Hi @ll, for years not only Microsoft tells computer users throughout the world "keep your PC updated" again and again. How well does Microsoft support this mantra with their very own products? How well does Microsoft follow this mantra in their own premises? Short answer: rather poor! Longer answer: (far too) many Microsoft products, their service packs and (security) updates/hotfixes as well include outdated, unsupported (ie. after their end-of-life) and even vulnerable (parts of) components that have been superseded long ago. Cause: Microsofts developers use so called "MSI merge modules" (*.MSM) (cf. <http://msdn.microsoft.com/en-us/library/aa369820.aspx>) to include (parts of) other (shared) components in their products. JFTR: "MSI merge modules" combine the disadvantages of static linking and DLLs! Although these "MSI merge modules" are regularly updated with service packs and (security) updates/hotfixes for Visual Studio or their resp. components, Microsoft ships (far too) many products with vulnerable libraries which stem from outdated "MSI merge modules"! Conclusion: either Microsoft doesn't update their build and production systems, or their developers and productions teams deliberately use outdated "MSI merge modules" (and most probably use and link other outdated libraries too) to build Microsoft products. Result: Microsoft ships products with vulnerable code and puts its customers at risk! Example 1: The "Microsoft Visual C++ [2005, 2008, 2010, 2012] Runtime" libraries (MSVC?<##>.DLL, with <##> in [80, 90, 100, 110]) alias MSVCRT and its satellites (MFC<##>*.DLL, MFC?<##>*.DLL, ATL<##>.DLL) are included in many products[1] and get installed even if a newer version of these libraries is already installed on a customers system. Cf. <http://support.microsoft.com/kb/154753> and <http://support.microsoft.com/kb/326922> for an overview, as well as <http://support.microsoft.com/kb/2538242/en-us>, <http://support.microsoft.com/kb/2538243/en-us>, <http://support.microsoft.com/kb/2467173/en-us> and <http://support.microsoft.com/kb/2565063/en-us> for detailed partlists. The FAQ section of <http://technet.microsoft.com/en-us/security/bulletin/ms11-025> says: | In the case where a system has no MFC applications currently installed | but does have the vulnerable Visual Studio or Visual C++ runtimes | installed, Microsoft recommends that users install this update as a | defense-in-depth measure, in case of an attack vector being introduced | or becoming known at a later time. Of course the same holds for ATL applications (where MS09-035 should have an equivalent FAQ entry) and CRT applications too. Step 1: Take a look at the just released "Microsoft SQL Server 2008 Service Pack 2" <http://blogs.msdn.com/b/sqlreleaseservices/archive/2012/07/26/sql-server-2008-r2-sp2-is-now-available.aspx> and it's downloads, <http://www.microsoft.com/en-us/download/details.aspx?id=30437> <http://www.microsoft.com/en-us/download/details.aspx?id=30438> <http://www.microsoft.com/en-us/download/details.aspx?id=30440> From the last link, pick the SQL native client installation package sqlncli_{amd64,ia64,x86}.msi, download and install it. Step 2: Find the directory "C:\WINDOWS\winsxs\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4027_x-ww_e69378d0\" with vulnerable DLLs MSVC?80.DLL v8.0.50727.4027 (this version of MSVC++ 2005 is pre-SP1, ie. end-of-life/out-of-service) on your system. OUCH! Apparently Microsoft's own recommendation is completely unknown to their own developers, their QA, their production team, their release managers, ... JTFR: Other parts of SQL Server 2008 SP2 contain these vulnerable DLLs too. Step 3: Start the "software" applet from "control panel" and try to find the just installed (parts of) "Microsoft Visual C++ 2005 Runtime". It's missing! How should a user follow Microsoft's recommendation if s/he doesnt even know that there is (or are parts of) a vulnerable component installed? Step 4: Start "Windows Update" or "Microsoft Update" and perform a "custom" search for updates. Result: no update(s) for Microsoft Visual C++ 2005 runtime libraries. Again: a complete waste of time, WU/MU doesnt offer the necessary update MS11-025, since Windows Update Agent doesnt detect the improperly installed MSVCRT! Example 2: "Microsoft Application Error Reporting Tool" alias "Dr. Watson 2.0" (cf. <http://support.microsoft.com/kb/841477>) is part of many products[2], included/bundled either as installable package DW20Shared.msi or incorporated directly via its files DWDCW20.DLL, DW20.EXE, DWTRIG20.EXE, DW20.ADM (in many languages), DWINTL20.DLL (localized too) and MSVC?80.DLL (goto example 1). Step 1: Fetch "Microsoft Security Essentials" from <http://windows.microsoft.com/en-US/windows/products/security-essentials>, and install it, or start "Microsoft Update", perform a custom search and install the optional update KB2691894 <http://support.microsoft.com/kb/2691894/en-us> (cf. <http://support.microsoft.com/kb/2267621/en-us>). Step 2: Find the directory "C:\WINDOWS\winsxs\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\" with vulnerable DLLs MSVC?80.DLL v8.0.50727.42 (this version is MSVC++ 2005 RTM, ie. end-of-life/out-of-service) on your system. Step 3: Open "control panel", start the "software" applet and try to find the just installed component "Microsoft Application Error Reporting" and (parts of) the component "Microsoft Visual C++ Runtime". They are missing! How should a user follow Microsoft's recommendation if s/he doesnt even know that there are (parts of) vulnerable components installed? Step 4: Start "Windows Update" or "Microsoft Update" and perform a "custom" search for updates. Result: no update(s) for Microsoft Visual C++ 2005 runtime libraries or error reporting tool. Again: a complete waste of time, WU/MU doesnt offer the necessary update MS11-025, since Windows Update Agent doesnt detect the improperly installed MSVCRT! Stefan Kanthak [1] Application Error Reporting alias Windows Error Reporting SQL Server 2005 and several subcomponents SQL Server 2008 and several subcomponents SQL Server 2012 and several subcomponents ... [2] Windows Defender Security Essentials Forefront Security ... {Exchange Office Outlook OneNote Word Excel PowerPoint Publisher Project Access Visio ...} 2003 {Exchange Office Outlook OneNote Word Excel PowerPoint Publisher Project Access Visio ...} 2007 Office Communicator 2005 Office Groove 2007 Groove Server 2010 Sharepoint Services 2.0 Sharepoint Services 3.0 SharePoint Designer 2007 SharePoint Foundation 2010 SharePoint Server 2010 .NET Framework 2.0 .NET Framework 3.0 .NET Framework 3.5 ...
