[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Defense in depth -- the Microsoft way (part 4)



Hi,

Microsoft distributes (security critical) updates for Windows components
and Microsoft products installed on user systems via "Windows/Microsoft
Update" and installs them automatically.

Except in some VERY common cases...

For the incorporation of redistributable components like the MSVCRT, MFC,
ATL etc. in MSI installer packages of other (including 3rd party) products
Microsoft provides so-called "MSI merge modules" *.MSM with Visual Studio.

This is primarily a convenience for the packager/developer and the
user/consumer, since both dont have to handle the (typically larger)
standalone "redistributable packages" of the included components from
their "main" installer package.

The files included in these MSI merge modules are installed in the same
locations as their standalone "redistributable packages" do.

But... Windows Update Agent doesnt detect vulnerable/outdated files
installed via MSI merge modules: some of the meta-data which is written
by the standalone "redistributable packages" is not written by the MSI
merge modules and lets Windows Update Agent fail to detect them properly.

The result: all Windows installations where

* Microsoft products like Microsoft Security Essentials, Windows Defender,
  Forefront Security, Microsoft Office <anything>, Microsoft Sharepoint
  <anything>, Microsoft SQL Server <anything>, .NET Framework 2.0/3.0/3.5,
  which come with outdated and vulnerable MSI merge modules, are installed,

* 3rd party products like Adobe Reader/Acrobat and numerous others of
  numerous other developers/companies, which come with outdated and
  vulnerable MSI merge modules, are installed,

* the current version of the standalone "redistributable packages" of the
  resp. MSCVRT, MFC, ATL etc. are NOT installed,

are (potentially) VULNERABLE!


stay tuned
Stefan Kanthak


PS: if you want to check your own Windows installations: get FILEVER.EXE
    from <http://www.microsoft.com/en-us/download/details.aspx?id=15326>
    (the download link in <http://support.microsoft.com/kb/913111> points
    to an older version), start a command prompt and run the following
    commands:

    FILEVER.EXE /S %SystemRoot%\WinSxS\MSVC*.DLL
    FILEVER.EXE /S %SystemRoot%\WinSxS\MFC*.DLL
    FILEVER.EXE /S %SystemRoot%\WinSxS\ATL*.DLL
    FILEVER.EXE /S %SystemRoot%\WinSxS\MSDIA*.DLL
    FILEVER.EXE /S %SystemRoot%\WinSxS\VCOMP*.DLL

    FILEVER.EXE %SystemRoot%\System32\MSVC*.DLL
    FILEVER.EXE %SystemRoot%\System32\MFC*.DLL
    FILEVER.EXE %SystemRoot%\System32\ATL*.DLL
    FILEVER.EXE %SystemRoot%\System32\MSDIA*.DLL
    FILEVER.EXE %SystemRoot%\System32\VCOMP*.DLL

    FILEVER.EXE %SystemRoot%\SysNative\MSVC*.DLL    (x64 only)
    FILEVER.EXE %SystemRoot%\SysNative\MFC*.DLL     ...
    FILEVER.EXE %SystemRoot%\SysNative\ATL*.DLL     ...
    FILEVER.EXE %SystemRoot%\SysNative\MSDIA*.DLL   ...
    FILEVER.EXE %SystemRoot%\SysNative\VCOMP*.DLL   ...

    If the output shows DLLs with version numbers less than listed in
    <http://support.microsoft.com/kb/2565063>
    <http://support.microsoft.com/kb/2467173>
    <http://support.microsoft.com/kb/2538243>
    <http://support.microsoft.com/kb/2538242>
    <http://support.microsoft.com/kb/2465373>
    you should fetch the resp. "redistributable packages" and install
    them (as stated in the FAQ section of
    <http://technet.microsoft.com/security/bulletin/ms11-025>)

    Don't forget to file file bug reports against any product that
    installed the outdated DLLs.


PPS: if you find any of these DLLs in %ProgramFiles%, %ProgramFiles(x86)%
     or other locations: remove them!

     Then ask the developers/vendors who installed them there to take a
     REALLY THOROUGH look at <http://support.microsoft.com/kb/835322>!

     And don't forget to file file bug reports against any product that
     installed OUTDATED DLLs there!