{"id":197682,"date":"2017-11-28T00:55:00","date_gmt":"2017-11-27T23:55:00","guid":{"rendered":"http:\/\/www.borncity.com\/blog\/?p=197682"},"modified":"2021-12-06T00:32:57","modified_gmt":"2021-12-05T23:32:57","slug":"das-problem-mit-c-redists-party-sicherheitspatches-teil-2","status":"publish","type":"post","link":"https:\/\/borncity.com\/blog\/2017\/11\/28\/das-problem-mit-c-redists-party-sicherheitspatches-teil-2\/","title":{"rendered":"The Problem with C++ Redists &amp; 3rd Party Security Patches&ndash;Part 2"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" src=\"https:\/\/borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" height=\"47\" align=\"left\" \/>In Part 1 of this series I published a tip from blog reader Karl (al Qamar) about a problem with security updates for the Visual C++ runtime libraries (Redistributables). Part 2 covers the e-mail correspondence between Karl and Microsoft.<\/p>\n<p><!--more--><\/p>\n<h2>Asking Microsoft<\/h2>\n<p>When you run into a problem like this, it is not a bad idea to simply ask Microsoft. Corporate customers in particular have their own channels for that. 
Karl contacted the Microsoft Security Response Center (MSRC) about the issue and gave them the following information.<\/p>\n<blockquote><p>Dear Microsoft Security Team,<\/p>\n<p>in my daily work I find dozens of installations of Windows, no matter which version, whether these are installations of private users or corporate ones using SCCM or WSUS.<\/p>\n<p>Many Windows systems are still vulnerable and in my humble opinion not perfectly protected because of a design flaw.<\/p><\/blockquote>\n<p>For readers who do not speak English: in his daily work Karl comes across dozens of Windows installations, private machines as well as corporate systems, some of them managed with SCCM or WSUS. There he runs into the design problem mentioned in Part 1: outdated C++ runtime libraries remain on the system. He writes:<\/p>\n<blockquote><p>Mainly C++ Redists. Users will not get the latest C++ Redistributables via Windows Update and on nearly every system old vulnerable C++ Redist DLLs exist, as main or side-by-side installation.<\/p>\n<p>There is a tool called Sereby All-in-One that will nearly* cleanly delete all C++ Redists and Side-by-Side installations and force installation of the latest one you provide on your Website only.<\/p>\n<p>The current situation is that C++ Redists will only be patched in parts, not removing unpatched and vulnerable Side-By-Side installations.<\/p>\n<p>Refer to the attached screenshot for how a clean and updated C++ Redist should look on every Windows Client. 
I never had any issues doing so on hundreds of systems.<\/p>\n<p>*because of a file version check in his script it happens that some outdated C++ Redists entries will remain in Programs and Features (now Apps and Features).<\/p><\/blockquote>\n<p><a href=\"https:\/\/i.imgur.com\/Dra63nh.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"\" title=\"Visual C++ Redistributables\" src=\"https:\/\/i.imgur.com\/Dra63nh.jpg\" alt=\"Visual C++ Redistributables\" width=\"629\" height=\"168\" \/><\/a><br \/>\n(Click to enlarge)<\/p>\n<p>But even after the runtime environment on the machines has been cleaned up, a follow-up problem remains, which Karl addresses here:<\/p>\n<blockquote><p><b>Another problem arises here:<\/b><\/p>\n<p>Even if a system is successfully patched with the most recent C++ Redists and all other vulnerable versions have been purged, e.g. using All in One Runtime, there is still a risk.<\/p>\n<p>Developers tend to include (outdated) C++ Redists and overwrite newer C++ DLLs; some installers like Acrobat DC (classic branch) are so blatantly coded that they even insist on having old unpatched C++ Redists installed, otherwise the MSI installer will fail.<\/p>\n<p>Also on Steam and other platforms many games will install outdated C++ Redists, because only since C++ 2013 have there been some countermeasures. But for C++ 2005, 2008, 2010 and 2012 there are none.<\/p>\n<p>Additionally I have seen many applications that provide their own outdated C++ Redists in the installation directory instead of using those installed in Windows.<\/p>\n<p>This happens across nearly all applications and games around.<\/p><\/blockquote>\n<p>In short: many applications ship their own, often outdated, Visual C++ runtimes with their installers and may install them 
in the program folder (instead of using the DLLs already present in Windows).\u00a0Karl suggests that Microsoft take care of the issue:<\/p>\n<blockquote><p>It would be great if you could finally address these security issues, push out all C++ Redists to the systems and set rules for devs not to include and install their own outdated C++ redists, which they will never ever care about again.<\/p>\n<p>Uninstall all C++ redists and install the latest ones (currently not included in Microsoft Update Catalog, but only on MS Website). Currently WU \/ WSUS will not apply all security updates available for MS XML or all C++ Redists. I am sure you will get the point when comparing versions in my screenshot to the updates that will be applied via WU.<\/p>\n<p><b>Secondly<\/b>, many developers also include DLLs like d3dcompiler_47.dll that have been recently patched. Developers don't care to apply patches to their C++ Redists and Windows should force the following:<\/p>\n<p>These inconsistencies also exist for systems that will not be updated from MS XML 2.0 \/ 3.0 \/ 4.0 to MS XML 4.0 SP3.<\/p>\n<p>This also affects usage of OpenSSL in the same way, but I see that is out of MS scope.<\/p><\/blockquote>\n<p>In the last paragraphs of his mail Karl also addresses the problem of <em>d3dcompiler_47.dll<\/em>. This DLL has repeatedly had to be patched for security reasons recently. Installing third-party software then brings unpatched variants of these DLLs back onto the system.<\/p>\n<h2>What does Microsoft say?<\/h2>\n<p>Microsoft, in the form of the MSRC team, replied to Karl's inquiry with the following text:<\/p>\n<blockquote><p>Thank you for contacting the Microsoft Security Response Center (MSRC). 
What you're reporting appears to be a security related bug\/product suggestion.<br \/>\nTo best resolve this issue please see the following two links:<br \/>\n\"Microsoft Product Support Services\"<br \/>\n&lt;<a href=\"http:\/\/support.microsoft.com\/common\/international.aspx\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/support.microsoft.com\/common\/international.aspx<\/a>&gt;<br \/>\n\"Search Products accepting bugs or suggestions\"<br \/>\n&lt;<a href=\"https:\/\/web.archive.org\/web\/20210417105936\/http:\/\/support.microsoft.com\/gp\/contactbug\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/support.microsoft.com\/gp\/contactbug\/<\/a>&gt;<br \/>\nThanks,<br \/>\nTyler<br \/>\nMSRC<\/p><\/blockquote>\n<p>Short and to the point: not our problem; contact product support or file it as a bug report via the links given.<\/p>\n<h2>Entry in the Feedback Hub<\/h2>\n<p>Karl subsequently pointed me to <a href=\"https:\/\/aka.ms\/Dik33u\" target=\"_blank\" rel=\"noopener noreferrer\">this entry<\/a> in the Windows 10 Feedback Hub, where the topic can also be found.<\/p>\n<p><a href=\"https:\/\/i.imgur.com\/gI2RSwJ.jpg\" target=\"_blank\" rel=\"noopener noreferrer\"><img loading=\"lazy\" decoding=\"async\" class=\"\" src=\"https:\/\/i.imgur.com\/gI2RSwJ.jpg\" width=\"630\" height=\"130\" \/><\/a><\/p>\n<p>Part 3 presents a possible solution and an FAQ that Karl has compiled.<\/p>\n<p><strong>Article series:<\/strong><br \/>\n<a href=\"https:\/\/borncity.com\/blog\/?p=197680\">The Problem with C++ Redists &amp; 3rd Party Security Patches\u00a0\u2013 Part 1<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/blog\/?p=197682\" rel=\"noopener\">The Problem with C++ Redists &amp; 3rd Party Security Patches\u00a0\u2013 Part 2<\/a><br \/>\n<a 
href=\"https:\/\/borncity.com\/blog\/?p=197688\" rel=\"noopener\">The Problem with C++ Redists &amp; 3rd Party Security Patches\u00a0\u2013 Part 3<\/a><\/p>\n<p><strong>Similar articles:<\/strong><br \/>\n<a href=\"https:\/\/borncity.com\/blog\/2016\/12\/15\/windows-10-fehler-side-by-side-konfiguration-ungltig\/\">Windows 7\/8.1\/10: Side-by-Side configuration invalid error<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In Part 1 of this series I published a tip from blog reader Karl (al Qamar) about a problem with security updates for the Visual C++ runtime libraries (Redistributables). Part 2 covers the e-mail correspondence between Karl and Microsoft.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[426,185,301],"tags":[4328,4315,6668,3288],"class_list":["post-197682","post","type-post","status-publish","format-standard","hentry","category-sicherheit","category-update","category-windows","tag-sicherheit","tag-update","tag-vc","tag-windows-en"],"_links":{"self":[{"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/posts\/197682","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/comments?post=197682"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/posts\/197682\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/media?parent=197682"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/categories?post=197682"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/blog\/wp-json\/wp\/v2\/tags?post=197682"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}