{"id":4547,"date":"2017-12-20T00:38:00","date_gmt":"2017-12-19T23:38:00","guid":{"rendered":"http:\/\/borncity.com\/win\/?p=4547"},"modified":"2021-12-08T14:32:02","modified_gmt":"2021-12-08T13:32:02","slug":"the-problem-with-c-redists-3rd-party-security-patches-ii","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2017\/12\/20\/the-problem-with-c-redists-3rd-party-security-patches-ii\/","title":{"rendered":"The problem with C++ Redists &amp; 3rd Party security patches &#8211; II"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" src=\"http:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" height=\"47\" align=\"left\" \/>[<a href=\"http:\/\/www.borncity.com\/blog\/2017\/11\/27\/das-problem-mit-c-redists-party-sicherheitspatches-teil-1\/\" target=\"_blank\" rel=\"noopener\">German<\/a>]In part 1 of the article series I had published a note from blog reader Karl (al Qamar) about a problem related to security updates for the Visual C++ runtime libraries (redistributables). Part 2 deals with the e-mail correspondence between Karl and Microsoft.<\/p>\n<p><!--more--><\/p>\n<h2>Asking Microsoft<\/h2>\n<p>Karl decided to contact the folks at Microsoft Security Response Center (MSRC) and discuss his findings.<\/p>\n<blockquote><p>Dear Microsoft Security Team,<\/p>\n<p>in my daily work I find dozens of installations of Windows, no matter which version, whether these are installations of private users or corporations using SCCM or WSUS.<\/p>\n<p>Many Windows systems are still vulnerable and in my humble opinion not perfectly protected because of a design flaw.<\/p><\/blockquote>\n<blockquote><p>Mainly C++ Redists. 
Users will not get the latest C++ Redistributables via Windows Update, and on nearly every system old vulnerable C++ Redist DLLs exist, as main or side-by-side installations.<\/p><\/blockquote>\n<blockquote><p>There is a tool called Sereby All-in-One that will nearly* cleanly delete all C++ Redists and Side-by-Side installations and force installation of the latest one you provide on your Website only.<\/p>\n<p>The current situation is that C++ Redists will only be patched in parts, not removing unpatched and vulnerable Side-By-Side installations.<\/p>\n<p>Refer to the attached screenshot for how a clean and updated C++ Redist should look on every Windows client. I never had any issues doing so on hundreds of systems.<\/p>\n<p>*Because of a file version check in his script, it happens that some outdated C++ Redist entries will remain in Programs and Features (now Apps and Features).<\/p><\/blockquote>\n<p><a href=\"https:\/\/i.imgur.com\/Dra63nh.jpg\"><img loading=\"lazy\" decoding=\"async\" title=\"Visual C++ Redistributables\" src=\"https:\/\/i.imgur.com\/Dra63nh.jpg\" alt=\"Visual C++ Redistributables\" width=\"629\" height=\"168\" \/><\/a><br \/>\n(Click to zoom)<\/p>\n<p>But even if you clean up the runtime environment on the machines, there is a follow-up problem, which Karl addresses here:<\/p>\n<blockquote><p><b>Another problem arises here:<\/b><\/p>\n<p>Even if a system is successfully patched with the most recent C++ Redists and all other vulnerable versions have been purged, e.g. using All in One Runtime, there is still a risk.<\/p>\n<p>Developers tend to include (outdated) C++ Redists and overwrite newer C++ DLLs; some installers like Acrobat DC (classic branch) are so blatantly coded that they even insist on having old unpatched C++ Redists installed, otherwise the MSI installer will fail.<\/p>\n<p>Also on Steam and other platforms many games will install outdated C++ Redists, because only since C++ 2013 have there been some countermeasures. 
But for C++ 2005, 2008, 2010, 2012 there are none.<\/p>\n<p>Additionally, I have seen many applications that provide their own outdated C++ Redists in the installation directory instead of using those installed in Windows.<\/p>\n<p>This happens across nearly all applications and games around.<\/p><\/blockquote>\n<p>In short: Many applications bring their own, often obsolete Visual C++ runtime environments with them and install them in the program folder (instead of using the DLLs already present in Windows). Karl suggests that Microsoft take care of the issue:<\/p>\n<blockquote><p>It would be great if you can finally address these security issues and push out all C++ Redists to the systems and set rules for devs not to include and install their own outdated C++ redists, which they will never ever care about again.<\/p>\n<p>Uninstall all C++ redists and install the latest ones (currently not included in Microsoft Update Catalog, but only on MS Website). Currently WU \/ WSUS will not apply all security updates available for MS XML or all C++ Redists. I am sure you will get the point when comparing versions in my screenshot to the updates that will be applied via WU.<\/p>\n<p><b>Secondly,<\/b> many developers also include DLLs like d3dcompiler_47.dll that have been recently patched. Developers don't care to apply patches to their C++ Redists, and Windows should force the following:<\/p>\n<p>These inconsistencies also exist for systems that will not be updated from MS XML 2.0 \/ 3.0 \/ 4.0 to MS XML 4.0 SP3.<\/p>\n<p>This also affects usage of OpenSSL in the same way, but I see that is out of MS scope.<\/p><\/blockquote>\n<p>In the last few paragraphs of his mail, Karl deals with the problem of <em>d3dcompiler_47.dll<\/em>, which recently had to be patched for security reasons. 
The installation of third-party software then causes unpatched variants of these DLLs to come back on the system.<\/p>\n<h2>What does Microsoft say about this?<\/h2>\n<p>Microsoft has responded via the MSRC team to Karl's request with the following text:<\/p>\n<blockquote><p>Thank you for contacting the Microsoft Security Response Center (MSRC). What you're reporting appears to be a security related bug\/product suggestion.<br \/>\nTo best resolve this issue please see the following two links:<br \/>\n\"Microsoft Product Support Services\"<br \/>\n&lt;<a href=\"http:\/\/support.microsoft.com\/common\/international.aspx\" target=\"_blank\" rel=\"noopener\">http:\/\/support.microsoft.com\/common\/international.aspx<\/a>&gt;<br \/>\n\"Search Products accepting bugs or suggestions\"<br \/>\n&lt;<a href=\"https:\/\/web.archive.org\/web\/20210417105936\/http:\/\/support.microsoft.com\/gp\/contactbug\" target=\"_blank\" rel=\"noopener\">http:\/\/support.microsoft.com\/gp\/contactbug\/<\/a>&gt;<br \/>\nThanks,<br \/>\nTyler<br \/>\nMSRC<\/p><\/blockquote>\n<p>In short: This is not our problem &#8211; contact product support or submit it as a bug report under the given links.<\/p>\n<h2>Entry in the Feedback Hub<\/h2>\n<p>Karl told me afterwards about <a href=\"https:\/\/aka.ms\/Dik33u\" target=\"_blank\" rel=\"noopener\">this entry<\/a> in the Feedback Hub for Windows 10, where the topic can also be found.<\/p>\n<p><a href=\"https:\/\/i.imgur.com\/gI2RSwJ.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/i.imgur.com\/gI2RSwJ.jpg\" width=\"630\" height=\"130\" \/><\/a><\/p>\n<p>In part 3 there is a solution approach and a FAQ that Karl put together.<\/p>\n<p><strong>Article series:<\/strong><br \/>\n<a href=\"https:\/\/borncity.com\/win\/?p=4543\">The problem with C++ Redists &amp; 3rd Party security patches<\/a>\u00a0\u2013 I<br \/>\n<a href=\"https:\/\/borncity.com\/win\/?p=4547\" rel=\"noopener\">The problem with C++ Redists &amp; 3rd Party security 
patches<\/a>\u00a0\u2013 II<br \/>\n<a href=\"https:\/\/borncity.com\/win\/?p=4550\" rel=\"noopener\">The problem with C++ Redists &amp; 3rd Party security patches<\/a>\u00a0\u2013 III<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]In part 1 of the article series I had published a note from blog reader Karl (al Qamar) about a problem related to security updates for the Visual C++ runtime libraries (redistributables). Part 2 deals with the e-mail correspondence between &hellip; <a href=\"https:\/\/borncity.com\/win\/2017\/12\/20\/the-problem-with-c-redists-3rd-party-security-patches-ii\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,22,2],"tags":[1204,1203,195,194],"class_list":["post-4547","post","type-post","status-publish","format-standard","hentry","category-security","category-update","category-windows","tag-c","tag-restrists","tag-update","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/4547","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=4547"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/4547\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=4547"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=4547"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\
/tags?post=4547"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}