[German]In part 1 of my article series about vulnerabilities in OneDrive client I mentioned, the location of the program files in the unprotected profile folder. But Microsoft developers have made further mistakes, such as using outdated open source libraries with known vulnerabilities.
Using outdated OpenSSL libraries
In his e-mail Stefan Kanthak then drew my attention to a fact that I could hardly believe at first. Stefan wrote (free translated):
It seems that the fresh men from the open source scene didn’t know anything about secure software development for Windows!
The current OneDriveSetup.exe, released on 18.7.2018 at
16:56:01 GMT, available via
<https://g.live.com/1rewlive5skydrive/skydrivesetup> installs the outdated (from 28.8.2017) and insecure version 1.0.2k of the OpenSSL open source crap!
My first reaction was: Impossible, Microsoft won’t do that, there are professionals developing Windows 10 – the most secure Windows at all, according to Microsoft’s marketing. I’ll have to see and proof for myself. So I asked Stefan Kanthak how I could determine if OpenSSL would be installed. Stefan Kanthak then wrote that I should search and inspect the following files.
DIR /A/S “%USERPROFILE%\???eay32.dll”
DIR /A/S “%ProgramFiles%\???eay32.dll”
DIR /A/S “%ProgramFiles(x86)%\???eay32.dll”
DIR /A/S “%ProgramData%\???eay32.dll”
DIR /A/S “%SystemRoot%\???eay32.dll”
The two DLLs are called ssleay32.dll and libeay32.dll – I immediately found files with this name within the profile folder of a Windows 10 V1803 system (with all patched till August 2018).
Stefan Kanthak then wrote: Other such candidates are libcurl.dll, libz*.dll alias zlib*.dll, *7z*.dll and many more. File names like *7z*.dll ring a bell even to me (see my blog post Security-Risk: Avoid 7-Zip). But there is still the OpenSSL issue.
Microsoft’s developers apparently used OpenSSL libraries within the OneDrive client, but on August 18, 2018 (when I wrote the blog post) they are still shipping version 1.0.2k, as shown in the screenshot above – I right-clicked on the file ssleay32.dll and clicked on Properties to invoke the window. Stefan Kanthak had sent me the link to the following website:
This website documents vulnerabilities in the OpenSSL library. If you go through the page, you will find some references to version 1.0.2k. However, I did not notice any text in the page, where a vulnerability for this version was documented. But I noticed that version 1.0.2k was up to date sometime in January 2017. For June 2018 version 1.0.2p is mentioned in the last fixes.
But if you search specifically for the terms ‘OpenSSL 1.0.2k vulnerabilities’, you should find a lot of hits on the CVE Details page. There are several known vulnerabilities in version 1.0.2k, but none is critical (the level only goes up to 5, maximum would be 10). But the bottom line is that Microsoft’s developers are using an outdated Open Source OpenSSL library.
Windows has it’s own CryptoAPI …
Stefan Kanthak notes in an e-mail: Windows brings a CryptoAPI and SChannel since 22+ years and does NOT need such outdates open source libraries:
Microsoft’s mantra “Keep your PC up-to-date!”, which they regularly preach to all their customers, is once again ignored by Microsoft’s developers!
But there is more in stock, as Stefan Kanthak wote. He mentioned, that Microsoft’s developers are either not able or not willing, to write a “shell extension” for the Explorer using the the Win32 API of the Windows GUI. The background for this: Microsoft’s OneDrive client developers uses the Qt5 library instead of the well-documented and updated Windows API. Stefan Kanthak wrote:
Instead, these BEGINNERS uses the the open source monster Qt5 (of course also an OLD version); its Runtime environment Qt5*.dll occupies “only” 20MB on the hard disk. In RAM it’s even more.
The whole thing has two aspects. Kanthak criticizes the use of an outdated version of Qt5, where basically the same explanations apply as above to the outdated OpenSSL library. I assume, that Microsoft is in certain constraints and the outdated open source libraries are not classified as ‘extremely serious security risks’. This can bee seen as critically from the user’s point of view. The second point Kanthak criticizes is the use of Qt5, which is incomprehensible at first glance. But I realized some reasons during writing this blog post. These thoughts, as well as a Microsoft statement on the OneDrive client follows in Part 3.