCRTStartup() for Win32 DLLs are all defined in the MSVCRT, all binaries are typically linked against it.-(

Examples:

* the .NET Framework 2.0 SDK (see <https://www.microsoft.com/download/details.aspx?id=19988> and <https://www.microsoft.com/download/details.aspx?id=15354>; the English version was digitally signed on 2005-09-23 and published a few days later) ships version 14.0.50727.42 and 8.0.50727.42 of Visual C++ 2005 and its utilities/libraries.

  Visual C++ 2005 Express edition was published around the same date and shipped the same (versions of the) files.

  The latter, however, receives updates via Microsoft Update, most notably

  * Service Pack 1 (see <https://www.microsoft.com/download/details.aspx?id=804>), which ships version 14.0.50727.752 and 8.0.50727.762 of most of the files;

  * MS09-035 (see <https://technet.microsoft.com/library/security/bulletin/MS09-035> alias <https://support.microsoft.com/kb/969706>, <https://support.microsoft.com/kb/971090> and <https://support.microsoft.com/kb/973544>), which updates the MSVCRT (including header files etc.) to version 8.0.50727.4053;

  * MS11-025 (see <https://technet.microsoft.com/library/security/bulletin/MS11-025> alias <https://support.microsoft.com/kb/2500212>, <https://support.microsoft.com/kb/2538218> and <https://support.microsoft.com/kb/2538242>), which updates the MSVCRT (including header files etc.) to version 8.0.50727.6195.

* the Platform SDK for Windows Server 2003 SP1 (and R2 too) (see <https://www.microsoft.com/download/details.aspx?id=15656> or <https://www.microsoft.com/en-us/download/details.aspx?id=6510>) ships versions 14.0.40310.41/14.0.30402.0 and 8.0.40310.37/8.0.40310.39/8.0.40310.29 of Visual C++ 2005 (cross) compilers and their utilities/libraries.

  See above for missing updates and security patches!

* the Windows SDK for Windows 7 and .NET Framework 3.5 SP1 (see <https://www.microsoft.com/download/details.aspx?id=3138> or <https://www.microsoft.com/download/details.aspx?id=18950>; digitally signed on 2009-07-15 and published about a week later) ships version 15.0.30729.1 and 9.0.30729.1 of Visual C++ 2008 SP1 (cross) compilers and their utilities/libraries.

  Visual C++ 2008 SP1 Express edition (<http://download.microsoft.com/download/e/8/e/e8eeb394-7f42-4963-a2d8-29559b738298/VS2008ExpressWithSP1ENUX1504728.iso>) was published around the same date and shipped the same (versions of the) files.

  The latter, however, receives updates via Microsoft Update, most notably

  * MS09-035 (see <https://technet.microsoft.com/library/security/bulletin/MS09-035>, alias <https://support.microsoft.com/kb/969706>, <https://support.microsoft.com/kb/971092> and <https://support.microsoft.com/kb/973552>), which updates the MSVCRT (including header files etc.) to version 9.0.30729.4148;

  * MS11-025 (see <https://technet.microsoft.com/library/security/bulletin/MS11-025>, alias <https://support.microsoft.com/kb/2500212>, <https://support.microsoft.com/kb/2538241> and <https://support.microsoft.com/kb/2538243>), which updates the MSVCRT (including header files etc.) to version 9.0.30729.6191.

* the Windows SDK for Windows 7 and .NET Framework 4 (see <https://www.microsoft.com/download/details.aspx?id=8279> or <https://www.microsoft.com/download/details.aspx?id=8442>) ships version 16.0.40219.1 and 10.0.40219.1 of Visual C++ 2010 (cross) compilers and their utilities/libraries.

  The following updates are not deployed for this SDK:

  * Service Pack 1 (see <https://www.microsoft.com/download/details.aspx?id=23691> or <https://support.microsoft.com/kb/983509>);

  * MS11-025 (see <https://technet.microsoft.com/library/security/bulletin/MS11-025>, alias <https://support.microsoft.com/kb/2500212>, <https://support.microsoft.com/kb/2565057> and <https://support.microsoft.com/kb/2565063>), which updates the MSVCRT (including header files etc.) to version 10.0.40219.325.

regards
Stefan Kanthak
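Added example, not part of the original post and not Microsoft's tooling: a build-audit check that compares the CRT version a binary declares in its side-by-side manifest, or the file version of a CRT DLL, against the MS11-025 levels listed above. The function names and the sample manifest are constructed for illustration, and the manifest is assumed to have been extracted from the binary already; statically linked binaries carry no such dependency entry.

```python
import re
import xml.etree.ElementTree as ET  # untrusted manifests: prefer defusedxml

# MSVCRT versions delivered by MS11-025, as listed in the advisory above.
MS11_025 = {
    8: (8, 0, 50727, 6195),   # Visual C++ 2005
    9: (9, 0, 30729, 6191),   # Visual C++ 2008 SP1
    10: (10, 0, 40219, 325),  # Visual C++ 2010
}
ASM_NS = "{urn:schemas-microsoft-com:asm.v1}"
CRT_NAME = re.compile(r"^Microsoft\.VC\d+\.(Debug)?CRT$")

# Constructed sample manifest, not taken from a real binary.
SAMPLE_MANIFEST = """\
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <dependency><dependentAssembly>
    <assemblyIdentity type="win32" name="Microsoft.VC80.CRT"
                      version="8.0.50727.42" processorArchitecture="x86"/>
  </dependentAssembly></dependency>
  <dependency><dependentAssembly>
    <assemblyIdentity type="win32" name="Microsoft.VC90.CRT"
                      version="9.0.30729.6191" processorArchitecture="x86"/>
  </dependentAssembly></dependency>
</assembly>
"""

def classify(version_text):
    """Compare a four-part CRT version with the MS11-025 level."""
    version = tuple(int(part) for part in version_text.split("."))
    if len(version) != 4:
        raise ValueError("expected a.b.c.d, got %r" % version_text)
    baseline = MS11_025.get(version[0])
    if baseline is None:
        return "unknown"
    return "outdated" if version < baseline else "ok"

def assess(manifest_xml):
    """Return (assembly, version, status) per CRT dependency in a manifest."""
    results = []
    for ident in ET.fromstring(manifest_xml).iter(ASM_NS + "assemblyIdentity"):
        name, version = ident.get("name", ""), ident.get("version")
        if version and CRT_NAME.match(name):
            results.append((name, version, classify(version)))
    return results

if __name__ == "__main__":
    for row in assess(SAMPLE_MANIFEST):
        print("%-20s %-16s %s" % row)
```

The manifest records the CRT version the binary was built against; where an updated redistributable and its publisher policy are installed, the version actually loaded at run time may be newer.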

References:

https://www.microsoft.com/download/details.aspx?id=23691
http://seclists.org/fulldisclosure/2014/Dec/102



Copyright 2018, cxsecurity.com

 
