Security update for Microsoft Visual C++ 2008 (vcredist_x86.exe)
Axel.Pettinger
2010-02-14 15:01:30 UTC
Hi,

After installing Nmap's vcredist_x86.exe (v9.0.30729.17) on Windows 7
I noticed that Windows Update wanted to install a security update:

Microsoft Visual C++ 2008 Redistributable Package (KB973924)
http://go.microsoft.com/fwlink/?LinkID=158264 redirects to

MS09-035: Description of the ATL for Smart Devices security update for
Visual Studio 2008: August 11, 2009
http://support.microsoft.com/kb/973674

The KB article points to:
Microsoft Security Bulletin MS09-035 - Moderate
Vulnerabilities in Visual Studio Active Template Library Could Allow
Remote Code Execution (969706)
http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx

According to the security bulletin KB973924 belongs to:
Visual Studio 2008 ATL for Smart Devices Security Update
http://www.microsoft.com/downloads/details.aspx?familyid=e3bb6602-b7f4-4614-9999-77f5c6f66ccd&displaylang=en

That update is a big one; my computer only downloaded a small file:
http://download.windowsupdate.com/msdownload/update/software/secu/2009/07/atl90sp1-kb973924-x86_80b879911be205de69d7c59ea97f8169ff7b882e.exe

Maybe the vcredist_x86.exe in the Nmap 5.21 archive should be replaced
with the latest version (v9.0.30729.4148) to avoid the notification
about the missing security update:

Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package ATL
Security Update
http://www.microsoft.com/downloads/details.aspx?familyid=2051a0c1-c9b5-4b0a-a8f5-770a549fd78c&displaylang=en
->
http://download.microsoft.com/download/9/7/7/977B481A-7BA6-4E30-AC40-ED51EB2028F2/vcredist_x86.exe

Regards
Axel Pettinger
David Fifield
2010-03-03 01:07:40 UTC
Post by Axel.Pettinger
> After installing Nmap's vcredist_x86.exe (v9.0.30729.17) on Windows 7
> Microsoft Visual C++ 2008 Redistributable Package (KB973924)
> http://go.microsoft.com/fwlink/?LinkID=158264 redirects to
> MS09-035: Description of the ATL for Smart Devices security update for
> Visual Studio 2008: August 11, 2009
> http://support.microsoft.com/kb/973674
> Microsoft Security Bulletin MS09-035 - Moderate
> Vulnerabilities in Visual Studio Active Template Library Could Allow
> Remote Code Execution (969706)
> http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx
> Visual Studio 2008 ATL for Smart Devices Security Update
> http://www.microsoft.com/downloads/details.aspx?familyid=e3bb6602-b7f4-4614-9999-77f5c6f66ccd&displaylang=en
> http://download.windowsupdate.com/msdownload/update/software/secu/2009/07/atl90sp1-kb973924-x86_80b879911be205de69d7c59ea97f8169ff7b882e.exe
> Maybe the vcredist_x86.exe in the Nmap 5.21 archive should be replaced
> with the latest version (v9.0.30729.4148) to avoid the notification
> Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package ATL
> Security Update
> http://www.microsoft.com/downloads/details.aspx?familyid=2051a0c1-c9b5-4b0a-a8f5-770a549fd78c&displaylang=en
> ->
> http://download.microsoft.com/download/9/7/7/977B481A-7BA6-4E30-AC40-ED51EB2028F2/vcredist_x86.exe

Thanks for doing all this research and providing the links. The best
summary of the whole situation I could find was from your link to
ms09-035.mspx:

This security update is specifically intended for developers of
components and controls. Developers who build and redistribute
components and controls using ATL should install the update
provided in this bulletin and follow the guidance provided to
create, and distribute to their customers, components and
controls that are not vulnerable to the vulnerabilities
described in this security bulletin.

I can't pretend to understand all of what this is about, but it seems it
doesn't lead to any security vulnerability in Nmap? The discussion seems
mostly to be about ActiveX controls, and that the presence of the
version of the file we install could open vulnerabilities in other
programs.

Anyway, I've installed the updated file in r16916.

Before this, I still had version 9.0.30729.17 installed. I have
automatic updates turned on, but it must not have offered the newer
version to me. Do you have any idea why you got offered an update but I
didn't? This is on XP SP3.

Do you know if there's an automatic way to find the latest version of
the file? If I go to the download page for the pre-ATL fix version,

http://www.microsoft.com/downloads/details.aspx?familyid=A5C84275-3B97-4AB7-A40D-3802B2AF5FC2&displaylang=en

I don't see any notice that the version for download there has a
vulnerability and that I should instead install the newer version,

http://www.microsoft.com/downloads/details.aspx?familyid=2051a0c1-c9b5-4b0a-a8f5-770a549fd78c&displaylang=en

What I'm asking is, is there a way to check if the version we're using
has been replaced, without searching the contents of security
advisories?

David Fifield
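The question above asks for a way to tell whether the redistributable a build ships is older than the ATL security update without reading every advisory. The following Python script is an added example, not code from this thread or from the Nmap project. It compares installed Visual C++ 2008 runtime versions numerically against 9.0.30729.4148 (the version the thread identifies as carrying KB973924). On Windows it enumerates the standard Uninstall registry keys, reading the DisplayName and DisplayVersion values; that those values hold the runtime's version is an assumption of this example. Elsewhere, or when nothing is found, it falls back to a constructed sample list so the logic can be exercised offline.

```python
"""Flag Microsoft Visual C++ 2008 redistributables older than the ATL
security update (KB973924 / MS09-035).

Added example for this thread; not code from the Nmap project.
Assumptions: the runtime's version is recorded in the DisplayVersion value
of its entry under the standard Uninstall registry keys (standard Windows
locations, not taken from the thread). The versions 9.0.30729.17 and
9.0.30729.4148 are the ones named in the thread.
"""
import re
from typing import Iterable, List, Tuple

# Version the thread identifies as carrying the ATL fix (KB973924).
ATL_FIXED_VERSION = "9.0.30729.4148"

# Standard per-machine Uninstall keys (native and 32-bit-on-64-bit views).
UNINSTALL_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.0.30729.17' into (9, 0, 30729, 17) so components compare as
    numbers. A plain string comparison would rank '9.0.30729.9' above
    '9.0.30729.4148', which is exactly the mistake this avoids."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def needs_update(installed: str, fixed: str = ATL_FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed version."""
    return parse_version(installed) < parse_version(fixed)


def audit_entries(entries: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Given (DisplayName, DisplayVersion) pairs, return the Visual C++ 2008
    runtimes that still predate the ATL security update."""
    flagged = []
    for name, version in entries:
        if "Visual C++ 2008" not in name:
            continue  # unrelated product; ignore
        if needs_update(version):
            flagged.append((name, version))
    return flagged


def read_uninstall_entries() -> List[Tuple[str, str]]:
    """Windows only: collect DisplayName/DisplayVersion from the Uninstall
    keys. Returns an empty list where winreg is unavailable (e.g. Linux)."""
    try:
        import winreg
    except ImportError:
        return []
    found = []
    for path in UNINSTALL_KEYS:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue
        with root:
            index = 0
            while True:
                try:
                    sub = winreg.EnumKey(root, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                try:
                    with winreg.OpenKey(root, sub) as key:
                        name, _ = winreg.QueryValueEx(key, "DisplayName")
                        version, _ = winreg.QueryValueEx(key, "DisplayVersion")
                        found.append((str(name), str(version)))
                except OSError:
                    continue  # entry lacks one of the values
    return found


# Constructed sample of what the registry scan might return: the pre-fix
# runtime the thread says ships in the Nmap 5.21 archive, the fixed runtime,
# and an unrelated product that must be ignored.
SAMPLE_ENTRIES = [
    ("Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17", "9.0.30729.17"),
    ("Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148", "9.0.30729.4148"),
    ("Nmap 5.21", "5.21"),
]

if __name__ == "__main__":
    entries = read_uninstall_entries() or SAMPLE_ENTRIES
    for name, version in audit_entries(entries):
        print(f"OUTDATED: {name} ({version}) < {ATL_FIXED_VERSION}")
```

The same `needs_update` check can be pointed at a file-version string read from the vcredist_x86.exe that a release archive bundles, so a build script can refuse to package a runtime older than the fixed version rather than relying on Windows Update to notice it after installation.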
Michael Pattrick
2010-03-03 02:41:52 UTC
Post by David Fifield
> I can't pretend to understand all of what this is about, but it seems it
> doesn't lead to any security vulnerability in Nmap? The discussion seems
> mostly to be about ActiveX controls, and that the presence of the
> version of the file we install could open vulnerabilities in other
> programs.

Hey David,

A good metric for determining if your software is vulnerable can be
found at [0]. Succinctly, because Nmap doesn't use Microsoft's
proprietary COM interface, we have nothing to worry about.

If memory serves, patch action was really only required for Microsoft
Visual Studio developers, not runtime distributions, because affected
programs needed to be recompiled with the new headers, whereas
Microsoft is nice enough to push down this update automatically via
Windows Update to end users.

Cheers,
Michael

[0] http://msdn.microsoft.com/en-us/visualc/ee309358.aspx
