Defense in depth -- the Microsoft way (part 62): Windows shipped with end-of-life components

From: Stefan Kanthak <stefan.kanthak@nexgo.de>
To: fulldisclosure@seclists.org
Cc: bugtraq@securityfocus.com
Subject: Defense in depth -- the Microsoft way (part 62): Windows shipped with end-of-life components
Date:


Hi @ll,

since Microsoft Server 2003 R2, Microsoft dares to ship and install the
abomination known as .NET Framework with every new version of Windows.

Among other components current versions of Windows and .NET Framework
include

C# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe,
             C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe)
J# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe,
             C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe)
VB# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe,
             C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe)
resource converter (C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe,
                    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe)
IL assembler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe,
              C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe)
assembly linker (C:\Windows\Microsoft.NET\Framework\v2.0.50727\al.exe)

Microsoft builds (not just) these programs with Visual C 2005, an
UNSUPPORTED product that reached its end-of-life on 2016-04-12: see
<https://support.microsoft.com/en-us/lifecycle/search?alpha=Visual%20C%202005>

Of course these programs are linked to the equally UNSUPPORTED Visual C
2005 runtime that also reached its end-of-life 2016-04-12, which
Microsoft but nevertheless still dares to ship as side-by-side component:

Windows 10 1909

C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9659_none_88dfc6bf2faefcc6\MSVCR80.dll
C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9659_none_88dfc6bf2faefcc6\MSVCR80.dll

Windows 7 SP1, with Microsoft Security Essentials installed

C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\msvcm80.dll
C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\msvcp80.dll
C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\msvcr80.dll
C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad\msvcm80.dll
C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad\msvcp80.dll
C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad\msvcr80.dll
C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcm80.dll
C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcp80.dll
C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll


The latest security update for the Visual C++ runtime was published
2011-06-04 and updated the version to 8.0.50727.6195: see
<https://support.microsoft.com/en-us/help/2538242/ms11-025-description-of-the-security-update-for-visual-c-2005-sp1-redi>

The FAQ section of
<http://technet.microsoft.com/en-us/security/bulletin/ms11-025> says:

| In the case where a system has no MFC applications currently installed
| but does have the vulnerable Visual Studio or Visual C++ runtimes
| installed, Microsoft recommends that users install this update as a
| defense-in-depth measure, in case of an attack vector being introduced
| or becoming known at a later time.

Microsoft ships VULNERABLE components with .NET Framework and Windows, then
recommends that their unsuspecting users update them, but fails to update
their crap themselses!
In other words: "quod licet jovi non licet bovi"!

JFTR: another highlight (really: a BLATANT lie) from
      <http://technet.microsoft.com/en-us/security/bulletin/ms11-025> is:

| Recommendation. The majority of customers have automatic updating enabled
| and will not need to take any action because this security update will be
| downloaded and installed automatically.

NO, Windows Update does NOT update the OUTDATED and VULNERABLE Visual C++
runtime shipped with .NET Framework in Windows 7!

The previous security update was published 2009-07-28 and updated
the version to 8.0.50727.4053: see
<https://support.microsoft.com/en-us/help/973544> plus
<https://support.microsoft.com/en-gb/help/969706/ms09-035-vulnerabilities-in-visual-studio-active-template-libraries-co>

Of course the statement from the FAQ section of MS11-025 holds for ATL
applications (where MS09-035 should have an equivalent FAQ entry) and
CRT applications too!

Additionally see the MSKB article
<https://support.microsoft.com/en-us/help/2977003/the-latest-supported-visual-c-downloads>
which does NOT even list the MSVCRT 2005 any more!


stay tuned, and FAR AWAY from untrustworthy and insecure software like .NET Framework and Windows 7
Stefan Kanthak

PS: <https://msdn.microsoft.com/en-us/vstudio/bb188593.aspx> shows
    2017-10-10 as EOL for the separate J# redistributable package.





Copyright © 1995-2020 LinuxRocket.net. All rights reserved.