Re: Defense in depth -- the Microsoft way (part 62): Windows shipped with end-of-life components

["Stefan Kanthak" <stefan.kanthak () nexgo de>]

"Dennis E. Hamilton" <dennis.hamilton () acm org> wrote:

> One correction: jsc.exe is a JavaScript command line processor.  J# is not
> and must not be shipped in Windows.
>
> The opinion about the .NET Framework notwithstanding, the presumption that
> these utilities are defective because they were built with older versions of
> Visual C (and its libraries, presumably) does not imply existence of
> defects.

These utilities are just the anchor; the very point is that Microsoft ships
SUPERCEEDED and VULNERABLE versions of the Visual C++ 2005 runtime with
(certain versions) of Windows and other products, against their own
recommendation:

| In the case where a system has no MFC applications currently installed
| but does have the vulnerable Visual Studio or Visual C++ runtimes
| installed, Microsoft recommends that users install this update as a
| defense-in-depth measure, in case of an attack vector being introduced
| or becoming known at a later time.

> I see third-party software that also employ older redistributables,
> some back to 2005.

"Same old sin"!
This does neither justify Microsoft's nor the 3rd parties BAD behaviour,
which puts users/customers at risk!
And the arguement is NOT about "older" components, but either end-of-life
or superceeded components: the former may have unknown or unpublished
vulnerabilities, while the latter have known and published vulnerabilities.

JFTR: the MSVCRT shipped with Windows 7 is in the latter category!

Not only Microsoft repeats the mantra "keep your software up-to-date" over
and over again, but doesn't live it!

> It is an interesting questions why it is expedient to install these
> everywhere, whatever their vintage, just like cmd.exe.  It would be valuable
> to know what the dependencies on these are and for whom is it convenient
> that they are always there.

That's just the icing on the cake.

stay tuned
Stefan

> -----Original Message-----
> From: Fulldisclosure <fulldisclosure-bounces () seclists org> On Behalf Of
> Stefan Kanthak
> Sent: Monday, February 24, 2020 09:06
> To: fulldisclosure () seclists org
> Cc: bugtraq () securityfocus com
> Subject: [FD] Defense in depth -- the Microsoft way (part 62): Windows
> shipped with end-of-life components
>
> Hi @ll,
>
> since Microsoft Server 2003 R2, Microsoft dares to ship and install the
> abomination known as .NET Framework with every new version of Windows.
>
> Among other components current versions of Windows and .NET Framework
> include
>
> C# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe,
>             C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe)
> J# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe,
>             C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe)
> VB# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe,
>             C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe)
> resource converter
> (C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe,
>
> C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe)
> IL assembler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe,
>              C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe)
> assembly linker (C:\Windows\Microsoft.NET\Framework\v2.0.50727\al.exe)
>
> Microsoft builds (not just) these programs with Visual C 2005, an
> UNSUPPORTED product that reached its end-of-life on 2016-04-12: see
> <https://support.microsoft.com/en-us/lifecycle/search?alpha=Visual%20C%20200
> 5>
>
> Of course these programs are linked to the equally UNSUPPORTED Visual C
> 2005 runtime that also reached its end-of-life 2016-04-12, which Microsoft
> but nevertheless still dares to ship as side-by-side component:
>
> [ ... ]

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/