
Bugtraq mailing list archives

Re: How well does Microsoft support (and follow) their mantra "keep your PC updated"?
From: "Thomas D." <whistl0r () googlemail com>
Date: Sat, 11 Aug 2012 22:42:16 +0200

Hi,

I am not sure if I got your point.

First, winsxs is Microsoft's Windows file repository. Every part of
Windows is split into components and packages. Every package will be
copied into the winsxs folder.

But the content of the winsxs folder doesn't represent the currently
installed features. So for example you could have the IIS package in
winsxs, but IIS isn't currently installed on your system.
But if you would install IIS now, you won't be prompted for a Windows
installation media, because the package is already in the winsxs folder.

Same applies to updates:
If a new version of a package becomes available (Hotfix, Security Update
or just a normal update), Windows will copy the new package into the
winsxs folder, next to the already existing older version of the
package. This will let the winsxs folder grow, but will also make sure
that you are able to remove *every* package at *every* time you want,
because you are able to reinstall the previous version.

I hope this was clear and nothing new for you. So what's your point?
What's wrong when multiple versions of the Visual C++ runtimes are
present in the winsxs folder? Nothing.
It is only important which version is marked as active.

I agree with you:
It is not nice to ship installers with outdated component installers.
But it wouldn't be better to release an updated installer every 2
months... So if Microsoft (or any other company) will ship a new program
today, it should be bundled with the latest version of the component
they are using, because if I haven't installed this component at the
moment, I don't want to be vulnerable *after* I install a new product
(BTW: Did you ever notice the end of the Office installation? Microsoft
is prompting you to visit Windows updates, just because they know that
they will have installed a product/components, which are already out of
date).
From my experience, Windows Updates is keeping my Windows components
like Visual C++ runtimes up to date:

<http://f.666kb.com/i/c6auyx3go8yvhktuo.jpg>

So if you noticed an undetected old version, this is a bug and should be
reported to Microsoft. They often re-release Windows Updates because of
wrong/improved detections.

Regarding VC++ 2005 being end of life:
If you are expecting that programs compiled against a specific runtime
version will be recompiled, just because the runtime is end of life, you
are wrong and - from my point of view - have not understood how runtimes
will be used and why it isn't really a risk.

But as I said in the beginning, maybe I didn't get your point.


-- 
Regards,
Thomas


