Here is another pointer to vulnerabilities buried in Microsoft software packages. The Visual C++ runtime packages (VC redistributables) that Microsoft provides are assembled into installer packages with outdated (vulnerable) versions of the WiX Toolset.
What is the Visual C++ Runtime?
A Visual C++ runtime environment, the VC runtime, is required to run programs built with Visual C++. Microsoft offers the various versions of its Visual C++ runtime as redistributable packages for Windows; a list of VC redistributable versions for Windows can be found on this Microsoft page. So far so good, apart from the fact that users often have trouble with these packages. But there is more to it.
Old stuff: Vulnerabilities in the Visual C++ Runtime?
Unfortunately, the Visual C++ runtime packages seem to be a security nightmare. Today I was reminded via Twitter of my old article series, which I published in December 2017.
The problem with C++ Redists & 3rd Party security patches – I to III
— Crysta T. Lacey (@PhantomofMobile) August 22, 2018
After a hint from German blog reader Karl, I pointed out potential vulnerabilities caused by security updates in a series of articles.
But there is another detail I have had in stock for a while. Security expert Stefan Kanthak drew my attention to a security issue and forwarded me his mail exchange with Microsoft, but I had not found the time to write an article. The tweet mentioned above reminded me to write it now.
Security risk: WiX Toolset used for VC installer
Microsoft uses the WiX Toolset to build the installer packages for its Visual C++ redistributables (and their updates). The vendor's web site says:
WiX Toolset build tools include everything you need to create installations on your development and build machines.
As the above screenshot shows, WiX Toolset v3.11.1 is the current version. Visiting the site, I noticed that the website is still served via http, but fortunately the toolset itself is provided via GitHub. Rob Mensching, as far as I know an ex-Microsoft employee and the developer of the WiX Toolset (see Wikipedia), also offers the toolset as a Visual Studio 2017 extension.
Microsoft uses vulnerable WiX Toolset versions
The relevant packages can be downloaded from Microsoft's download pages for the VC redistributables; they were updated about six weeks ago. Stefan Kanthak has been looking at these packages for a long time, because Microsoft builds the installer files with the WiX Toolset. That alone would not be so bad. But there are 'curiosities', which I summarize briefly. Stefan Kanthak wrote:
The installation packages of the VC redistributables from summer 2018 were created with WiX Toolset version 3.7.3813.0 (and older). Version 3.10.2 of the WiX Toolset was released in January 2016. FireGiant has an article: 'WiX v3.10.2 is an important security release of WiX. We encourage all users of WiX to upgrade to WiX v3.10.2.' Microsoft doesn't seem to care.
Stefan Kanthak downloaded the VC redistributable from Microsoft and ran a few tools over it. Here are the results of this inspection.
| C:\Users\Stefan\Downloads>CURL.exe -q -I -L https://aka.ms/vs/15/release/vc_redist.x86.exe
| Last-Modified: Tue, 22 May 2018 17:35:06 GMT
The installer is quite new, published about 10 weeks ago.
| C:\Users\Stefan\Downloads>SIGNTOOL.exe Verify /V vc_redist.x86.exe
| The signature is timestamped: Tue May 15 08:08:31 2018
The installer was built or digitally signed about 11 weeks ago, just one week prior to its release.
| C:\Users\Stefan\Downloads>FILEVER.exe /V vc_redist.x86.exe
| --a-- W32i APP ENU 14.14.26429.4 shp 14,611,496 05-22-2018 vc_redist.x86.exe
| Language 0x0409 (Englisch (USA))
| CharSet 0x04e4 Windows, Multilingual
| OleSelfRegister Disabled
| CompanyName Microsoft Corporation
| FileDescription Microsoft Visual C++ 2017 Redistributable (x86) - 14.14.26429
| InternalName setup
| OriginalFilenam VC_redist.x86.exe
| ProductName Microsoft Visual C++ 2017 Redistributable (x86) - 14.14.26429
| ProductVersion 14.14.26429.4
| FileVersion 14.14.26429
| LegalCopyright Copyright (c) Microsoft Corporation. All rights reserved.
| C:\Users\Stefan\Downloads>LINK.exe /DUMP /HEADERS /DEPENDENTS vc_redist.x86.exe
| FILE HEADER VALUES
| 14C machine (x86)
| 7 number of sections
| 54DE53A8 time date stamp Fri Feb 13 20:42:32 2015
This is already critical: the VC redistributable was digitally signed on May 15, 2018 (file date May 22, 2018), but its PE header says it was linked (built) on February 13, 2015. The installer carrying the runtime library was created with WiX Toolset version 3.7, as the following excerpts show:
The LINK.exe dump, continued:
| OPTIONAL HEADER VALUES
| 10B magic # (PE32)
| 10.00 linker version
| 5.01 operating system version
| 0.00 image version
| 5.01 subsystem version
| Image has the following dependencies:
| Time Type Size RVA Pointer
| -------- ------ -------- -------- --------
| 54DE53A8 cv 46 00052F60 51760 ... E:\delivery\Dev\wix37\build\ship\x86\burn.pdb
So Microsoft's developers are using an old WiX Toolset that is known to be vulnerable. I am not an expert in versioning, but Stefan Kanthak told me the installer was built with Visual Studio 2010 for use on Windows XP and newer Windows NT versions: the linker version 10.00 in the optional header is the Visual Studio 2010 toolset, and the subsystem version 5.01 means the image targets Windows XP (Windows NT 5.1). In February 2015, however, Windows XP had long since fallen out of support (support ended in April 2014).
The LINK.exe dump also shows that the installer depends on a number of DLLs that Windows does not treat as 'known DLLs'. Such DLLs are searched for in the directory the executable is started from before the system directory is consulted. This means: malware that can drop a DLL with a matching name into the directory holding the installer (typically the user's Downloads folder) gets loaded by the installer and thereby hooks into the installation, with the installer's privileges. I had already mentioned this class of problems in my blog post PSA: Classic Shell is now Open Shell Menu – and a warning.
The list of potential problems and vulnerabilities Stefan Kanthak sent me continues in this vein; I will spare you the rest. To sum it up: Microsoft is using outdated and vulnerable tools to create a runtime redistributable that is installed on millions of Windows systems. Kanthak informed Microsoft about this, without anything happening. The colleagues at The Register have just picked the story up. What's going on at Microsoft right now?
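The same inspection can be repeated without LINK.exe. The following Python script is an added example written for this article; it is neither Stefan Kanthak's tooling nor part of WiX or the VC redistributable. It reads from any PE file exactly the fields discussed above (COFF machine and link timestamp, linker version, OS and subsystem version, and the CodeView RSDS PDB path from the debug directory) and then flags the three things Kanthak flagged: a pre-2015 Visual Studio linker, a Windows XP subsystem target, and a WiX build directory older than the 3.10 line. The `build_sample_pe` helper constructs a minimal synthetic PE32 with the values from the dump so the script runs offline; reading the WiX version out of a `wixNN` directory name in the PDB path is an assumption about that layout (the real burn.pdb path above contains `wix37`).

```python
import re
import struct
from datetime import datetime, timezone

DEBUG_DIR_INDEX = 6        # IMAGE_DIRECTORY_ENTRY_DEBUG
DEBUG_TYPE_CODEVIEW = 2    # IMAGE_DEBUG_TYPE_CODEVIEW
WIX_MIN_SAFE = (3, 10)     # the 3.10.2 security release; patch level is not visible in a directory name
LINKER_TO_VS = {8: "Visual Studio 2005", 9: "Visual Studio 2008", 10: "Visual Studio 2010",
                11: "Visual Studio 2012", 12: "Visual Studio 2013"}  # pre-2015 MSVC linker majors


def parse_pe(data: bytes) -> dict:
    """Extract the header fields LINK.exe /DUMP /HEADERS prints, plus the CodeView PDB path."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    machine, nsect, link_ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, lnk_major, lnk_minor = struct.unpack_from("<HBB", data, opt)
    if magic == 0x10B:          # PE32: NumberOfRvaAndSizes at +92, DataDirectory at +96
        n_dd_off, dd_off = 92, 96
    elif magic == 0x20B:        # PE32+: shifted by the 8-byte ImageBase/stack/heap fields
        n_dd_off, dd_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    os_major, os_minor = struct.unpack_from("<HH", data, opt + 40)
    ss_major, ss_minor = struct.unpack_from("<HH", data, opt + 48)
    n_dd = struct.unpack_from("<I", data, opt + n_dd_off)[0]
    sections = []
    for i in range(nsect):      # section table follows the optional header, 40 bytes per entry
        _, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva_to_offset(rva: int) -> int:
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rva - va + rawptr
        raise ValueError("RVA 0x%X not in any section" % rva)

    pdb_path = None
    if n_dd > DEBUG_DIR_INDEX:
        dbg_rva, dbg_size = struct.unpack_from("<II", data, opt + dd_off + DEBUG_DIR_INDEX * 8)
        if dbg_rva:
            dbg_off = rva_to_offset(dbg_rva)
            for i in range(dbg_size // 28):   # sizeof(IMAGE_DEBUG_DIRECTORY) == 28
                _, _, _, _, dtype, _, raw_rva, raw_ptr = struct.unpack_from("<IIHHIIII", data, dbg_off + 28 * i)
                if dtype != DEBUG_TYPE_CODEVIEW:
                    continue
                blob = raw_ptr or rva_to_offset(raw_rva)
                if data[blob:blob + 4] == b"RSDS":   # "RSDS", GUID(16), age(4), NUL-terminated PDB path
                    pdb_path = data[blob + 24:data.index(b"\0", blob + 24)].decode("latin-1")
    return {
        "machine": machine,
        "link_time": datetime.fromtimestamp(link_ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "linker_version": "%d.%02d" % (lnk_major, lnk_minor),
        "os_version": "%d.%02d" % (os_major, os_minor),
        "subsystem_version": "%d.%02d" % (ss_major, ss_minor),
        "pdb_path": pdb_path,
    }


def assess(info: dict) -> list:
    """Turn the raw fields into the findings the article draws from them."""
    findings = []
    vs = LINKER_TO_VS.get(int(info["linker_version"].split(".")[0]))
    if vs:
        findings.append("built with the %s linker (version %s)" % (vs, info["linker_version"]))
    if info["subsystem_version"] == "5.01":
        findings.append("subsystem version 5.01: targets Windows XP, out of support since April 2014")
    m = re.search(r"wix(\d)(\d+)", info["pdb_path"] or "", re.IGNORECASE)   # assumed ...\wix37\... layout
    if m and (int(m.group(1)), int(m.group(2))) < WIX_MIN_SAFE:
        findings.append("built with WiX %s.%s (from %s), older than the 3.10.2 security release"
                        % (m.group(1), m.group(2), info["pdb_path"]))
    return findings


def build_sample_pe(link_ts: int, linker=(10, 0), subsystem=(5, 1),
                    pdb_path=r"E:\delivery\Dev\wix37\build\ship\x86\burn.pdb") -> bytes:
    """Constructed minimal PE32 (not a real installer) carrying the header values to inspect."""
    file_align, sec_va = 0x200, 0x1000
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                 # e_lfanew
    rsds = b"RSDS" + bytes(16) + struct.pack("<I", 1) + pdb_path.encode("latin-1") + b"\0"
    dbg_entry = struct.pack("<IIHHIIII", 0, link_ts, 0, 0, DEBUG_TYPE_CODEVIEW, len(rsds),
                            sec_va + 28, file_align + 28)                 # CodeView blob follows the entry
    payload = dbg_entry + rsds
    opt = bytearray(224)                                                  # PE32 header, 16 data directories
    struct.pack_into("<HBB", opt, 0, 0x10B, *linker)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, file_align)      # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<HH", opt, 40, *subsystem)                          # OS version
    struct.pack_into("<HH", opt, 48, *subsystem)                          # subsystem version
    struct.pack_into("<I", opt, 92, 16)                                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + DEBUG_DIR_INDEX * 8, sec_va, 28)    # debug directory RVA, size
    coff = struct.pack("<HHIIIHH", 0x14C, 1, link_ts, 0, 0, len(opt), 0x102)
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", len(payload), sec_va, file_align, file_align,
                       0, 0, 0, 0, 0x40000040)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect).ljust(file_align, b"\0")
    return headers + payload.ljust(file_align, b"\0")


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(0x54DE53A8)
    info = parse_pe(data)
    for key, value in info.items():
        print("%-18s %s" % (key, value))
    for finding in assess(info):
        print("FINDING:", finding)
```

Run it with the path to a downloaded vc_redist.x86.exe as the only argument; without an argument it inspects the constructed sample, whose link timestamp 0x54DE53A8 decodes to 2015-02-13 19:42:32 UTC, i.e. the 20:42:32 local time LINK.exe printed above. Only the header fields are read, so the file is never executed, which is how such a check should run on an untrusted download.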
Similar articles:
PSA: Classic Shell is now Open Shell Menu – and a warning
Security flaws in MDOP/MBAM July 2018 Update KB4340040
Windows 10 and the OneDrive vulnerabilities – Part 1
Windows 10 and the OneDrive vulnerabilities – Part 2
Windows 10 and the OneDrive vulnerabilities – Part 3
Security-Risk: Avoid 7-Zip
7-Zip vulnerable – update to version 18.01