Nmap Development mailing list archives

Re: Security update for Microsoft Visual C++ 2008 (vcredist_x86.exe)


From: David Fifield <david () bamsoftware com>
Date: Tue, 2 Mar 2010 18:07:40 -0700

On Sun, Feb 14, 2010 at 04:01:30PM +0100, Axel.Pettinger wrote:
> After installing Nmap's vcredist_x86.exe (v9.0.30729.17) on Windows 7
> I noticed that Windows Update wanted to install a security update:
>
> Microsoft Visual C++ 2008 Redistributable Package (KB973924)
> http://go.microsoft.com/fwlink/?LinkID=158264 redirects to
>
> MS09-035: Description of the ATL for Smart Devices security update for
> Visual Studio 2008: August 11, 2009
> http://support.microsoft.com/kb/973674
>
> The KB article points to:
> Microsoft Security Bulletin MS09-035 - Moderate
> Vulnerabilities in Visual Studio Active Template Library Could Allow
> Remote Code Execution (969706)
> http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx
>
> According to the security bulletin KB973924 belongs to:
> Visual Studio 2008 ATL for Smart Devices Security Update
> http://www.microsoft.com/downloads/details.aspx?familyid=e3bb6602-b7f4-4614-9999-77f5c6f66ccd&displaylang=en
>
> That update is a big one, my computer only downloaded a small file:
> http://download.windowsupdate.com/msdownload/update/software/secu/2009/07/atl90sp1-kb973924-x86_80b879911be205de69d7c59ea97f8169ff7b882e.exe
>
> Maybe the vcredist_x86.exe in the Nmap 5.21 archive should be replaced
> with the latest version (v9.0.30729.4148) to avoid the notification
> about the missing security update:
>
> Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package ATL
> Security Update
> http://www.microsoft.com/downloads/details.aspx?familyid=2051a0c1-c9b5-4b0a-a8f5-770a549fd78c&displaylang=en
> ->
> http://download.microsoft.com/download/9/7/7/977B481A-7BA6-4E30-AC40-ED51EB2028F2/vcredist_x86.exe

Thanks for doing all this research and providing the links. The best
summary of the whole situation I could find was from your link to
ms09-035.mspx:

        This security update is specifically intended for developers of
        components and controls. Developers who build and redistribute
        components and controls using ATL should install the update
        provided in this bulletin and follow the guidance provided to
        create, and distribute to their customers, components and
        controls that are not vulnerable to the vulnerabilities
        described in this security bulletin.

I can't pretend to understand all of what this is about, but it seems it
doesn't lead to any security vulnerability in Nmap? The discussion seems
mostly to be about ActiveX controls, and that the presence of the
version of the file we install could open vulnerabilities in other
programs.

Anyway, I've installed the updated file in r16916.

Before this, I still had version 9.0.30729.17 installed. I have
automatic updates turned on, but it must not have offered the newer
version to me. Do you have any idea why you got offered an update but I
didn't? This is on XP SP3.

Do you know if there's an automatic way to find the latest version of
the file? If I go to the download page for the pre-ATL fix version,

http://www.microsoft.com/downloads/details.aspx?familyid=A5C84275-3B97-4AB7-A40D-3802B2AF5FC2&displaylang=en

I don't see any notice that the version for download there has a
vulnerability and that I should instead install the newer version,

http://www.microsoft.com/downloads/details.aspx?familyid=2051a0c1-c9b5-4b0a-a8f5-770a549fd78c&displaylang=en

What I'm asking is, is there a way to check if the version we're using
has been replaced, without searching the contents of security
advisories?

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
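The question above asks for an automatic way to tell whether the bundled Visual C++ 2008 redistributable is older than the ATL security update. The following PowerShell script is an added example, not code from the thread or from the Nmap project: it reads the installed "Microsoft Visual C++ 2008" entries from the Windows Uninstall registry keys and flags any whose version is below 9.0.30729.4148, the build Axel cites for the MS09-035 package. The registry paths and the assumption that DisplayVersion carries the package build number are the author's, not stated in the thread.

```powershell
# Minimum build of the VC++ 2008 SP1 redistributable that carries the
# MS09-035 ATL fix (version quoted in the thread).
$minimumBuild = [version]'9.0.30729.4148'

# Uninstall keys for 32-bit and 64-bit installer entries (assumed paths).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-Vc2008RedistStatus {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Visual C++ 2008*' } |
        ForEach-Object {
            # DisplayVersion is assumed to hold the package build, e.g. 9.0.30729.17
            $parsed = $null
            $isParsed = [version]::TryParse($_.DisplayVersion, [ref]$parsed)
            [pscustomobject]@{
                Name        = $_.DisplayName
                Version     = $_.DisplayVersion
                NeedsUpdate = if ($isParsed) { $parsed -lt $minimumBuild } else { 'unknown' }
            }
        }
}

$status = Get-Vc2008RedistStatus
if (-not $status) {
    Write-Output 'No Microsoft Visual C++ 2008 redistributable entries found.'
} else {
    $status | Format-Table -AutoSize
    if ($status | Where-Object { $_.NeedsUpdate -eq $true }) {
        Write-Output "At least one entry is older than $minimumBuild; install the ATL security update package."
    }
}
```

A version that fails to parse is reported as "unknown" rather than silently treated as current, so a renamed or vendor-patched entry still gets a manual look.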
