Re: Security update for Microsoft Visual C++ 2008 (vcredist_x86.exe)

[Michael Pattrick <mpattrick () rhinovirus org>]

On Tue, Mar 2, 2010 at 8:07 PM, David Fifield <david () bamsoftware com> wrote:
> I can't pretend to understand all of what this is about, but it seems it
> doesn't lead to any security vulnerability in Nmap? The discussion seems
> mostly to be about ActiveX controls, and that the presence of the
> version of the file we install could open vulnerabilities in other
> programs.

Hey David,

A good metric for determining if your software is vulnerable can be
found at [0]. Succinctly, because Nmap doesn't use Microsofts
proprietary COM interface, we have nothing to worry about.

If memory serves, patch action was really only required for Microsoft
Visual Studio developers, not runtime distributions; because affected
programs needed to be recompiled with the new headers, whereas
Microsoft is nice enough to automatically push down this update
automatically via windows update to end users.

Cheers,
Michael

[0] http://msdn.microsoft.com/en-us/visualc/ee309358.aspx
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/