Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:29427
HistoryJun 03, 2013 - 12:00 a.m.

Vulnerable Microsoft VC++ 2005 RTM runtime libraries installed with "Microsoft Security Essentials" (and numerous other Microsoft products)

2013-06-0300:00:00
vulners.com
27
JSON

Hi @ll,

this is part 2 of "Defense in depth – the Microsoft way", see
<http://seclists.org/fulldisclosure/2013/May/107&gt;

On Windows NT 5.x the current "Microsoft Security Essentials" v4.2
(available from <http://www.microsoft.com/security_essentials&gt;,
and offered as optional update KB2804527 via "Microsoft Update)
as well as MANY other Microsoft products [*] install outdated and
vulnerable Microsoft Visual C++ Runtime Libraries MSVC?80.DLL
v8.0.50727.42

| C:\>filever /S %SystemRoot%\msvc?80.dll
| c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvc*
| --a-- W32i DLL ENU 8.0.50727.42 shp 479,232 09-22-2005 msvcm80.dll
| --a-- W32i DLL ENU 8.0.50727.42 shp 548,864 09-22-2005 msvcp80.dll
| --a-- W32i DLL ENU 8.0.50727.42 shp 626,688 09-22-2005 msvcr80.dll

These libraries come as part of the bundled component "Microsoft
Application Error Reporting"; its installer DW20Shared.msi contains
the outdated and vulnerable libraries (which are installed even if
a newer version is already present) in form of an MSI merge module
which in turn is part of Visual C++/Studio 2005 RTM, whose support
ended 2008-01-08, see
<http://support.microsoft.com/lifecycle/search/default.aspx?sort=PN&amp;alpha=Visual+Studio+2005&amp;Filter=FilterNO&gt;

Current and supported versions of Visual C++/Studio 2005 SP1 come
with updated MSI merge modules, see
<http://support.microsoft.com/kb/2643995&gt;

These libraries (as well as the MSI merge module) have been updated
multiple times since: see
<http://support.microsoft.com/kb/919588&gt;
<http://support.microsoft.com/kb/923610&gt;
<http://support.microsoft.com/kb/932391&gt;
<http://support.microsoft.com/kb/932392&gt;
<http://support.microsoft.com/kb/973544&gt; (alias MS09-035)
<http://support.microsoft.com/kb/973882&gt;
<http://support.microsoft.com/kb/2467175&gt; (alias MS11-025)
<http://support.microsoft.com/kb/2538242&gt; (alias MS11-025)

Due to the end-of-life condition of Visual C++/Studio 2005 RTM the
security bulletins MS09-035 and MS11-025 dont list these old versions
any more.

The FAQ section of
<http://technet.microsoft.com/en-us/security/bulletin/ms11-025&gt; says:

| In the case where a system has no MFC applications currently installed
| but does have the vulnerable Visual Studio or Visual C++ runtimes
| installed, Microsoft recommends that users install this update as a
| defense-in-depth measure, in case of an attack vector being introduced
| or becoming known at a later time.

Of course the same holds for ATL applications (where MS09-035 recommends

| Developers who have built components and controls using ATL should
| download this update and recompile their components and controls
| following the guidance provided in the following MSDN article.

and refers to <http://msdn.microsoft.com/en-us/vstudio/ee309358.aspx&gt;&#41;
and CRT applications too.

The outdated and vulnerable libraries are NOT detected by the Windows
Update Agent and thus not replaced with their current version.

The VERY simple fix/mitigation: either uninstall DW20Shared.msi (run
MSIEXEC.EXE /X {95120000-00B9-0409-0000-0000000FF1CE})
or install the current MSVC++ 2005 Runtime Redistributable, see
<http://support.microsoft.com/kb/2538242&gt;

Timeline:

2012-06-18 vendor informed

2012-06-20 vendor acknowledges receipt

2012-06-20 sent additional info (log files)

2012-08-01 vendor replies: not reproducible on Windows 7

2012-08-02 sent additional info: only Windows XP and Server 2003
are affected, can be seen in the log files sent before

2012-10-09 sent additional info: (3rd party) products which dont
ship a current MSVC++ 2005 Runtime are affected too

2012-11-29 vendor replies: not able to find vulnerabilities

2012-11-29 asked vendor what MS09-035 and MS11-025 are good for
then, and for the purpose of their recommendations and
FAQ

2013-06-03 report published

Stefan Kanthak

[*] DW20Shared.msi is bundled with numerous other Microsoft products too,
including

* Windows Defender
* Forefront Security ...
* Office 2003 &#40;and every single component of it, Word, Excel, PowerPoint,
  Outlook, Visio, Access, Publisher, OneNote, Project, ...&#41;
* Office 2007 &#40;and every single component of it, Word, Excel, PowerPoint,
  Outlook, Visio, Access, Publisher, OneNote, Project, ...&#41;
* Office 2010 &#40;and every single component of it, Word, Excel, PowerPoint,
  Outlook, Visio, Access, Publisher, OneNote, Project, ...&#41;
* Office Communicator 2005
* Office Groove 2007
* Groove Server 2010
* Sharepoint Services 2.0
* Sharepoint Services 3.0
* SharePoint Designer 2007
* SharePoint Foundation 2010
* SharePoint Server 2010
* SQL Server 2005 Native Client
* SQL Server 2008 Native Client
* SQL Server 2010 Native Client
* SQL Server 2012 Native Client
* SQL Server Compact 3.5
* .NET Framework 2.0
* .NET Framework 3.0
* .NET Framework 3.5
...

Other products which dont ship with the MSVC++ 2005 Runtime
&#40;like the MDI to TIFF converter, see
&lt;http://www.microsoft.com/en-us/download/details.aspx?id=30328&gt;&#41;
use the outdated and vulnerable libraries too.
JSON