Windows and the cURL trap; deleted curl instance breaks Windows update

Microsoft has shipped the cURL library with the operating system since Windows 10. However, Redmond does not manage to update the bundled cURL version promptly when security vulnerabilities become known. As a result, cURL versions with known vulnerabilities are shipped with Windows. Anyone who gets the idea to simply delete the cURL package from Windows (or has it deleted by a virus scanner that flags the version as vulnerable) breaks Windows Update.



What is cURL?

cURL is a program library and command-line utility for transferring files over computer networks. The developer is Daniel Stenberg, who released the first version in 1998. The current version is 8.0.1, dated March 20, 2023. cURL is licensed under the MIT open license and is in use in various operating systems. Microsoft has shipped cURL with Windows 10 since early 2018 and also in newer Windows versions.

Sluggish cURL update in Windows

Microsoft is occasionally sloppy about updating the cURL package that comes with Windows. I had pointed out one such case in the blog post Windows January 2022 security updates for cURL vulnerability CVE-2021-22947 – a tough task for security reporters. German security expert Stefan Kanthak had pointed out a vulnerability in cURL to Microsoft in the summer of 2021, which was also confirmed. However, Microsoft needed until January 2022 before an update was provided.

Deleted cURL breaks update

I had the above episode in mind when I came across this German post on the site Golem a few weeks ago. Golem had noticed the blog post DELETING SYSTEM32\CURL.EXE by cURL developer Daniel Stenberg on April 24, 2023. Stenberg points out in his post that Microsoft is responsible for updating cURL in Windows, as they compile the library from the project's source code on their own. Secondly, Stenberg also cites Microsoft's slow response to vulnerabilities (using CVE-2022-43552 as an example).

This sometimes results in the Windows version of cURL.exe having known vulnerabilities. Antivirus solutions might detect this and sound the alarm. As of December 21, 2022, there was a case of virus scanners finding fault with installations of cURL in Windows 10/11 due to the known vulnerability CVE-2022-43552. Microsoft itself did not update cURL to version 8.0.1 for current Windows 10 versions until April 11, 2023, with KB5025221.

However, users who had curl.exe quarantined or deleted in the meantime because of the reported and existing vulnerability (there was such "helpful" advice in the Microsoft Answers forum) ran into a different problem. Security was then restored, but at the same time they had shot Windows Update to pieces: Windows discovered that the update function had been manipulated (by deleting cURL) and stopped the functionality.



Stenberg writes that he does not know how Windows Update could be repaired in this case. I myself would try a check for corrupted system files using sfc /scannow and dism (see also Check and repair Windows system files and component store). If this doesn't help, the only thing left to do is to restore a backup.
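
One way to audit the bundled binary instead of deleting it, as an added example (not code from this post, from Stenberg or from Microsoft): the script reads the version from `curl.exe --version`, compares it with the 8.0.1 baseline named above, and lists every other curl.exe on PATH so third-party copies are not mistaken for the OS one. The `-Baseline` and `-Repair` parameter names are hypothetical, and the DISM arguments are the usual component-store repair call, which the post does not spell out.

```powershell
# Added example: audit the Windows-bundled curl.exe instead of deleting it.
[CmdletBinding()]
param(
    # Baseline from the article: the version delivered with KB5025221.
    [version]$Baseline = '8.0.1',
    # Hypothetical opt-in switch: run the repair tools (elevated prompt required).
    [switch]$Repair
)

function Get-CurlVersion {
    param([Parameter(Mandatory)][string]$Path)
    # First line of "curl.exe --version" reads e.g. "curl 8.0.1 (Windows) libcurl/8.0.1 ..."
    $first = & $Path --version 2>$null | Select-Object -First 1
    if ($first -match '^curl (\d+\.\d+\.\d+)') { return [version]$Matches[1] }
    return $null   # unparsable output or the binary failed to start
}

$osCurl = Join-Path $env:SystemRoot 'System32\curl.exe'

if (-not (Test-Path -LiteralPath $osCurl -PathType Leaf)) {
    # The state described in the article: the OS-owned copy was deleted or quarantined.
    Write-Warning "$osCurl is missing; restore it rather than leaving it deleted."
    if ($Repair) {
        sfc.exe /scannow
        DISM.exe /Online /Cleanup-Image /RestoreHealth
    } else {
        Write-Host 'Re-run elevated with -Repair to start sfc and DISM.'
    }
    return
}

# Every curl.exe reachable via PATH, plus the OS copy, de-duplicated (case-insensitive).
$candidates = @($osCurl) + @(Get-Command curl.exe -All -ErrorAction SilentlyContinue |
    ForEach-Object Path) | Sort-Object -Unique

foreach ($path in $candidates) {
    $v = Get-CurlVersion -Path $path
    [pscustomobject]@{
        Path    = $path
        OsOwned = ($path -ieq $osCurl)
        Version = $v
        Status  = if (-not $v) { 'unknown' } elseif ($v -lt $Baseline) { 'below baseline' } else { 'ok' }
    }
}
```

A "below baseline" result for the OS-owned copy is a prompt to install the pending cumulative update, not to remove the file.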

The episode once again shows how complex Windows has become and that Microsoft's developers seem to have difficulty updating third-party components with known vulnerabilities in a timely manner.

