Microsoft SDKs vulnerable

Published
Credit
Risk
2014.12.23
Stefan Kanthak
Medium
CWE
CVE
Local
Remote
N/A
N/A
Yes
No

Hi @ll,

in their software development kits Microsoft typically ships
Visual C++ (cross) compilers with headers and libraries,
including the MSVCRT for both static and dynamic linking.

The compiler(s) and the libraries are almost never updated (the
only update I know is <https://support.microsoft.com/kb/949408>),
not even when a vulnerability has been detected and patched;
sometimes they are even outdated when the SDK ships.

The result: applications built with the SDKs and linked against
their outdated MSVCRT may be vulnerable!

JFTR: since the standard entry points [w]mainCRTStartup() and
[w]WinMainCRTStartup() for Win32 applications as well as
_DllMainCRTStartup() for Win32 DLLs are all defined in the
MSVCRT all binaries are typically linked against it.-(

Examples:

* the .NET Framework 2.0 SDK
(see <https://www.microsoft.com/download/details.aspx?id=19988>
and <https://www.microsoft.com/download/details.aspx?id=15354>;
the english version was digitally signed on 2005-09-23 and
published a few days later), ships version 14.0.50727.42 and
8.0.50727.42 of Visual C++ 2005 and and its utilities/libraries.

Visual C++ 2005 Express edition was published around the same
date and shipped the same (versions of the) files.

The latter but receives updates per Microsoft Update, most notably

* Service Pack 1
(see <https://www.microsoft.com/download/details.aspx?id=804>),
which ships version 14.0.50727.752 and 8.0.50727.762 of most of
the files;

* MS09-035
(see <https://technet.microsoft.com/library/security/bulletin/MS09-035>
alias <https://support.microsoft.com/kb/969706>,
<https://support.microsoft.com/kb/971090> and
<https://support.microsoft.com/kb/973544>),
which updates the MSVCRT (including header files etc.) to version
8.0.50727.4053;

* MS11-025
(see <https://technet.microsoft.com/library/security/bulletin/MS11-025>
alias <https://support.microsoft.com/kb/2500212>,
<https://support.microsoft.com/kb/2538218> and
<https://support.microsoft.com/kb/2538242>),
which updates the MSVCRT (including header files etc.) to version
8.0.50727.6195.


* the Platform SDK for Windows Server 2003 SP1 (and R2 too)
(see <https://www.microsoft.com/download/details.aspx?id=15656>
or <https://www.microsoft.com/en-us/download/details.aspx?id=6510>)
ships versions 14.0.40310.41/14.0.30402.0 and
8.0.40310.37/8.0.40310.39/8.0.40310.29 of Visual C++ 2005 (cross)
compilers and their utilities/libraries.

See above for missing updates and security patches!


* the Windows SDK for Windows 7 and .NET Framework 3.5 SP1
(see <https://www.microsoft.com/download/details.aspx?id=3138>
or <https://www.microsoft.com/download/details.aspx?id=18950>;
digitally signed on 2009-07-15 and published about a week later)
ships version 15.0.30729.1 and 9.0.30729.1 of Visual C++ 2008 SP1
(cross) compilers and their utilities/libraries.

Visual C++ 2008 SP1 Express edition

(<http://download.microsoft.com/download/e/8/e/e8eeb394-7f42-4963-a2d8-29559b738298/VS2008ExpressWithSP1ENUX1504728.iso>)
was published around the same date and shipped the same (versions
of the) files.

The latter but receives updates per Microsoft Update, most notably

* MS09-035
(see <https://technet.microsoft.com/library/security/bulletin/MS09-035>,
alias <https://support.microsoft.com/kb/969706>,
<https://support.microsoft.com/kb/971092> and
<https://support.microsoft.com/kb/973552>),
which updates the MSVCRT (including header files etc.) to version
9.0.30729.4148;

* MS11-025
(see <https://technet.microsoft.com/library/security/bulletin/MS11-025>,
alias <https://support.microsoft.com/kb/2500212>,
<https://support.microsoft.com/kb/2538241> and
<https://support.microsoft.com/kb/2538243>),
which updates the MSVCRT (including header files etc.) to version
9.0.30729.6191.


* the Windows SDK for Windows 7 and .NET Framework 4
(see <https://www.microsoft.com/download/details.aspx?id=8279>
or <https://www.microsoft.com/download/details.aspx?id=8442>)
ships version 16.0.40219.1 and 10.0.40219.1 of Visual C++ 2010
(cross) compilers and their utilities/libraries.

The following updates are not deployed for this SDK:

* Service Pack 1
(see https://www.microsoft.com/download/details.aspx?id=23691
or <https://support.microsoft.com/kb/983509>);

* MS11-025
(see <https://technet.microsoft.com/library/security/bulletin/MS11-025>,
alias <https://support.microsoft.com/kb/2500212>,
<https://support.microsoft.com/kb/2565057> and
<https://support.microsoft.com/kb/2565063>),
which updates the MSVCRT (including header files etc.) to version
10.0.40219.325.


regards
Stefan Kanthak

References:

https://www.microsoft.com/download/details.aspx?id=23691
http://seclists.org/fulldisclosure/2014/Dec/102


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com