"Dennis E. Hamilton" <dennis.hamil...@acm.org> wrote:

> One correction: jsc.exe is a JavaScript command line processor. J# is not
> and must not be shipped in Windows.
>
> The opinion about the .NET Framework notwithstanding, the presumption that
> these utilities are defective because they were built with older versions of
> Visual C (and its libraries, presumably) does not imply existence of
> defects.

These utilities are just the anchor; the very point is that Microsoft ships
SUPERSEDED and VULNERABLE versions of the Visual C++ 2005 runtime with
(certain versions of) Windows and other products, against their own
recommendation:

| In the case where a system has no MFC applications currently installed
| but does have the vulnerable Visual Studio or Visual C++ runtimes
| installed, Microsoft recommends that users install this update as a
| defense-in-depth measure, in case of an attack vector being introduced
| or becoming known at a later time.

> I see third-party software that also employ older redistributables,
> some back to 2005.

"Same old sin"!
This does neither justify Microsoft's nor the 3rd parties' BAD behaviour,
which puts users/customers at risk!
And the argument is NOT about "older" components, but either end-of-life
or superseded components: the former may have unknown or unpublished
vulnerabilities, while the latter have known and published vulnerabilities.

JFTR: the MSVCRT shipped with Windows 7 is in the latter category!

Not only does Microsoft repeat the mantra "keep your software up-to-date"
over and over again, but it doesn't live it!

> It is an interesting question why it is expedient to install these
> everywhere, whatever their vintage, just like cmd.exe. It would be valuable
> to know what the dependencies on these are and for whom is it convenient
> that they are always there.

That's just the icing on the cake.

stay tuned
Stefan

> -----Original Message-----
> From: Fulldisclosure <fulldisclosure-boun...@seclists.org> On Behalf Of
> Stefan Kanthak
> Sent: Monday, February 24, 2020 09:06
> To: fulldisclosure@seclists.org
> Cc: bugt...@securityfocus.com
> Subject: [FD] Defense in depth -- the Microsoft way (part 62): Windows
> shipped with end-of-life components
>
> Hi @ll,
>
> since Microsoft Server 2003 R2, Microsoft dares to ship and install the
> abomination known as .NET Framework with every new version of Windows.
>
> Among other components current versions of Windows and .NET Framework
> include
>
> C# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe,
>              C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe)
> J# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe,
>              C:\Windows\Microsoft.NET\Framework64\v2.0.50727\jsc.exe)
> VB# compiler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe,
>               C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe)
> resource converter (C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe,
>                     C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe)
> IL assembler (C:\Windows\Microsoft.NET\Framework\v2.0.50727\ilasm.exe,
>               C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe)
> assembly linker (C:\Windows\Microsoft.NET\Framework\v2.0.50727\al.exe)
>
> Microsoft builds (not just) these programs with Visual C 2005, an
> UNSUPPORTED product that reached its end-of-life on 2016-04-12: see
> <https://support.microsoft.com/en-us/lifecycle/search?alpha=Visual%20C%202005>
>
> Of course these programs are linked to the equally UNSUPPORTED Visual C
> 2005 runtime that also reached its end-of-life 2016-04-12, which Microsoft
> but nevertheless still dares to ship as side-by-side component:
>
> [ ... ]

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
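Added example, not part of either post or of any Microsoft tooling: a PowerShell inventory script that reads the PE linker version of the .NET 2.0 utilities listed in the original post (linker 8.x means Visual C++ 2005) and lists the VC80 CRT side-by-side assemblies present under WinSxS, so an administrator can see which machines still carry the superseded runtime. $MinimumCrtVersion is a placeholder to be replaced with the fixed file version from the relevant Microsoft bulletin, and the WinSxS directory-name parsing assumes the usual arch_name_publickeytoken_version_culture_hash naming convention.

```powershell
# Placeholder (assumption): replace with the fixed msvcr80.dll file version from
# the Microsoft bulletin that supersedes the shipped VC++ 2005 runtime.
$MinimumCrtVersion = [version]'8.0.50727.0'

function Get-PeLinkerVersion {
    # Reads MajorLinkerVersion.MinorLinkerVersion from the PE optional header.
    param([string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        $fs.Seek(0x3C, 'Begin') | Out-Null            # e_lfanew: offset of 'PE\0\0'
        $peOffset = $br.ReadUInt32()
        $fs.Seek($peOffset, 'Begin') | Out-Null
        if ($br.ReadUInt32() -ne 0x00004550) { throw "$Path is not a PE file" }
        $fs.Seek(20, 'Current') | Out-Null            # skip the COFF file header
        $br.ReadUInt16() | Out-Null                   # optional header magic (PE32/PE32+)
        $major = $br.ReadByte(); $minor = $br.ReadByte()
        return "$major.$minor"
    } finally { $fs.Dispose() }
}

$tools = 'csc.exe', 'jsc.exe', 'vbc.exe', 'cvtres.exe', 'ilasm.exe', 'al.exe'
$dirs  = "$env:windir\Microsoft.NET\Framework\v2.0.50727",
         "$env:windir\Microsoft.NET\Framework64\v2.0.50727"

foreach ($d in $dirs) {
    foreach ($tool in $tools) {
        $path = Join-Path $d $tool
        if (-not (Test-Path $path)) { continue }
        $linker  = Get-PeLinkerVersion $path
        $fileVer = (Get-Item $path).VersionInfo.FileVersion
        $flag = if ($linker -like '8.*') { 'built with VC++ 2005 (end-of-life)' } else { '' }
        '{0,-72} linker {1,-5} file {2,-18} {3}' -f $path, $linker, $fileVer, $flag
    }
}

# VC80 CRT side-by-side assemblies: the WinSxS directory name carries the version
# as its fourth '_'-separated field (naming convention assumed, see lead-in).
Get-ChildItem "$env:windir\WinSxS" -Directory -Filter '*microsoft.vc80.crt_*' |
    ForEach-Object {
        $ver = [version](($_.Name -split '_')[3])
        [pscustomobject]@{
            Assembly = $_.Name
            Version  = $ver
            Status   = if ($ver -lt $MinimumCrtVersion) { 'SUPERSEDED' } else { 'current' }
        }
    } | Format-Table -AutoSize
```

Run it in an elevated PowerShell on each Windows host; any row flagged SUPERSEDED identifies a runtime copy that the quoted Microsoft guidance says should be updated regardless of whether an MFC application is installed.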