Nmap Development mailing list archives
Re: Security update for Microsoft Visual C++ 2008 (vcredist_x86.exe)
From: David Fifield <david () bamsoftware com>
Date: Tue, 2 Mar 2010 18:07:40 -0700
On Sun, Feb 14, 2010 at 04:01:30PM +0100, Axel.Pettinger wrote:
> After installing Nmap's vcredist_x86.exe (v9.0.30729.17) on Windows 7 I noticed that Windows Update wanted to install a security update:
>
> Microsoft Visual C++ 2008 Redistributable Package (KB973924)
> http://go.microsoft.com/fwlink/?LinkID=158264
>
> redirects to
>
> MS09-035: Description of the ATL for Smart Devices security update for Visual Studio 2008: August 11, 2009
> http://support.microsoft.com/kb/973674
>
> The KB article points to:
>
> Microsoft Security Bulletin MS09-035 - Moderate
> Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706)
> http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx
>
> According to the security bulletin KB973924 belongs to:
>
> Visual Studio 2008 ATL for Smart Devices Security Update
> http://www.microsoft.com/downloads/details.aspx?familyid=e3bb6602-b7f4-4614-9999-77f5c6f66ccd&displaylang=en
>
> That update is a big one; my computer only downloaded a small file:
> http://download.windowsupdate.com/msdownload/update/software/secu/2009/07/atl90sp1-kb973924-x86_80b879911be205de69d7c59ea97f8169ff7b882e.exe
>
> Maybe the vcredist_x86.exe in the Nmap 5.21 archive should be replaced with the latest version (v9.0.30729.4148) to avoid the notification about the missing security update:
>
> Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package ATL Security Update
> http://www.microsoft.com/downloads/details.aspx?familyid=2051a0c1-c9b5-4b0a-a8f5-770a549fd78c&displaylang=en
> -> http://download.microsoft.com/download/9/7/7/977B481A-7BA6-4E30-AC40-ED51EB2028F2/vcredist_x86.exe
Thanks for doing all this research and providing the links. The best summary of the whole situation I could find was from your link to ms09-035.mspx:

    This security update is specifically intended for developers of components and controls. Developers who build and redistribute components and controls using ATL should install the update provided in this bulletin and follow the guidance provided to create, and distribute to their customers, components and controls that are not vulnerable to the vulnerabilities described in this security bulletin.

I can't pretend to understand all of what this is about, but it seems it doesn't lead to any security vulnerability in Nmap? The discussion seems mostly to be about ActiveX controls, and that the presence of the version of the file we install could open vulnerabilities in other programs. Anyway, I've installed the updated file in r16916.

Before this, I still had version 9.0.30729.17 installed. I have automatic updates turned on, but it must not have offered the newer version to me. Do you have any idea why you got offered an update but I didn't? This is on XP SP3.

Do you know if there's an automatic way to find the latest version of the file? If I go to the download page for the pre-ATL-fix version,
http://www.microsoft.com/downloads/details.aspx?familyid=A5C84275-3B97-4AB7-A40D-3802B2AF5FC2&displaylang=en
I don't see any notice that the version for download there has a vulnerability and that I should instead install the newer version,
http://www.microsoft.com/downloads/details.aspx?familyid=2051a0c1-c9b5-4b0a-a8f5-770a549fd78c&displaylang=en

What I'm asking is, is there a way to check if the version we're using has been replaced, without searching the contents of security advisories?

David Fifield

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
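One mechanical answer to the question of whether a bundled vcredist_x86.exe predates the ATL fix is to read the file version out of the installer's own PE version resource and compare it with the build number of the ATL Security Update package. The script below is an added example written for this page; it is not part of Nmap, the thread, or any Microsoft tooling. It assumes that the two version numbers quoted in the thread (9.0.30729.17 for the pre-fix package, 9.0.30729.4148 for the ATL Security Update package) are the right threshold, so any file version at or above .4148 is treated as carrying the fix. It also takes a shortcut: instead of walking the PE resource directory it scans the file bytes for the VS_FIXEDFILEINFO signature 0xFEEF04BD and decodes the dwFileVersionMS/dwFileVersionLS DWORDs that follow it, which is sufficient for an installer whose own version resource comes before any embedded payload but could in principle hit a stray match inside packed data. The sample structures it parses when run without arguments are constructed inline for the demonstration.

```python
import struct
import sys

# Signature DWORD that opens every VS_FIXEDFILEINFO structure in a PE version resource.
VS_FFI_SIGNATURE = 0xFEEF04BD

# Threshold taken from the thread: 9.0.30729.17 is the pre-ATL-fix package and
# 9.0.30729.4148 is the ATL Security Update package.  Assumption made here:
# any file version at or above .4148 counts as carrying the fix.
ATL_FIXED_MIN = (9, 0, 30729, 4148)


def extract_file_version(data):
    """Return (major, minor, build, revision) from the first VS_FIXEDFILEINFO
    found in the raw bytes of a PE file, or None if none is present.

    Locates the structure by scanning for its signature rather than walking
    the resource directory (a shortcut, see the lead-in for the caveat)."""
    off = data.find(struct.pack("<I", VS_FFI_SIGNATURE))
    # Need the four leading DWORDs: dwSignature, dwStrucVersion,
    # dwFileVersionMS, dwFileVersionLS.
    if off < 0 or off + 16 > len(data):
        return None
    _sig, _struc_ver, file_ms, file_ls = struct.unpack_from("<IIII", data, off)
    return (file_ms >> 16, file_ms & 0xFFFF, file_ls >> 16, file_ls & 0xFFFF)


def needs_atl_update(version):
    """True when the parsed version predates the ATL Security Update build."""
    return tuple(version) < ATL_FIXED_MIN


def format_version(version):
    return ".".join(str(part) for part in version)


def build_fixedfileinfo(version):
    """Build a minimal 52-byte VS_FIXEDFILEINFO for the given version.
    Constructed sample data for testing, not a resource taken from a real file."""
    major, minor, build, rev = version
    file_ms = (major << 16) | minor
    file_ls = (build << 16) | rev
    # 13 DWORDs: signature, struct version 1.0, file version MS/LS, product
    # version MS/LS, flags mask, flags, OS, type, subtype, date MS/LS.
    return struct.pack("<13I", VS_FFI_SIGNATURE, 0x00010000, file_ms, file_ls,
                       file_ms, file_ls, 0x3F, 0, 0x40004, 1, 0, 0, 0)


def check_redist(path):
    """Read a vcredist_x86.exe (or any PE) and report whether it predates the fix."""
    with open(path, "rb") as f:
        data = f.read()
    version = extract_file_version(data)
    if version is None:
        return "no version resource found"
    if needs_atl_update(version):
        verdict = "predates ATL fix, replace it"
    else:
        verdict = "at or above ATL fix"
    return "%s: %s" % (format_version(version), verdict)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_redist(sys.argv[1]))
    else:
        # Offline demonstration on constructed structures wrapped in padding.
        for v in ((9, 0, 30729, 17), (9, 0, 30729, 4148)):
            blob = b"MZ" + b"\x00" * 62 + build_fixedfileinfo(v) + b"\x00" * 16
            parsed = extract_file_version(blob)
            print(format_version(parsed), "needs update:", needs_atl_update(parsed))
```

Run it as `python check_vcredist.py vcredist_x86.exe` against the package shipped in the Nmap archive; with no argument it parses the two constructed samples. On a Windows box the same number is available without any parsing through `[System.Diagnostics.FileVersionInfo]::GetVersionInfo($path).FileVersion` in PowerShell; the script exists so the check can run from a build script on any platform. It answers only "is the bundled package older than the known fixed build", not "is this the newest package Microsoft has published", which is the part of the question that still needs the advisory.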
Current thread:
- Security update for Microsoft Visual C++ 2008 (vcredist_x86.exe) Axel.Pettinger (Feb 14)
- Re: Security update for Microsoft Visual C++ 2008 (vcredist_x86.exe) David Fifield (Mar 02)
- Re: Security update for Microsoft Visual C++ 2008 (vcredist_x86.exe) Michael Pattrick (Mar 02)
- Re: Security update for Microsoft Visual C++ 2008 (vcredist_x86.exe) David Fifield (Mar 02)