Bugtraq
mailing list archives
Hi @ll, since Microsoft Server 2003 R2, Microsoft dares to ship and install the abomination known as .NET Framework with every new version of Windows. Among other components current versions of Windows and .NET Framework include C# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe, C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe) J# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe, C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe) VB# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe) resource converter (C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe, C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe) IL assembler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe, C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe) assembly linker (C:\Windows\Microsoft.NET\Framework\v2.0.50727\al.exe) Microsoft builds (not just) these programs with Visual C 2005, an UNSUPPORTED product that reached its end-of-life on 2016-04-12: see <https://support.microsoft.com/en-us/lifecycle/search?alpha=Visual%20C%202005> Of course these programs are linked to the equally UNSUPPORTED Visual C 2005 runtime that also reached its end-of-life 2016-04-12, which Microsoft but nevertheless still dares to ship as side-by-side component: Windows 10 1909 C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9659_none_88dfc6bf2faefcc6\MSVCR80.dll C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9659_none_88dfc6bf2faefcc6\MSVCR80.dll Windows 7 SP1, with Microsoft Security Essentials installed C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\msvcm80.dll C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\msvcp80.dll C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_88df89932faf0bf6\msvcr80.dll C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad\msvcm80.dll C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad\msvcp80.dll C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad\msvcr80.dll C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcm80.dll C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcp80.dll C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll The latest security update for the Visual C++ runtime was published 2011-06-04 and updated the version to 8.0.50727.6195: see <https://support.microsoft.com/en-us/help/2538242/ms11-025-description-of-the-security-update-for-visual-c-2005-sp1-redi> The FAQ section of <http://technet.microsoft.com/en-us/security/bulletin/ms11-025> says: | In the case where a system has no MFC applications currently installed | but does have the vulnerable Visual Studio or Visual C++ runtimes | installed, Microsoft recommends that users install this update as a | defense-in-depth measure, in case of an attack vector being introduced | or becoming known at a later time. Microsoft ships VULNERABLE components with .NET Framework and Windows, then recommends that their unsuspecting users update them, but fails to update their crap themselses! In other words: "quod licet jovi non licet bovi"! JFTR: another highlight (really: a BLATANT lie) from <http://technet.microsoft.com/en-us/security/bulletin/ms11-025> is: | Recommendation. The majority of customers have automatic updating enabled | and will not need to take any action because this security update will be | downloaded and installed automatically. NO, Windows Update does NOT update the OUTDATED and VULNERABLE Visual C++ runtime shipped with .NET Framework in Windows 7! The previous security update was published 2009-07-28 and updated the version to 8.0.50727.4053: see <https://support.microsoft.com/en-us/help/973544> plus <https://support.microsoft.com/en-gb/help/969706/ms09-035-vulnerabilities-in-visual-studio-active-template-libraries-co> Of course the statement from the FAQ section of MS11-025 holds for ATL applications (where MS09-035 should have an equivalent FAQ entry) and CRT applications too! Additionally see the MSKB article <https://support.microsoft.com/en-us/help/2977003/the-latest-supported-visual-c-downloads> which does NOT even list the MSVCRT 2005 any more! stay tuned, and FAR AWAY from untrustworthy and insecure software like .NET Framework and Windows 7 Stefan Kanthak PS: <https://msdn.microsoft.com/en-us/vstudio/bb188593.aspx> shows 2017-10-10 as EOL for the separate J# redistributable package.