Windows 10/11: Microsoft still ships old version of cURL lib with vulnerabilities (Feb. 2023)

It's a messy story that I'm posting here on the blog again. Microsoft fails to ship cURL with Windows 10/11 in a way that keeps the software up to date and free of known vulnerabilities. I had already raised the issue on the blog in January 2022 – but nothing has changed, as I could see from my own checks and from a message I received from Stefan Kanthak. Here's a brief outline of what it's all about.

What is cURL?

cURL (stands for Client for URLs or Curl URL Request Library) is on the one hand a program library and on the other hand a command line program for transferring files in computer networks. cURL is licensed under the open MIT license and has been ported to various operating systems.

cURL in Windows 10/11 is outdated

Microsoft has been shipping cURL with Windows 10 (and also in Windows 11) since 2017, as you can read in these articles on the cURL website, as well as Microsoft's blog post Tar and Curl Come to Windows, last updated April 26, 2022. I had addressed it in December 2017 in the German blog post Windows 10: tar und curl sollen kommen. The cURL website states:

All installs of Microsoft Windows 10 and Windows 11 get curl installed by default since then. The initial curl version Microsoft shipped was 7.55.1 but it was upgraded to 7.79.1 in January 2022.

The Microsoft provided version is built to use the Schannel TLS backend. […]

The curl tool shipped with Windows is built by and handled by Microsoft. It is a separate build that will have different features and capabilities enabled and disabled compared to the Windows builds offered by the curl project. They do however build curl from the same source code. If you have problems with their curl version, report that to them.

You can probably assume that the curl packages from Microsoft will always lag behind the versions provided by the curl project itself.

cURL for Windows was updated to version 7.88.1 on February 20, 2023, according to the cURL website. If I query the cURL version on a Windows 10 system with the current patch level, I get this display:

Windows 10 22H2 with patch level February 2023 reports a cURL 7.83.1 with a release date of May 13, 2022. They are 9 months behind the official release of the cURL project. If I query the Internet for "cURL 7.83.1 vulnerabilities", Google provides me with a link to the official cURL page, where it says:

curl version 7.83.1 was released on May 11 2022. The following 13 security problems are known to exist in this version.

It's kind of silly to see how Microsoft acts. Microsoft's folks blow the fanfares about security features (secure boot, TPM, exploit protection, phishing protection, etc.), but at the same time they ship outdated libraries with known vulnerabilities on users' systems. This is exactly the same as with products using the Electron framework like Teams – an ancient version of the Chromium browser with known vulnerabilities was also diligently shipped.

Microsoft knows that

One could still argue that "something was overlooked". But there is a method to it: the developers in Redmond know this and do nothing. In January 2022, after a hint from Stefan Kanthak, I had already addressed this topic in the blog post Windows January 2022 security updates for cURL vulnerability CVE-2021-22947 – a tough task for security reporters. Kanthak had provided me with his communications with Microsoft pointing out security vulnerabilities in cURL.

These days Stefan Kanthak sent me another e-mail addressing the above sloppiness regarding updating cURL in Windows 10 and Windows 11. Here is the text, without further comment on my part – the original was partly in German, but most of it is in English:

Hello Guenter,

in the CC: I stupidly entered a wrong e-mail address for you.

Would you like to write about their ongoing sloppiness and inability
to supply their own production systems with current source code?

Regards
Stefan


----- Original Message -----
From: "Stefan Kanthak" <****>
To: "Microsoft Security Response Center" <secure@microsoft.com>; <certbund@bsi.bund.de>; <cert@cert.org>
Cc: <gborn@***>; <daniel@****>
Sent: Monday, February 06, 2023 7:56 PM
Subject: TEN unfixed CVEs in the OUTDATED version of curl.exe that Microsoft dares to ship with Windows!

> Hi @ll,
>
> Microsoft again/still ships a ROTTEN and VULNERABLE version of curl.exe
> which is 4 releases behind and has TEN unfixed CVEs with Windows 10 and 11!
>
> Why do you ignore your own mantra "Keep your systems up-to-date and patched"?
>
> @MSRC: last time it took more than FIVE months, from 2021-07-21 until
>       January 2022, to ship a version then "just" 2 releases behind.
>       See MSRC Case 66388 CRM:0461283373
>
> @CERT Bund: how about a public warning about this sloppily, carelessly
>            and negligently cobbled-together stuff?
>
> @Daniel: please change your license to forbid the distribution of vulnerable
>         binaries built from outdated sources!
>
> C:\Users\Stefan>ver
>
> Microsoft Windows [Version 10.0.19044.2486]
>
> C:\Users\Stefan>curl --version
> curl 7.83.1 (Windows) libcurl/7.83.1 Schannel
> Release-Date: 2022-05-13
> Protocols: dict file ftp ftps http https imap imaps pop3 pop3s smtp smtps telnet tftp
> Features: AsynchDNS HSTS IPv6 Kerberos Largefile NTLM SPNEGO SSL SSPI UnixSockets
>
> From <https://curl.se/docs/security.html>
>
> #    S  Vulnerability                                             Date        First   Last
> 132  ?  CVE-2022-43552: HTTP Proxy deny use-after-free            2022-12-21  7.16.0  7.86.0
> 131  ?  CVE-2022-43551: Another HSTS bypass via IDN               2022-12-21  7.77.0  7.86.0
> 130  ?  CVE-2022-42916: HSTS bypass via IDN                       2022-10-26  7.77.0  7.85.0
> 129  ?  CVE-2022-42915: HTTP proxy double-free                    2022-10-26  7.77.0  7.85.0
> 128  ?  CVE-2022-35260: .netrc parser out-of-bounds access        2022-10-26  7.84.0  7.85.0
> 127  ?  CVE-2022-32221: POST following PUT confusion              2022-10-26  7.7     7.85.0
> 126  ?  CVE-2022-35252: control code in cookie denial of service  2022-08-31  4.9     7.84.0
> 125  ?  CVE-2022-32208: FTP-KRB bad message verification          2022-06-27  7.16.4  7.83.1
> 124  ?  CVE-2022-32207: Unpreserved file permissions              2022-06-27  7.69.0  7.83.1
> 123  ?  CVE-2022-32206: HTTP compression denial of service        2022-06-27  7.57.0  7.83.1
> 122  ?  CVE-2022-32205: Set-Cookie denial of service              2022-06-27  7.71.0  7.83.1
>
> NOT AMUSED
> Stefan Kanthak
>
> ----- Original Message -----
> From: "Stefan Kanthak" <stefan.kanthak@***>
> To: "Microsoft Security Response Center" <secure@microsoft.com>
> Cc: <daniel@***>; <cert@cert.org>
> Sent: Wednesday, July 21, 2021 8:35 PM
> Subject: OUTDATED curl.exe 7.55.1
>
>> Hi secure,
>>
>> Windows 10 20H1, 20H2 and 21H1 ship with an outdated and vulnerable
>> curl.exe 7.55.1, 32 releases and at least 15 (in words: FIFTEEN) CVEs
>> behind the current version 7.78.0: see
>> <https://curl.se/docs/releases.html> and
>> <https://curl.se/docs/vulnerabilities.html>
>>
>> | C:\Users\Public>winver
>> | Microsoft Windows [Version 10.0.19042.1083]
>> |
>> | C:\Users\Public>curl -V
>> | curl 7.55.1 (Windows) libcurl/7.55.1 WinSSL
>> | Release-Date: 2017-11-14, security patched: 2019-11-05
>> | Protocols: dict file ftp ftps http https imap imaps pop3 pop3s smtp smtps telnet tftp
>> | Features: AsynchDNS IPv6 Largefile SSPI Kerberos SPNEGO NTLM SSL
>>
>> Are your processes so bad that you can't build a current version and
>> have to ship ROTTEN software instead?
>>
>> NOT amused
>> Stefan Kanthak
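
As an added example (not part of the post or of Kanthak's e-mail), the check the e-mail performs by hand, in Python: parse the `curl --version` banner, then match the version against the First/Last affected ranges of the eleven CVEs quoted above. For 7.83.1 it reports ten, because CVE-2022-35260 was only introduced in 7.84.0; the table is just the one quoted in the mail, not the full list at curl.se.

```python
import re
import subprocess

# Affected-version table as quoted in the e-mail above (curl.se/docs/security.html):
# (CVE id, first affected release, last affected release), both inclusive.
CURL_CVES = [
    ("CVE-2022-43552", "7.16.0", "7.86.0"), ("CVE-2022-43551", "7.77.0", "7.86.0"),
    ("CVE-2022-42916", "7.77.0", "7.85.0"), ("CVE-2022-42915", "7.77.0", "7.85.0"),
    ("CVE-2022-35260", "7.84.0", "7.85.0"), ("CVE-2022-32221", "7.7", "7.85.0"),
    ("CVE-2022-35252", "4.9", "7.84.0"),    ("CVE-2022-32208", "7.16.4", "7.83.1"),
    ("CVE-2022-32207", "7.69.0", "7.83.1"), ("CVE-2022-32206", "7.57.0", "7.83.1"),
    ("CVE-2022-32205", "7.71.0", "7.83.1"),
]

# Constructed sample: the banner quoted in the e-mail (Windows 10 19044, Feb. 2023).
SAMPLE_BANNER = """curl 7.83.1 (Windows) libcurl/7.83.1 Schannel
Release-Date: 2022-05-13
Protocols: dict file ftp ftps http https imap imaps pop3 pop3s smtp smtps telnet tftp
"""

def parse_version(text):
    """'7.83.1' -> (7, 83, 1); short forms like '7.7' are padded so they compare correctly."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def curl_version_from_banner(banner):
    """Pull the version out of the first line of `curl --version` / `curl -V` output."""
    m = re.search(r"^curl (\d+(?:\.\d+)+) ", banner, re.MULTILINE)
    if not m:
        raise ValueError("not a curl version banner")
    return m.group(1)

def applicable_cves(version, table=CURL_CVES):
    """CVE ids whose [first, last] affected range contains `version`."""
    v = parse_version(version)
    return [cve for cve, first, last in table
            if parse_version(first) <= v <= parse_version(last)]

if __name__ == "__main__":
    try:  # use the curl on this machine, fall back to the quoted sample banner
        banner = subprocess.run(["curl", "--version"], capture_output=True,
                                text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        banner = SAMPLE_BANNER
    ver = curl_version_from_banner(banner)
    hits = applicable_cves(ver)
    print(f"curl {ver}: {len(hits)} of the {len(CURL_CVES)} listed CVEs apply")
    print("\n".join("  " + c for c in hits))
```

Running it on a machine with the comment's 8.0.1 build, or any release newer than 7.86.0, yields no hits from this table; a current table from curl.se is needed for newer CVEs.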

Similar articles:
Windows January 2022 security updates for cURL vulnerability CVE-2021-22947 – a tough task for security reporters
Microsoft Teams and it's security


3 Responses to Windows 10/11: Microsoft still ships old version of cURL lib with vulnerabilities (Feb. 2023)

  1. vavamoose says:

    Hi, I had to do a lot of digging on the internet to come to your post. It is quite excruciating to see Microsoft not really care about security at the low level of things. Tenable vulnerability scanner had flagged several of the above vulns associated with cURL.
    It is frustrating when at corporate scale, our hands are tied from replacing the Windows curl.exe app with one that is readily available from curl.se

    Standing by for now.

    • guenni says:

      It's not only curl.exe – such flaws may be found on all ends in Windows (aka DLL hijacking vulnerabilities, package packers using outdated tools with known vulnerabilities and, and, and).

  2. makros says:

    Update a few months later:

    C:\> which curl

    CommandType Name Version Source
    Application curl.exe 8.0.1.0 C:\windows\system32\curl.exe
