Full Disclosure mailing list archives
Re: Defense in depth -- the Microsoft way (part 62): Windows shipped with end-of-life components
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Fri, 28 Feb 2020 18:25:48 +0100
"Dennis E. Hamilton" <dennis.hamilton () acm org> wrote:
> One correction: jsc.exe is a JavaScript command line processor. J# is not and must not be shipped in Windows. The opinion about the .NET Framework notwithstanding, the presumption that these utilities are defective because they were built with older versions of Visual C (and its libraries, presumably) does not imply existence of defects.
These utilities are just the anchor; the very point is that Microsoft ships SUPERSEDED and VULNERABLE versions of the Visual C++ 2005 runtime with (certain versions) of Windows and other products, against their own recommendation:

| In the case where a system has no MFC applications currently installed
| but does have the vulnerable Visual Studio or Visual C++ runtimes
| installed, Microsoft recommends that users install this update as a
| defense-in-depth measure, in case of an attack vector being introduced
| or becoming known at a later time.
> I see third-party software that also employs older redistributables, some back to 2005.
"Same old sin"! This does neither justify Microsoft's nor the 3rd parties' BAD behaviour, which puts users/customers at risk! And the argument is NOT about "older" components, but either end-of-life or superseded components: the former may have unknown or unpublished vulnerabilities, while the latter have known and published vulnerabilities. JFTR: the MSVCRT shipped with Windows 7 is in the latter category! Not only Microsoft repeats the mantra "keep your software up-to-date" over and over again, but doesn't live it!
> It is an interesting question why it is expedient to install these everywhere, whatever their vintage, just like cmd.exe. It would be valuable to know what the dependencies on these are and for whom is it convenient that they are always there.
That's just the icing on the cake.

Stay tuned
Stefan
-----Original Message-----
From: Fulldisclosure <fulldisclosure-bounces () seclists org> On Behalf Of Stefan Kanthak
Sent: Monday, February 24, 2020 09:06
To: fulldisclosure () seclists org
Cc: bugtraq () securityfocus com
Subject: [FD] Defense in depth -- the Microsoft way (part 62): Windows shipped with end-of-life components

Hi @ll,

since Microsoft Server 2003 R2, Microsoft dares to ship and install the abomination known as .NET Framework with every new version of Windows.

Among other components current versions of Windows and .NET Framework include

C# compiler
  (C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe,
   C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe)
J# compiler
  (C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe,
   C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe)
VB# compiler
  (C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe,
   C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe)
resource converter
  (C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe,
   C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe)
IL assembler
  (C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe,
   C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe)
assembly linker
  (C:\Windows\Microsoft.NET\Framework\v2.0.50727\al.exe)

Microsoft builds (not just) these programs with Visual C 2005, an UNSUPPORTED product that reached its end-of-life on 2016-04-12: see
<https://support.microsoft.com/en-us/lifecycle/search?alpha=Visual%20C%202005>

Of course these programs are linked to the equally UNSUPPORTED Visual C 2005 runtime that also reached its end-of-life 2016-04-12, which Microsoft nevertheless still dares to ship as side-by-side component:

[ ... ]
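An added audit script, not part of the thread or of any Microsoft tooling, that lets an administrator see the situation the post describes on a given machine: it lists the Visual C++ 2005 (VC80) CRT side-by-side assemblies staged in WinSxS and reads the VC80 CRT version that the .NET 2.0 tools named above bind to in their embedded manifests. The version threshold `$MinimumCrt` is a placeholder to be set to the currently patched VC80 CRT version; the function names are this example's own.

```powershell
# Added example (not code from the thread): audit VC80 CRT side-by-side assemblies
# and the VC80 CRT dependency declared by the .NET 2.0 tools named in the post.
# PLACEHOLDER: set to the currently patched VC80 CRT version for your environment;
# anything older is reported as superseded.
$MinimumCrt = [version]'8.0.50727.0'

function Get-VC80CrtAssemblies {
    # WinSxS folder names look like x86_microsoft.vc80.crt_<token>_<version>_none_<hash>
    Get-ChildItem -Path (Join-Path $env:windir 'WinSxS') -Directory -Filter '*microsoft.vc80.crt*' |
        ForEach-Object {
            if ($_.Name -match '_(\d+\.\d+\.\d+\.\d+)_') {
                [pscustomobject]@{
                    Assembly   = $_.Name
                    Version    = [version]$Matches[1]
                    Superseded = ([version]$Matches[1]) -lt $MinimumCrt
                }
            }
        }
}

function Get-ManifestVC80Dependency {
    param([Parameter(Mandatory)][string]$Path)
    # The RT_MANIFEST resource is plain XML inside the PE image, so a text scan suffices.
    $text = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($Path))
    $versions = foreach ($m in [regex]::Matches($text, '<assemblyIdentity[^>]*>')) {
        if ($m.Value -match 'name="Microsoft\.VC80\.CRT"' -and $m.Value -match 'version="([\d.]+)"') {
            [version]$Matches[1]
        }
    }
    [pscustomobject]@{
        File       = $Path
        VC80Crt    = ($versions | Sort-Object -Unique) -join ', '
        Superseded = [bool]($versions | Where-Object { $_ -lt $MinimumCrt })
    }
}

# Tools listed in the original post, in both Framework directories.
$tools = 'csc.exe', 'jsc.exe', 'vbc.exe', 'cvtres.exe', 'ilasm.exe', 'al.exe'
$dirs  = 'Microsoft.NET\Framework\v2.0.50727', 'Microsoft.NET\Framework64\v2.0.50727'

Get-VC80CrtAssemblies | Format-Table -AutoSize
$results = foreach ($d in $dirs) {
    foreach ($t in $tools) {
        $p = Join-Path $env:windir (Join-Path $d $t)
        if (Test-Path $p) { Get-ManifestVC80Dependency -Path $p }
    }
}
$results | Format-Table -AutoSize
```

Tools whose manifest binds to a VC80 CRT older than the threshold, or machines whose WinSxS still stages such a version, are the ones the post's "superseded" argument applies to.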