The problem with C++ Redists & 3rd Party security patches – I

[German]Blog reader Karl (al Qamar) informed me a while ago about a problem with securiy updates for the Visual C++ runtime libraries (Redistributables). Here are his findings about the issues.


Some Background

Most programs require runtime libraries to run. In Visual C++, this is the redistributables (runtime libraries) that are installed with the respective application. Karl wrote:

Unfortunately MS has made a mistake to secure its runtime libraries aka C++ Runtimes, which are necessary for almost all programs. I myself only became aware of this issue around 2013.

The problem with VC++ runtime updates

If VC++Runtime libraries are updated by security updates, Windows will usually install them side-by-side. Karl writes:

Due to a conceptual error, the C++ Redists are installed side-by-side in most cases, i. e. old insecure Redist remains on the system (Clients and Servers).

Some words about Side-by-Side and WinSxS

Why runtime libraries have to be installed Side-by-Side is discussed within my blog post Windows 7/8.1/10: error side-by-side configuration is incorrect. In short: Runtime libraries are stored centrally so that applications do not have to install the same DLLs in program folders each time. You can save storage space by sharing the libraries.

The problem: If two applications use different versions of a runtime library, conflicts would arise if the last installed application simply overwrote the existing runtime files. Then a conflict occurs during the installation of the application, which was formerly known as "DLL hell".

To avoid this problem, the Side by side configuration in the folder WinSxS (Windows component store) has been introduced. When an application is installed, the runtime libraries, DLLs, and possibly other resources are stored in a separate subfolder of the WinSxS folder. This prevents multiple files from interfering at the same time. More insides can be found in this blog post linked above.


Another problem: Windows Update and WSUS

Karl also points out some additional issues related to these security updates.

For unknown reasons, Microsoft provides the current versions of[the redistributables] for download (partially), but not all current versions also via WSUS or WU. This applies in particular to C++ 2008-2012.

If the updates are installed via WSUS or WU, this will lead in most cases to the above-mentioned side-by-side installation, since MS will only perform a version check in the MSI Installer with the introduction of C++ 2013.

Furthermore, the updates are considered 3rd party and by default the setting since Windows XP is that only Windows updates are installed, i. e. no other Microsoft updates that include the C++ Redists, Office Updates or SQL / Exchange Server updates. If this option is enabled, Office and driver updates are installed.

In part 2 I document the emails exchanged between Karl and the Microsoft Security Response Center (MSRC). Part 3 contains a FAQ and a solution.

Article series:
The problem with C++ Redists & 3rd Party security patches – I
The problem with C++ Redists & 3rd Party security patches – II
The problem with C++ Redists & 3rd Party security patches – III

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Update, Windows and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *