{"id":6701,"date":"2018-08-22T16:35:11","date_gmt":"2018-08-22T14:35:11","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=6701"},"modified":"2018-08-22T16:35:11","modified_gmt":"2018-08-22T14:35:11","slug":"vulnerabilities-in-microsoft-visual-c-runtime","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2018\/08\/22\/vulnerabilities-in-microsoft-visual-c-runtime\/","title":{"rendered":"Vulnerabilities in Microsoft Visual C++ Runtime"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2018\/08\/22\/sicherheit-microsoft-visual-c-runtime-kommt-mit-alten-wix-installern\/\" target=\"_blank\">German<\/a>]Here is another pointer to vulnerabilities buried in software packages from Microsoft. The Visual C++ runtime packages (VC redistributable) provided by Microsoft are built into installer packages with outdated (vulnerable) WiX Toolset versions. <\/p>\n<p><!--more--><\/p>\n<h2>What is the Visual C++ Runtime?<\/h2>\n<p>A Visual C++ runtime environment, the VC runtime, is required for Visual C++ programs. Microsoft offers various versions of its Visual C++ Runtime environment as redistributable packages for Windows. A list of VC redistributable versions for Windows can be found on <a href=\"https:\/\/support.microsoft.com\/de-de\/help\/2977003\/the-latest-supported-visual-c-downloads\" target=\"_blank\">this Microsoft page<\/a>. So far, so good &#8211; but apart from the fact that users often have trouble with these packages, there is more to report. 
<\/p>\n<h2>Old stuff: Vulnerability in Visual C++ Runtime?<\/h2>\n<p>Unfortunately, the Visual C++ runtime packages seem to be a security nightmare. Today I was reminded via <a href=\"https:\/\/twitter.com\/PhantomofMobile\/status\/1032058681708306432\" target=\"_blank\">Twitter<\/a> of an old article series I published in December 2017. <\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"de\">\n<p lang=\"en\" dir=\"ltr\">The problem with C++ Redists &amp; 3rd Party security patches \u2013 I to III<\/p>\n<p>Posted on 2017-12-19 by <a href=\"https:\/\/twitter.com\/etguenni?ref_src=twsrc%5Etfw\">@etguenni<\/a><a href=\"https:\/\/t.co\/yAvtB8Ionl\">https:\/\/t.co\/yAvtB8Ionl<\/a><a href=\"https:\/\/t.co\/DDQvWwKeW2\">https:\/\/t.co\/DDQvWwKeW2<\/a><a href=\"https:\/\/t.co\/4tT7fFXoiu\">https:\/\/t.co\/4tT7fFXoiu<\/a><\/p>\n<p>\u2014 Crysta T. Lacey (@PhantomofMobile) <a href=\"https:\/\/twitter.com\/PhantomofMobile\/status\/1032058681708306432?ref_src=twsrc%5Etfw\">22. August 2018<\/a><\/p><\/blockquote>\n<p>After a hint from German blog reader Karl, I pointed out potential vulnerabilities caused by security updates within a series of articles. <\/p>\n<p>But there is another detail that I have had in stock for a while. Security expert Stefan Kanthak drew my attention to a security issue and forwarded his mail exchange with Microsoft. But I have not had the time to write an article. The tweet mentioned above reminded me to write this article now. <\/p>\n<h2>Security risk: WiX Toolset used for VC installer<\/h2>\n<p>Microsoft is using the WiX Toolset to build the installer packages for its Visual C++ redistributables (and their updates). 
The <a href=\"http:\/\/wixtoolset.org\/releases\/\" target=\"_blank\">vendor's website says<\/a>:<\/p>\n<blockquote>\n<p><strong>WiX Toolset build tools<\/strong> includes everything you need to create installations on your development and build machines.<\/p>\n<\/blockquote>\n<p><img decoding=\"async\" title=\"Wix-Toolset \" alt=\"Wix-Toolset \" src=\"https:\/\/i.imgur.com\/hlTg2FD.jpg\"><\/p>\n<p>As shown in the above screenshot, WiX Toolset v3.11.1 is the current version. Visiting this site, I noticed that the website is still offered via http \u2013 but fortunately the toolset itself is provided via <a href=\"https:\/\/github.com\/wixtoolset\/wix3\/releases\/tag\/wix3111rtm\" target=\"_blank\">GitHub<\/a>. Rob Mensching, who I believe is an ex-Microsoft employee and the developer of the WiX Toolset (see <a href=\"https:\/\/en.wikipedia.org\/wiki\/WiX\" target=\"_blank\">Wikipedia<\/a>), offers the opportunity to obtain the <a href=\"https:\/\/marketplace.visualstudio.com\/items?itemName=RobMensching.WixToolsetVisualStudio2017Extension\" target=\"_blank\">Toolset Visual Studio 2017 Extension<\/a>. <\/p>\n<h3>Microsoft is using vulnerable WiX Toolset versions<\/h3>\n<p>You can download the relevant packages from the <a href=\"https:\/\/support.microsoft.com\/en-us\/help\/2977003\/the-latest-supported-visual-c-downloads\" target=\"_blank\">Microsoft download pages for the VC redistributables<\/a>. These packages were updated about 6 weeks ago. Stefan Kanthak has been focusing on these packages for a long time, because the installer files are created by Microsoft using the WiX Toolset. That alone wouldn't be so bad. But there are 'curiosities', which I summarize briefly here. Stefan Kanthak wrote:<\/p>\n<blockquote>\n<p>The installation packages of the VC redistributables from summer 2018 were created with the WIX toolset version 3.7.3813.0 (and older). Version 3.10.2 of the WIX-Toolset was released in January 2016. 
FireGiant has an article: '<a href=\"https:\/\/www.firegiant.com\/blog\/2016\/1\/20\/wix-v3.10.2-released\/\" target=\"_blank\">WiX v3.10.2 is an important security release of WiX<\/a>. We encourage all users of WiX to upgrade to WiX v3.10.2.' Microsoft doesn't seem to care. <\/p>\n<\/blockquote>\n<p>Stefan Kanthak downloaded the <a href=\"https:\/\/aka.ms\/vs\/15\/release\/vc_redist.x86.exe\" target=\"_blank\">VC redistributable<\/a> from Microsoft and had a few tools analyze it. Here are the results of this inspection. <\/p>\n<pre>Take 1:<br>~~~~~~~\n<p>| C:\\Users\\Stefan\\Downloads&gt;CURL.exe -q -I -L <a href=\"https:\/\/aka.ms\/vs\/15\/release\/vc_redist.x86.exe\" target=\"_blank\">https:\/\/aka.ms\/vs\/15\/release\/vc_redist.x86.exe<\/a><br>...<br>| Last-Modified: Tue, 22 May 2018 17:35:06 GMT<\/p>\n<p>The installer is quite new, published about 10 weeks ago.<\/p>\n<p><br>Take 2:<br>~~~~~~~<\/p>\n<p>| C:\\Users\\Stefan\\Downloads&gt;SIGNTOOL.exe Verify \/V vc_redist.x86.exe<br>...<br>| The signature is timestamped: Tue May 15 08:08:31 2018<\/p>\n<p>The installer was built or digitally signed about 11 weeks ago,<br>just one week prior to its release.<\/p>\n<p><br>Take 3:<br>~~~~~~~<\/p>\n<p>| C:\\Users\\Stefan\\Downloads&gt;FILEVER.exe \/V vc_redist.x86.exe<br>| --a-- W32i&nbsp;&nbsp; APP ENU&nbsp;&nbsp; 14.14.26429.4 shp 14,611,496 05-22-2018 vc_redist.x86.exe<br>|<br>|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Language&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0x0409 (Englisch (USA))<br>|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; CharSet&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0x04e4 Windows, Multilingual<br>|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; OleSelfRegister Disabled<br>|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; CompanyName&nbsp;&nbsp;&nbsp;&nbsp; Microsoft Corporation<br>|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; FileDescription Microsoft Visual C++ 2017 Redistributable (x86) - 
14.14.26429<br>|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; InternalName&nbsp;&nbsp;&nbsp; setup<br>|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; OriginalFilenam VC_redist.x86.exe<br>|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ProductName&nbsp;&nbsp;&nbsp;&nbsp; Microsoft Visual C++ 2017 Redistributable (x86) - 14.14.26429<br>|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ProductVersion&nbsp; 14.14.26429.4<br>|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; FileVersion&nbsp;&nbsp;&nbsp;&nbsp; 14.14.26429<br>|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LegalCopyright&nbsp; Copyright (c) Microsoft Corporation. All rights reserved.<\/p>\n<p><br>Take 4:<br>~~~~~~~<\/p>\n<p>| C:\\Users\\Stefan\\Downloads&gt;LINK.exe \/DUMP \/HEADERS \/DEPENDENTS vc_redist.x86.exe<br>...<br>| FILE HEADER VALUES<br>|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 14C machine (x86)<br>|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 7 number of sections<br>|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 54DE53A8 time date stamp Fri Feb 13 20:42:32 2015<\/p><\/pre>\n<p>This is already critical. The VC redistributable has a file date of May 15, 2018, but was linked (built) on February 13, 2015. 
The installation file with the runtime library was created with the WiX Toolset version 3.7, as can be seen in the following excerpts:<\/p>\n<pre>Take 4, continued:<br>~~~~~~~~~~~~~~~~~~\n<p>| OPTIONAL HEADER VALUES<br>|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10B magic # (PE32)<br>|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 10.00 linker version<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ~~~~~<br>...<br>|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 5.01 operating system version<br>|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0.00 image version<br>|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 5.01 subsystem version<\/p>\n<p>|&nbsp; Image has the following dependencies:<br>|<br>|&nbsp;&nbsp;&nbsp; gdiplus.dll<br>|&nbsp;&nbsp;&nbsp; ADVAPI32.dll<br>|&nbsp;&nbsp;&nbsp; USER32.dll<br>|&nbsp;&nbsp;&nbsp; OLEAUT32.dll<br>|&nbsp;&nbsp;&nbsp; GDI32.dll<br>|&nbsp;&nbsp;&nbsp; SHELL32.dll<br>|&nbsp;&nbsp;&nbsp; ole32.dll<br>|&nbsp;&nbsp;&nbsp; KERNEL32.dll<br>|&nbsp;&nbsp;&nbsp; Cabinet.dll<br>|&nbsp;&nbsp;&nbsp; CRYPT32.dll<br>|&nbsp;&nbsp;&nbsp; msi.dll<br>|&nbsp;&nbsp;&nbsp; RPCRT4.dll<br>|&nbsp;&nbsp;&nbsp; WININET.dll<br>|&nbsp;&nbsp;&nbsp; WINTRUST.dll<br>|&nbsp;&nbsp;&nbsp; VERSION.dll<\/p>\n<p>Debug Directories<br>|<br>|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Time Type&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Size&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; RVA&nbsp; Pointer<br>|&nbsp;&nbsp;&nbsp; -------- ------ -------- -------- --------<br>|&nbsp;&nbsp;&nbsp; 54DE53A8 cv&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 46 00052F60&nbsp;&nbsp;&nbsp; 51760 ... E:\\delivery\\Dev\\wix37\\build\\ship\\x86\\burn.pdb<\/p><\/pre>\n<p>So Microsoft's developers are using an old WiX Toolset version that is known to be vulnerable. 
I'm no expert in versioning \u2013 but Stefan Kanthak told me that the installer was created with Visual Studio 2010 for use under Windows XP and newer Windows NT versions. In February 2015, however, Windows XP had long since fallen out of support (support ended in April 2014). <\/p>\n<p>The excerpt above also shows that the installer depends on a bunch of DLLs. These DLLs are not treated as 'known DLLs' by Windows. This means that, during installation, malware could replace these files in the directory containing the installation files and hook into the installation. I mentioned the possible problems in my blog post <a href=\"https:\/\/borncity.com\/win\/2018\/08\/11\/psa-classic-shell-is-now-open-shell-menu-and-a-warning\/\">PSA: Classic Shell is now Open Shell Menu \u2013 and a warning<\/a>. <\/p>\n<p>The list of potential problems and vulnerabilities Stefan Kanthak sent me continues in this vein &#8211; I will spare you the rest. To sum it up: Microsoft is using outdated and vulnerable tools to create a runtime redistributable that has been installed on millions of Windows systems. Kanthak informed Microsoft about this &#8211; but nothing happened. The colleagues at The Register have just <a href=\"https:\/\/www.theregister.co.uk\/2018\/08\/22\/microsoft_installers_fail\/\" target=\"_blank\">taken that up<\/a>. 
What's going on at Microsoft right now?<\/p>\n<p><strong>Similar articles<br \/><\/strong><a href=\"https:\/\/borncity.com\/win\/2018\/08\/11\/psa-classic-shell-is-now-open-shell-menu-and-a-warning\/\">PSA: Classic Shell is now Open Shell Menu \u2013 and a warning<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2018\/07\/18\/security-flaws-in-mdop-mbam-july-2018-update-kb4340040\/\">Security flaws in MDOP\/MBAM July 2018 Update KB4340040<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2018\/08\/20\/windows-10-and-the-onedrive-vulnerabilities-part-1\/\">Windows 10 and the OneDrive vulnerabilities<\/a> \u2013 Part 1<br \/><a href=\"https:\/\/borncity.com\/win\/2018\/08\/20\/windows-10-and-the-onedrive-vulnerabilities-part-2\/\">Windows 10 and the OneDrive vulnerabilities<\/a> \u2013 Part 2<br \/><a href=\"https:\/\/borncity.com\/win\/2018\/08\/20\/windows-10-and-the-onedrive-vulnerabilities-part-3\/\">Windows 10 and the OneDrive vulnerabilities<\/a> \u2013 Part 3<br \/><a href=\"https:\/\/borncity.com\/win\/2018\/02\/21\/security-risk-avoid-7-zip\/\">Security-Risk: Avoid 7-Zip<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2018\/01\/30\/7-zip-vulnerable-update-to-v18-0-1\/\">7-Zip vulnerable \u2013 update to version 18.01<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Here is another hint to vulnerabilities buried in software packages from Microsoft. 
The Visual C++ runtime packages (VC redistributable) provided by Microsoft are assembled to installer packages with outdated (vulnerable) WiX Toolkit versions.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[69,1588,194],"class_list":["post-6701","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-security","tag-visual-c-redistributable","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/6701","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=6701"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/6701\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=6701"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=6701"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=6701"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}