mailing list archives
Defense in depth -- the Microsoft way (part 4)
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Mon, 22 Jul 2013 21:42:27 +0200
Microsoft distributes (security critical) updates for Windows components
and Microsoft products installed on user systems via "Windows/Microsoft
Update" and installs them automatically.
Except in some VERY common cases...
For the incorporation of redistributable components like the MSVCRT, MFC,
ATL etc. in MSI installer packages of other (including 3rd party) products
Microsoft provides so-called "MSI merge modules" *.MSM with Visual Studio.
This is primarily a convenience for the packager/developer and the
user/consumer, since both dont have to handle the (typically larger)
standalone "redistributable packages" of the included components from
their "main" installer package.
The files included in these MSI merge modules are installed in the same
locations as their standalone "redistributable packages" do.
But... Windows Update Agent doesnt detect vulnerable/outdated files
installed via MSI merge modules: some of the meta-data which is written
by the standalone "redistributable packages" is not written by the MSI
merge modules and lets Windows Update Agent fail to detect them properly.
The result: all Windows installations where
* Microsoft products like Microsoft Security Essentials, Windows Defender,
Forefront Security, Microsoft Office <anything>, Microsoft Sharepoint
<anything>, Microsoft SQL Server <anything>, .NET Framework 2.0/3.0/3.5,
which come with outdated and vulnerable MSI merge modules, are installed,
* 3rd party products like Adobe Reader/Acrobat and numerous others of
numerous other developers/companies, which come with outdated and
vulnerable MSI merge modules, are installed,
* the current version of the standalone "redistributable packages" of the
resp. MSCVRT, MFC, ATL etc. are NOT installed,
are (potentially) VULNERABLE!
PS: if you want to check your own Windows installations: get FILEVER.EXE
(the download link in <http://support.microsoft.com/kb/913111> points
to an older version), start a command prompt and run the following
FILEVER.EXE /S %SystemRoot%\WinSxS\MSVC*.DLL
FILEVER.EXE /S %SystemRoot%\WinSxS\MFC*.DLL
FILEVER.EXE /S %SystemRoot%\WinSxS\ATL*.DLL
FILEVER.EXE /S %SystemRoot%\WinSxS\MSDIA*.DLL
FILEVER.EXE /S %SystemRoot%\WinSxS\VCOMP*.DLL
FILEVER.EXE %SystemRoot%\SysNative\MSVC*.DLL (x64 only)
FILEVER.EXE %SystemRoot%\SysNative\MFC*.DLL ...
FILEVER.EXE %SystemRoot%\SysNative\ATL*.DLL ...
FILEVER.EXE %SystemRoot%\SysNative\MSDIA*.DLL ...
FILEVER.EXE %SystemRoot%\SysNative\VCOMP*.DLL ...
If the output shows DLLs with version numbers less than listed in
you should fetch the resp. "redistributable packages" and install
them (as stated in the FAQ section of
Don't forget to file file bug reports against any product that
installed the outdated DLLs.
PPS: if you find any of these DLLs in %ProgramFiles%, %ProgramFiles(x86)%
or other locations: remove them!
Then ask the developers/vendors who installed them there to take a
REALLY THOROUGH look at <http://support.microsoft.com/kb/835322>!
And don't forget to file file bug reports against any product that
installed OUTDATED DLLs there!
- Defense in depth -- the Microsoft way (part 4) Stefan Kanthak (Jul 23)