Full Disclosure mailing list archives
Defense in depth -- the Microsoft way (part 86): shipping rotten software to billions of unsuspecting customers
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Thu, 12 Oct 2023 00:58:16 +0200
Hi @ll,

the 7 cURL versions after 8.0.1, released March 20, 2023, <https://curl.se/docs/releases.html>, fix the following 3 vulnerabilities <https://curl.se/docs/vulnerabilities.html>:

CVE-2023-38039 <https://curl.se/docs/CVE-2023-38039.html>
CVE-2023-38545 <https://curl.se/docs/CVE-2023-38545.html>
CVE-2023-38546 <https://curl.se/docs/CVE-2023-38546.html>

Once again (really: for several months), in their VERY finite wisdom (really: almost INFINITE sloppiness and laziness), Microsoft dares to ship rotten and vulnerable software (i.e. cURL.exe 8.0.1) to billions of unsuspecting customers, i.e. they fail MISERABLY in following their own mantra "Keep your (build) systems patched".

The MSKB article <https://support.microsoft.com/en-us/kb/5031354> titled "October 10, 2023-KB5031354 (OS Build 22621.2428)" provides the following "file information" for Windows 11 22H2 <https://download.microsoft.com/download/5/4/4/544a5341-96a2-491f-9563-bf260206564f/5031354.csv>:

| "curl.exe","8.0.1.0","01-Oct-2023","02:06","559,616"
...
| "curl.exe","8.0.1.0","01-Oct-2023","02:06","445,952"
...
| "curl.exe","8.0.1.0","01-Oct-2023","02:06","498,688"
...
| "curl.exe","8.0.1.0","01-Oct-2023","02:24","566,272"
...
| "curl.exe","8.0.1.0","01-Oct-2023","02:24","498,688"

The MSKB article <https://support.microsoft.com/en-us/kb/5031356> titled "October 10, 2023-KB5031356 (OS Builds 19044.3570 and 19045.3570)" provides the following "file information" for Windows 10 22H2 <https://download.microsoft.com/download/e/9/9/e994fe4f-a5fe-49ae-ac4d-ce139efd147d/5031356.csv>:

| "curl.exe","8.0.1.0","30-Sep-2023","21:45","559,616"
...
| "curl.exe","8.0.1.0","30-Sep-2023","21:45","445,952"
...
| "curl.exe","8.0.1.0","30-Sep-2023","21:45","498,688"
...
| "curl.exe","8.0.1.0","30-Sep-2023","23:39","566,272"
...
| "curl.exe","8.0.1.0","30-Sep-2023","23:39","498,688"
...
| "curl.exe","8.0.1.0","30-Sep-2023","21:21","498,688"

The MSKB article <https://support.microsoft.com/en-us/kb/5031358> titled "October 10, 2023-KB5031358 (OS Build 22000.2538)" provides the following "file information" for Windows 11 21H2 <https://download.microsoft.com/download/0/1/7/01776958-e4d8-4015-82c9-72539ce3cbcc/5031358.csv>:

| "curl.exe","8.0.1.0","30-Sep-2023","20:15","559,616"
...
| "curl.exe","8.0.1.0","30-Sep-2023","20:15","445,952"
...
| "curl.exe","8.0.1.0","30-Sep-2023","20:15","498,688"
...
| "curl.exe","8.0.1.0","30-Sep-2023","22:23","566,272"
...
| "curl.exe","8.0.1.0","30-Sep-2023","22:23","498,688"

The MSKB article <https://support.microsoft.com/en-us/kb/5031361> titled "October 10, 2023-KB5031361 (OS Build 17763.4974)" provides the following "file information" for Windows 10 1809, Windows Server 1809, and Windows Server 2019 <https://download.microsoft.com/download/2/8/9/289b2614-512f-4284-a36d-b1e7fee365bd/5031361.csv>:

| "curl.exe","8.0.1.0","29-Mar-2023","21:55","559,616"
...
| "curl.exe","8.0.1.0","29-Mar-2023","22:28","445,952"
...
| "curl.exe","8.0.1.0","29-Mar-2023","22:13","498,688"
...
| "curl.exe","8.0.1.0","29-Mar-2023","22:36","566,272"
...
| "curl.exe","8.0.1.0","29-Mar-2023","22:13","498,688"
...
| "curl.exe","8.0.1.0","30-Mar-2023","05:13","498,688"

stay tuned, and far away from rotten software oozing out of Redmond
Stefan Kanthak

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
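As an added example (not part of Stefan Kanthak's post or of any Microsoft tooling), a Python check that reads rows in the MSKB "file information" shape quoted above and reports which of the three listed CVEs a given curl.exe file version still lacks the fix for. The fix versions (8.3.0 for CVE-2023-38039, 8.4.0 for CVE-2023-38545 and CVE-2023-38546) come from curl's advisories; the column order and the 8.4.0.0 sample row are assumptions, not data from the KB articles.

```python
import csv
import io

# Fix versions as recorded in curl's advisories (https://curl.se/docs/vulnerabilities.html):
# CVE-2023-38039 was fixed in curl 8.3.0, CVE-2023-38545 and CVE-2023-38546 in 8.4.0.
FIXED_IN = {
    "CVE-2023-38039": (8, 3, 0),
    "CVE-2023-38545": (8, 4, 0),
    "CVE-2023-38546": (8, 4, 0),
}

# Constructed sample in the shape of the MSKB "file information" rows quoted in the post
# (the real CSVs carry more columns after the size; the 8.4.0.0 row is invented to show
# a non-vulnerable result and does not describe any actual Microsoft build).
SAMPLE_ROWS = '''"curl.exe","8.0.1.0","01-Oct-2023","02:06","559,616"
"curl.exe","8.0.1.0","01-Oct-2023","02:24","566,272"
"libcurl.dll","8.0.1.0","01-Oct-2023","02:06","498,688"
"curl.exe","8.4.0.0","31-Dec-2023","00:00","570,000"
'''

def parse_version(text):
    """Normalise '8.0.1.0' (Win32 file version) or '8.4.0' (curl release) to (major, minor, patch)."""
    parts = [int(p) for p in text.strip().split(".")]
    parts += [0] * (3 - len(parts))          # pad short strings such as '8.4'
    return tuple(parts[:3])                  # the 4th Win32 field is not a curl version component

def open_cves(version):
    """CVEs from FIXED_IN whose fix a curl build of this version does not contain."""
    v = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if v < fixed)

def scan_file_information(csv_text, file_name="curl.exe"):
    """Walk file-information rows (assumed column order: name, version, date, time, size, ...)
    and report every row for file_name with the CVEs its version is still exposed to."""
    findings = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 2 or row[0].lower() != file_name:
            continue
        findings.append({"version": row[1],
                         "date": row[2] if len(row) > 2 else "",
                         "open_cves": open_cves(row[1])})
    return findings

if __name__ == "__main__":
    for f in scan_file_information(SAMPLE_ROWS):
        state = ", ".join(f["open_cves"]) or "no open CVE from the list"
        print(f"curl.exe {f['version']} ({f['date']}): {state}")
```

The same comparison applies to the curl.exe actually installed on a host: read its file version from the binary's version resource and feed it to open_cves.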