
Forum Thread: no newer version available for Visual C

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Microsoft
And, this specific program:
Microsoft Visual C++ 2008 Redistributable Package

This thread has been marked as locked.
jeepee999 no newer version available for Visual C
Member 29th Jul, 2010 20:51
Ranking: 1
Posts: 8
User Since: 11th Jun, 2010
System Score: N/A
Location: N/A
Last edited on 29th Jul, 2010 20:57

I get the message that Microsoft Visual C is unsafe.
I am using win7 64bit.
When I click the link for a solution I get this link:

http://www.microsoft.com/downloads/details.aspx?fa...

Which was published 28-07-2009, a year ago!
That seems strange to me.
I did not download it I assume this is a mistake.

Am I right?

JP

Maurice Joyce RE: no newer version available for Visual C
Handling Contributor 29th Jul, 2010 21:07
Score: 11610
Posts: 8,906
User Since: 4th Jan 2009
System Score: N/A
Location: UK
This "programme" is on my Windows 7 64 Bit. Have U checked Windows Update via the Action Centre?

Have U hidden any Microsoft Updates?

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+0
-0
jeepee999 RE: no newer version available for Visual C
Member 29th Jul, 2010 21:15
Score: 1
Posts: 8
User Since: 11th Jun 2010
System Score: N/A
Location: N/A
Hi.

I have no hidden updates and there are no updates available.

JP
Was this reply relevant?
+0
-0
pevedebe RE: no newer version available for Visual C
Member 29th Jul, 2010 21:18
Score: 0
Posts: 2
User Since: 10th May 2010
System Score: N/A
Location: N/A
I concur with the observations. I get exactly the same report and the same info applies. This MUST be a mistake from secunia!
Was this reply relevant?
+0
-0
jeepee999 RE: no newer version available for Visual C
Member 29th Jul, 2010 21:20
Score: 1
Posts: 8
User Since: 11th Jun 2010
System Score: N/A
Location: N/A
Yesterday I scanned and there were no unsafe programs today it gave this message.


JP
Was this reply relevant?
+0
-0
ddmarshall RE: no newer version available for Visual C
Dedicated Contributor 29th Jul, 2010 21:21
Score: 1205
Posts: 956
User Since: 8th Nov 2008
System Score: 98%
Location: UK
Last edited on 29th Jul, 2010 21:44
Check the installation path. It could be an application has its own copy.

Update

I've just done a scan on Vista and it picks this up too, plus the debugger in Visual Studio. So, unless something has changed today, it looks like a false positive.

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+0
-0
ffrock RE: no newer version available for Visual C
Member 30th Jul, 2010 02:32
Score: 1
Posts: 1
User Since: 3rd Apr 2010
System Score: N/A
Location: N/A
Although it is old, the update patched 1 of 2 hits (it didn't touch the copy in the debugger). I also didn't get any indication of a problem from Microsoft Update. Since one of the hits went away, I think it may be that this threat, while old, was not caught by PSI until now (or the date on the Microsoft patch is off).

Either way, has anyone been able to patch the debugger? So far I haven't found a way to get that one fixed.

Thanks.
Was this reply relevant?
+1
-0

SubActif RE: no newer version available for Visual C
Member 30th Jul, 2010 05:10
Score: 0
Posts: 1
User Since: 19th Feb 2010
System Score: N/A
Location: N/A
Download : http://download.microsoft.com/download/9/7/7/977B4...

And your problem will be solved
Was this reply relevant?
+0
-0
M.Hansen RE: no newer version available for Visual C
Secunia Official 30th Jul, 2010 08:21
Score: 188
Posts: 410
User Since: 26th Jan 2009
System Score: N/A
Location: Copenhagen, DK
Hi

We updated our detection rules for "Microsoft Visual C++ 2008 Redistributable Package" yesterday, since we discovered that it wasn't detected properly.

Users should apply the updates provided in the Microsoft KB article.

(Note that there is a x64 and a x86 bit update, depending on which one you need)
ddmarshall RE: no newer version available for Visual C
Dedicated Contributor 30th Jul, 2010 16:00
Score: 1205
Posts: 956
User Since: 8th Nov 2008
System Score: 98%
Location: UK
I installed KB973552 (although I'm not convinced it is necessary when KB973924 is installed) and it removed the insecurity in C:\Program Files\Common Files . However, I still have an insecurity in C:\Program Files\Microsoft Visual Studio 9.0\Common7\Packages\Debugger\msdia90.dll , file version 9.0.30729.1.

I can't find anything on Microsoft Download Center which updates this file. Would KB971092 affect this? It doesn't seem to apply to Express Edition and, as it is 365MB, I don't want to download it unnecessarily.

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+3
-0
jeepee999 RE: no newer version available for Visual C
Member 30th Jul, 2010 19:13
Score: 1
Posts: 8
User Since: 11th Jun 2010
System Score: N/A
Location: N/A
I installed the updates and the message of unsafe software is gone.
Strange that windows update does not update it.

JP
Was this reply relevant?
+2
-3
ddmarshall RE: no newer version available for Visual C
Dedicated Contributor 30th Jul, 2010 20:23
Score: 1205
Posts: 956
User Since: 8th Nov 2008
System Score: 98%
Location: UK
This update is not available from Microsoft Update. This is hidden away in the Security Bulletin:

Why do the Microsoft Download Center update KB numbers for Visual C++ Redistributable packages differ from the SMS, SCCM, WSUS and MU update KB numbers?
The full versions of the fixed Visual C++ 2005 and 2008 redistributable packages (KB973544, KB973551, and KB973552) are listed on the Microsoft Download Center only as these are full new versions of the products. The updates listed on SMS, SCCM, WSUS, and MU (KB973923, KB9739234) are updates only for customers who have previously installed vulnerable versions of the Visual C++ redistributable packages. These updates are not the versions on the download center. Microsoft does not recommend customers redistribute any version other than the full versions that can be downloaded from the Microsoft Download Center (KB973544, KB973551, and KB973552).


It seems you got KB973924 from Microsoft Update if you had a vulnerable Visual C++ redistributable already.

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+1
-0
getsmart37 RE: no newer version available for Visual C
Member 1st Aug, 2010 11:53
Score: 6
Posts: 23
User Since: 30th May 2010
System Score: N/A
Location: AU
I do not want to any thing wrong here but I am also having the same concern.
I have posted it in PSI possibly the wrong FORUM any way

I do not have any hidden updates.
I have checked MS and all my updates are up to date.

The same question where did this come from and how is it fixed

These 2 insecure programs came up Fri 30th July 10

Microsoft Visual C++ 2008 Redistributable Package 9.0.210022.218
Microsoft Visual C++ 2008 Redistributable Package (64-bit) 9.0.210022.8

What are these and what are they for?
If required which one do I use?



Keith
Was this reply relevant?
+0
-0
LarryLeather RE: no newer version available for Visual C
Member 1st Aug, 2010 12:03
Score: 10
Posts: 13
User Since: 30th May 2010
System Score: N/A
Location: N/A
Last edited on 1st Aug, 2010 12:23
M.Hansen (Secunia Official) said:
on 30th Jul, 2010 08:21, M.Hansen wrote:
Hi

We updated our detection rules for "Microsoft Visual C++ 2008 Redistributable Package" yesterday, since we discovered that it wasn't detected properly.

Users should apply the updates provided in the Microsoft KB article.


Not very meaty because there were no insecurity advice before and now there are 4 which all point to one and the same recommended update which is a year old.

If I install the update anyway against all doubts it fixes only 1 advice and the others (9.0.30729.1) still remain and can not be serviced because the reinstallation of the same update doesn't work.

I think Secunia has to fix something and not we - right?
Was this reply relevant?
+1
-0
captain_k RE: no newer version available for Visual C
Member 1st Aug, 2010 13:04
Score: 0
Posts: 4
User Since: 1st Aug 2010
System Score: N/A
Location: AU
I get the same "insecurities" on my Windows7 64bit machine, but my XP Pro 32bit laptop is showing none. I don't know much about it but I wouldn't expect this inconsistency. Perhaps someone will enlighten me.

best regards

Rick Canham
Was this reply relevant?
+0
-0
ivart RE: no newer version available for Visual C
Member 1st Aug, 2010 13:07
Score: 0
Posts: 1
User Since: 7th Mar 2010
System Score: N/A
Location: N/A
When I had a look in Revo Uninstaller I saw that all of my Visual C++ Redist. packages installed was of the x86- type, even though my OS is w7 64. So I downloaded the x86-file from the link provided and the problem was fixed.
Was this reply relevant?
+0
-0
ddmarshall RE: no newer version available for Visual C
Dedicated Contributor 1st Aug, 2010 13:08
Score: 1205
Posts: 956
User Since: 8th Nov 2008
System Score: 98%
Location: UK
@LarryLeather

Are the files which didn't get patched in C:\Program Files\Microsoft Visual Studio 9.0 ?
I haven't a solution; I'd just like to know.

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+0
-0
Maurice Joyce RE: no newer version available for Visual C
Handling Contributor 1st Aug, 2010 13:16
Score: 11610
Posts: 8,906
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Keith,
Good Evening. I cannot answer whether Secunia need to tweak their new detection rule but in your case U clearly have a different version to me. I am secure with Windows 7 64 Bit.

For a 64 Bit U should have 4 entries in Control Panel>add/remove.

They are listed under the heading Microsoft Visual C++ as follows:

2008 Redistributable - x64 9.0.30729.17

2008 Redistributable - x64 9.0.30729.4148

The details for 32 Bit are shown exactly the same minus the x64 bit. Total 4 entries.

PSI should be showing 2 entries which look alike except for the 64 Bit clearly showing on one entry. the version number for both is 9.0.30729.4148.

This update was issued by Microsoft on 22/12/2009 via Windows Update. Worth checking back on your update history to see what is going on.

Hope this helps.


12:13 01/08/2010






--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+1
-0
LarryLeather RE: no newer version available for Visual C
Member 1st Aug, 2010 13:35
Score: 10
Posts: 13
User Since: 30th May 2010
System Score: N/A
Location: N/A
Last edited on 1st Aug, 2010 13:55
I have Windows Vista 32bit
and installed:
VS 2008 9.0.30729.1 SP
(+ some tools/libs/SDKs like CUDA, Qt, Power commands etc.
btw.: DIA = Debug Interface Access)

The 3 remaining advices and their paths are:

Microsoft Visual C++ 2008 Redistributable Package
C:\Program Files\Microsoft Visual Studio 9.0\DIA SDK\bin\msdia90.dll

Microsoft Visual C++ 2008 Redistributable Package (64-bit)
C:\Program Files\Microsoft Visual Studio 9.0\DIA SDK\bin\amd64\msdia90.dll

Microsoft Visual C++ 2008 Redistributable Package
C:\Program Files\Microsoft Visual Studio 9.0\Common7\Packages\Debugger\msdia90.dll

... hope this helps
Was this reply relevant?
+3
-0
jaddi27 RE: no newer version available for Visual C
Member 1st Aug, 2010 13:57
Score: 1
Posts: 2
User Since: 22nd Dec 2008
System Score: N/A
Location: AU
on 1st Aug, 2010 13:35, LarryLeather wrote:
I have Windows Vista 32bit
and installed:
VS 2008 9.0.30729.1 SP
(+ some tools/libs/SDKs like CUDA, Qt, Power commands etc.
btw.: DIA = Debug Interface Access)

The 3 remaining advices and their paths are:

Microsoft Visual C++ 2008 Redistributable Package
C:\Program Files\Microsoft Visual Studio 9.0\DIA SDK\bin\msdia90.dll

Microsoft Visual C++ 2008 Redistributable Package (64-bit)
C:\Program Files\Microsoft Visual Studio 9.0\DIA SDK\bin\amd64\msdia90.dll

Microsoft Visual C++ 2008 Redistributable Package
C:\Program Files\Microsoft Visual Studio 9.0\Common7\Packages\Debugger\msdia90.dll

... hope that helps


I have the same locations showing up in PSI. I am running VS2008 SP1 on a Win 7 Pro machine.
Would it be possible to simply copy the msdia90.dll file from
C:\Program Files\Common Files\microsoft shared\VC
to overwrite the other files? I presume I could only replace the 32bit files with this one, and not the 64bit one. Would this be feasible?

Hopefully it can be sorted out soon.
Joel
Was this reply relevant?
+2
-1
LarryLeather RE: no newer version available for Visual C
Member 1st Aug, 2010 14:12
Score: 10
Posts: 13
User Since: 30th May 2010
System Score: N/A
Location: N/A
I wouldn't recommend doing things like this - better to ignore the issues of PSI until a fix may be made.
Was this reply relevant?
+2
-0
ddmarshall RE: no newer version available for Visual C
Dedicated Contributor 1st Aug, 2010 14:17
Score: 1205
Posts: 956
User Since: 8th Nov 2008
System Score: 98%
Location: UK
@LarryLeather

Thanks for that. Same for me. I'm thinking of just ignoring these. I don't know if overwriting these with the updated versions is the thing to do. It would stop the Secunia detection, but it's only the module that's being used for detection, not necessarily where the vulnerability is.

@captain k

Have you checked that Visual C++ 2008 is installed on your XP system with Add/Remove Programs? If you've got older programs only on it, you may not need it.

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+0
-0
captain_k RE: no newer version available for Visual C
Member 1st Aug, 2010 15:45
Score: 0
Posts: 4
User Since: 1st Aug 2010
System Score: N/A
Location: AU
Last edited on 1st Aug, 2010 15:46
on 1st Aug, 2010 14:17, ddmarshall wrote:


@captain k

Have you checked that Visual C++ 2008 is installed on your XP system with Add/Remove Programs? If you've got older programs only on it, you may not need it.


Hi ,
Good point, and silly of me not to check. Only Visual C++2005 is showing. Duh!

I'm going to leave my W7 64bit system alone and wait for further comment from Secunia.

best regards
Rick Canham
Was this reply relevant?
+0
-0
getsmart37 RE: no newer version available for Visual C
Member 2nd Aug, 2010 07:59
Score: 6
Posts: 23
User Since: 30th May 2010
System Score: N/A
Location: AU
This is a copy of my reply to Maurice in the PSI Forum


Maurice

Could this be that answer ?

I installed MS7 on 10.3.10

Keith
*********************

Why all of a sudden this pops up.
When I did installation of W7 and every other update how come it never showed up before.

Keith
Was this reply relevant?
+0
-0
dana-se RE: no newer version available for Visual C
Member 2nd Aug, 2010 09:12
Score: 0
Posts: 3
User Since: 5th Dec 2009
System Score: N/A
Location: N/A
Last edited on 2nd Aug, 2010 09:13
I installed a new computer with Windows 7 x64 and all its updates 2010-08-01.
And the programs I have installed so far are Office 2010 std and Secunia PCI.

I can see 2 entries in Control Panel>add/remove.

Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17

PSI is complaining about the file
C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll
File version: 9.0.30729.1
Date modified: 2008-07-29 12:49

Windows Update says that there are "No important updates available"
But PSI says that Microsoft Visual C++ 2008 Redistributable is insecure.

Is this a Microsoft problem or what.

Dan
Was this reply relevant?
+0
-0
Maurice Joyce RE: no newer version available for Visual C
Handling Contributor 2nd Aug, 2010 09:58
Score: 11610
Posts: 8,906
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 2nd Aug, 2010 10:06
@dana-se

Withdrawn - rechecking detail.

Sorry for the edit:

My original information was correct. The file that should be showing in that location is:

9.0.30729.4148 dated 12/7/2009.

This was a result of my fully updating Windows after a delivery of a new PC on 22/12/2009. The update is rated as important.

Have U got an entry in the Windows Update history relating to C++?



--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+0
-0
dana-se RE: no newer version available for Visual C
Member 2nd Aug, 2010 10:28
Score: 0
Posts: 3
User Since: 5th Dec 2009
System Score: N/A
Location: N/A
As far as I can see I have no entry in the Windows Update history relating to C++.

But I installed the update you suggested “Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package ATL Security Update”, even if it already was installed, and now msdia90.dll shows 9.0.30729.4148 dated 12/7/2009.

1 entry in Control Panel>add/remove Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 changed date to 2010-08-02

So I think there was a problem with Windows Update.

Thanks

Dan
Was this reply relevant?
+0
-0
Maurice Joyce RE: no newer version available for Visual C
Handling Contributor 2nd Aug, 2010 10:40
Score: 11610
Posts: 8,906
User Since: 4th Jan 2009
System Score: N/A
Location: UK
I agree very odd - are U saying U are now in the Yippee Class & fully secure again?

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+0
-0
dana-se RE: no newer version available for Visual C
Member 2nd Aug, 2010 10:52
Score: 0
Posts: 3
User Since: 5th Dec 2009
System Score: N/A
Location: N/A
Yes, I'm now 100% secure again!

--
Dan
Was this reply relevant?
+0
-0
LarryLeather RE: no newer version available for Visual C
Member 2nd Aug, 2010 13:23
Score: 10
Posts: 13
User Since: 30th May 2010
System Score: N/A
Location: N/A
I examined something and it rather seems to be a microsoft issue:

The DIA SDK seems to be a part of VS 2008 IDE and was installed with it.
The safety-update vcredist_x86.exe from 12.07.2009 (the update suggested from PSI) only replaces the runtime version of DIA (c:\Program Files\Common Files\microsoft shared\VC\msdia90.dll) but not the files of the SDK itself (under c:\Program Files\Microsoft Visual Studio 9.0\DIA SDK\) and so PSI correctly still found these.

But to overwrite the msdia90.dll in these locations doesn't help really because if you want to develop software with DIA SDK you need the SDK-files. And the headers and lib-files wouldn't fit to this new dll.
What we need is the complete DIA SDK from Microsoft and not only the runtime file.

But I didn't find anything at microsoft what updates the files under the DIA SDK directory too.
Anyone an idea where to find a complete Version or Update of DIA SDK?
May be a job for Secunia.

So, until that happens, the only way is not to develop software which use the DIA SDK
... unless you want to develop some virus ;)
Was this reply relevant?
+3
-0
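
The situation described in the post above (one shared runtime copy of msdia90.dll replaced by the update, other copies left at 9.0.30729.1), as an added example that is not part of the original thread: a PowerShell inventory of every msdia90.dll with its file version compared against 9.0.30729.4148. The function name, the default search roots and the status wording are assumptions made for illustration; PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the thread): inventory msdia90.dll copies and
# compare each file version with the build posters report after the update.

# Version reported in the thread for the updated shared copy.
$PatchedVersion = [version]'9.0.30729.4148'

function Get-Msdia90Inventory {
    param(
        # Assumed default roots; pass other folders (e.g. a non-default
        # Visual Studio install drive) with -Root.
        [string[]]$Root = @($env:ProgramFiles, ${env:ProgramFiles(x86)})
    )

    # Drop empty entries (no ProgramFiles(x86) on 32-bit Windows) and missing folders.
    $existing = $Root |
        Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
        Select-Object -Unique

    foreach ($dir in $existing) {
        Get-ChildItem -LiteralPath $dir -Filter 'msdia90.dll' -Recurse -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                $vi = $_.VersionInfo
                # Use the numeric parts: the FileVersion string may carry extra text.
                $parts   = @($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
                $version = [version]($parts -join '.')

                # The shared runtime copy is the one the thread says the update replaces.
                $isShared = $_.FullName -like '*\Common Files\microsoft shared\VC\*'

                $status = if ($version -ge $PatchedVersion) {
                    'at or above patched build'
                } elseif ($isShared) {
                    'shared runtime copy: install the redistributable update'
                } else {
                    'embedded copy: not replaced by the redistributable update'
                }

                [pscustomobject]@{
                    Path     = $_.FullName
                    Version  = $version
                    Location = if ($isShared) { 'shared' } else { 'embedded' }
                    Status   = $status
                }
            }
    }
}

# Usage: list all copies, shared runtime first.
Get-Msdia90Inventory | Sort-Object Location -Descending | Format-Table -AutoSize -Wrap
```

The file version only identifies which build of a copy is on disk; as later replies in the thread point out, the file used for detection is not necessarily the file that contains the vulnerability.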
ddmarshall RE: no newer version available for Visual C
Dedicated Contributor 2nd Aug, 2010 13:27
Score: 1205
Posts: 956
User Since: 8th Nov 2008
System Score: 98%
Location: UK
on 30th Jul, 2010 20:23, ddmarshall wrote:
This update is not available from Microsoft Update. This is hidden away in the Security Bulletin:

Why do the Microsoft Download Center update KB numbers for Visual C++ Redistributable packages differ from the SMS, SCCM, WSUS and MU update KB numbers?
The full versions of the fixed Visual C++ 2005 and 2008 redistributable packages (KB973544, KB973551, and KB973552) are listed on the Microsoft Download Center only as these are full new versions of the products. The updates listed on SMS, SCCM, WSUS, and MU (KB973923, KB9739234) are updates only for customers who have previously installed vulnerable versions of the Visual C++ redistributable packages. These updates are not the versions on the download center. Microsoft does not recommend customers redistribute any version other than the full versions that can be downloaded from the Microsoft Download Center (KB973544, KB973551, and KB973552).


It seems you got KB973924 from Microsoft Update if you had a vulnerable Visual C++ redistributable already.



Microsoft issued KB973924, which you had, to fix the vulnerability. Secunia do not seem to think this enough. KB973552 is not available from Windows update.

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+0
-0
ddmarshall RE: no newer version available for Visual C
Dedicated Contributor 2nd Aug, 2010 13:50
Score: 1205
Posts: 956
User Since: 8th Nov 2008
System Score: 98%
Location: UK
@LarryLeather

Microsoft issued KB971092 for Visual Studio at the same time as the update to the redistributable. Windows Update hasn't attempted to download it for my Express Edition and I haven't attempted to get it from the download center because of its size. In any case, the file Secunia is detecting doesn't seem to be replaced.

http://support.microsoft.com/kb/971092

http://www.microsoft.com/downloads/details.aspx?fa...

Here's some more information you could review to see if this is a problem for you.

http://msdn.microsoft.com/en-us/visualc/ee309358.a...

http://blogs.technet.com/b/srd/archive/2009/07/28/...

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+1
-0
LarryLeather RE: no newer version available for Visual C
Member 2nd Aug, 2010 14:25
Score: 10
Posts: 13
User Since: 30th May 2010
System Score: N/A
Location: N/A
Last edited on 2nd Aug, 2010 14:26
Thank you, but I didn't find any what updates the files under the DIA SDK directory.
What I need is a complete updated DIA SDK - not only the runtime dll.
Was this reply relevant?
+0
-0
bjm__ RE: no newer version available for Visual C
Member 2nd Aug, 2010 17:21
Score: 64
Posts: 374
User Since: 9th Mar 2009
System Score: 100%
Location: US
Last edited on 2nd Aug, 2010 17:39
sorry, moved my post to correct Topic
Was this reply relevant?
+0
-0
ddmarshall RE: no newer version available for Visual C
Dedicated Contributor 2nd Aug, 2010 21:22
Score: 1205
Posts: 956
User Since: 8th Nov 2008
System Score: 98%
Location: UK
@LarryLeather

My reading of the Microsoft literature is that KB971092 fixes the vulnerable ATL libraries in VS 2008. The problem is that Secunia is using msdia90.dll to identify the version of the redistributable, although msdia90.dll is not where the vulnerabilities are. If the commercial CSI users are having the same problems, I guess Secunia will sort this out.

It looks like you only have problems if you are using VS to develop COM objects. Maybe time to update to VS 2010.

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+0
-0
LarryLeather RE: no newer version available for Visual C
Member 2nd Aug, 2010 23:28
Score: 10
Posts: 13
User Since: 30th May 2010
System Score: N/A
Location: N/A
Do you mean, that msdia90.dll has NO vulnerability and PSI is totally on the wrong path?

msdia90.dll is the runtime-dll of DIA (Debug Interface Access) which provides access to debug information stored in program database (.pdb) files and has nothing to do directly with ATL.

For me it seems more to be another building site what you talk about, because what I have read in KB971092 is that it is primarily about ActiveX problems what is an old subject as everybody knows.

Btw: ActiveX are not the only COM-Objects and therefore no need for me to update to VS 2010. ;)

Was this reply relevant?
+0
-0
ddmarshall RE: no newer version available for Visual C
Dedicated Contributor 3rd Aug, 2010 00:01
Score: 1205
Posts: 956
User Since: 8th Nov 2008
System Score: 98%
Location: UK
Exactly. These fixes are for the July 2009 ATL vulnerability. My understanding is that Secunia needs to find a file which enables it to determine which version of a product is installed. This is not necessarily the file that has a vulnerability. The updates on Microsoft Update only shipped the files that needed to be changed. So msdia90.dll was not changed.

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+0
-0
LarryLeather RE: no newer version available for Visual C
Member 3rd Aug, 2010 00:20
Score: 10
Posts: 13
User Since: 30th May 2010
System Score: N/A
Location: N/A
Last edited on 3rd Aug, 2010 00:23
on 3rd Aug, 2010 00:01, ddmarshall wrote:
My understanding is that Secunia needs to find a file which enables it to determine which version of a product is installed. This is not necessarily the file that has a vulnerability.


No, I don't think so. In nearly all files are version infos, why not focus the correct files?

on 3rd Aug, 2010 00:01, ddmarshall wrote:
So msdia90.dll was not changed.


msdia90.dll was changed like suggested in PSI and 1 advice is gone! But the other same msdia90.dll in the DIA SDK-dir were not changed. That's the issue!
Was this reply relevant?
+0
-0
getsmart37 RE: no newer version available for Visual C
Member 3rd Aug, 2010 07:51
Score: 6
Posts: 23
User Since: 30th May 2010
System Score: N/A
Location: AU
Yesterday Aug 2nd I had to contact MS re an Outlook10 concern.

While I was talking to the Technician (who had control of my computer) we went to the Secunia link and I showed him the insecures listed on my computer.

He explained that they were OK and just go ahead and download the correct link/s

I went to my Control Panel > Programs and Features and that program was installed.

Next morning I downloaded as recommended by Secunia and all OK. Then up popped another one from MS an Update.

Secunia notified me before MS did well done Secunia.

I very strongly suggest if you are having any problems with this update contact MS and talk to a technician and it will all be explained to you.

Keith
Was this reply relevant?
+1
-0
This user no longer exists RE: no newer version available for Visual C
Member 3rd Aug, 2010 09:10
Hi,

The PSI uses file information to detect programs and extract version info. Since these detection rules are created separately from version rules (that determine the latest secure versions), the file pointed out by the PSI is not necessarily the vulnerable file. It will simply be the file that contains the version information we need.

The real source of information about insecure files and so on is usually our advisory, which will also contain links to the Microsoft Security bulletin for Microsoft products.

hope this helps.
Was this reply relevant?
+0
-0
LarryLeather RE: no newer version available for Visual C
Member 3rd Aug, 2010 09:44
Score: 10
Posts: 13
User Since: 30th May 2010
System Score: N/A
Location: N/A
Last edited on 3rd Aug, 2010 09:58
Ok - but in this case we have still 3 problems!

1. I have totally 4(!) msdia90.dll and only the one in the shared folder is replaced through the update, not the others in the SDK- and Packages\Debugger-Folder (which is also part of VS 2008).

2. PSI still detects the other ones and so I have still 3 other advices.

3. They all point to the same update which can't be installed a 2nd time and even if it would be so, it would still not replace the other msdia90.dll. So I can't get shot of the 3 advices!

I want to have a clean score in PSI but under this circumstances it is not possible!

EDIT: Ok, I can make rules, that would be a workaround! But it would be better if PSI knows it by itself - without userwork ;)
...maybe in the future.
Was this reply relevant?
+0
-0
This user no longer exists RE: no newer version available for Visual C
Member 3rd Aug, 2010 10:32
Hi,

As you might know, the PSI only reports vulnerabilities and links vendor solutions. We do not prepare the patches ourselves. Therefore, we have no control over whether an embedded copy of the distributable is shipped with third-party software, and put into locations where it cannot be patched.

However, if you post the paths of all your installations of The Visual C++ Runtime, I can correct our rules so the PSI only shows the problems you can solve.
Was this reply relevant?
+0
-0
LarryLeather RE: no newer version available for Visual C
Member 3rd Aug, 2010 11:06
Score: 10
Posts: 13
User Since: 30th May 2010
System Score: N/A
Location: N/A
on 3rd Aug, 2010 10:32, wrote:
We do not prepare the patches ourselves.

I know this.

on 3rd Aug, 2010 10:32, wrote:
Therefore, we have no control over whether an embedded copy of the distributable is shipped with third-party software, and put into locations where it cannot be patched.

That's clear, but the DIA SDK is not 'third-party software' - it's from MS and was part of VS 2008 (may be today no more?). But wait... I bought an Upgrade, therefore may be a relict from older versions?

on 3rd Aug, 2010 10:32, wrote:
However, if you post the paths of all your installations of The Visual C++ Runtime, I can correct our rules so the PSI only shows the problems you can solve.

This would be nice. I have done this already some entries before:

on 1st Aug, 2010 13:35, LarryLeather wrote:
I have Windows Vista 32bit
and installed:
VS 2008 9.0.30729.1 SP
(+ some tools/libs/SDKs like CUDA, Qt, Power commands etc.
btw.: DIA = Debug Interface Access)

The 3 remaining advices and their paths are:

Microsoft Visual C++ 2008 Redistributable Package
C:\Program Files\Microsoft Visual Studio 9.0\DIA SDK\bin\msdia90.dll

Microsoft Visual C++ 2008 Redistributable Package (64-bit)
C:\Program Files\Microsoft Visual Studio 9.0\DIA SDK\bin\amd64\msdia90.dll

Microsoft Visual C++ 2008 Redistributable Package
C:\Program Files\Microsoft Visual Studio 9.0\Common7\Packages\Debugger\msdia90.dll

... hope this helps


Thank you
Was this reply relevant?
+0
-0
This user no longer exists RE: no newer version available for Visual C
Member 3rd Aug, 2010 11:28
Hi,

Try scanning again. Any change?
Was this reply relevant?
+0
-0
cvalde RE: no newer version available for Visual C
Member 3rd Aug, 2010 11:53
Score: 11
Posts: 22
User Since: 30th Jul 2009
System Score: N/A
Location: CL
Isn't it strange that only PSI panics?
It asks me to download
http://www.microsoft.com/downloads/details.aspx?fa...
but this is
Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package ATL Security Update
Date Published: 7/28/2009

I downloaded the update again and ran it (for me it's vcredist_x86.exe), rebooted and scanned again with PSI. It still says I'm insecure. I'm not convinced, seems another error in PSI rules.

Windows XP SP3 with all MS patches, PSI 1.5.0.2.
Windows update detects nothing.
MBSA 2.1 detects nothing.

These are the two instances PSI found:
J:\Lang\Microsoft Visual Studio 9.0\DIA SDK\bin\msdia90.dll
J:\Lang\Microsoft Visual Studio 9.0\Common7\Packages\Debugger\msdia90.dll
In both cases, the file version detected is 9.0.30729.1.

C.
Was this reply relevant?
+0
-0
Maurice Joyce RE: no newer version available for Visual C
Handling Contributor 3rd Aug, 2010 12:05
Score: 11610
Posts: 8,906
User Since: 4th Jan 2009
System Score: N/A
Location: UK
What U have not explained is what U use the J drive for?

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+1
-0
LarryLeather RE: no newer version available for Visual C
Member 3rd Aug, 2010 12:16
Score: 10
Posts: 13
User Since: 30th May 2010
System Score: N/A
Location: N/A
on 3rd Aug, 2010 11:28, wrote:
Hi,

Try scanning again. Any change?


Better, but one remains:
Microsoft Visual C++ 2008 Redistributable Package 9.0.30729.1
C:\Program Files\Microsoft Visual Studio 9.0\DIA SDK\bin\msdia90.dll

This user no longer exists RE: no newer version available for Visual C
Member 3rd Aug, 2010 12:43
Hi,

Yes, I know. I intentionally left that one out.
Are you saying you still have two copies showing up? If so, I need both paths to correct the rules.
LarryLeather RE: no newer version available for Visual C
Member 3rd Aug, 2010 12:47
Score: 10
Posts: 13
User Since: 30th May 2010
System Score: N/A
Location: N/A
no, only this one:
on 3rd Aug, 2010 12:16, LarryLeather wrote:
Microsoft Visual C++ 2008 Redistributable Package 9.0.30729.1
C:\Program Files\Microsoft Visual Studio 9.0\DIA SDK\bin\msdia90.dll

jaddi27 RE: no newer version available for Visual C
Member 3rd Aug, 2010 14:59
Score: 1
Posts: 2
User Since: 22nd Dec 2008
System Score: N/A
Location: AU
Thanks for fixing the rules for the files.

Will the third one eventually be fixed in the rules as well?

Joel
This user no longer exists RE: no newer version available for Visual C
Member 3rd Aug, 2010 15:04
Hi,

Try now, it should no longer show the embedded versions of Visual C++ redist.

The version that isn't embedded, however, should still be updated, whether or not Windows Update shows it.
cvalde RE: no newer version available for Visual C
Member 3rd Aug, 2010 15:10
Score: 11
Posts: 22
User Since: 30th Jul 2009
System Score: N/A
Location: CL
Thanks, Emil, the problem is gone.
PSI stopped whining.
:-)

C.
This user no longer exists RE: no newer version available for Visual C
Member 3rd Aug, 2010 15:13
Hi,

Just so we don't have any unexpected problems, someone please confirm that:

1) You received the security alert for the Visual C++ Redistributable
2) Patched it, removing the security threat, leaving only the 3 "Extra" detections
3) Rescanned now, to see it gone.

Just need to make sure there is still detection for this software.
LarryLeather RE: no newer version available for Visual C
Member 3rd Aug, 2010 15:44
Score: 10
Posts: 13
User Since: 30th May 2010
System Score: N/A
Location: N/A
Last edited on 3rd Aug, 2010 15:47
I confirm that:
1) I received the security alert for the Visual C++ Redistributable
2) Patched it, removing the security threat, leaving only the 3 "Extra" detections
3) Rescanned now and they are gone

now all is clean!
:-)

Thanks Emil!

LL




This user no longer exists RE: no newer version available for Visual C
Member 3rd Aug, 2010 15:50
Okay, great!

As soon as I hear back from jeepee999 I'll feel safe locking this thread.
throkr RE: no newer version available for Visual C
Member 3rd Aug, 2010 15:59
Score: 0
Posts: 16
User Since: 1st May 2010
System Score: N/A
Location: BE
Last edited on 3rd Aug, 2010 16:02
@ E. Petersen

Hello,

I posted already today in another thread which is now closed, that's why I'm here.
I'm referring to your earlier suggestion:

"You can get the x64 version here:
http://www.microsoft.com/downloads/details.aspx?Fa...

These versions should show up in Microsoft Update for Windows 7 systems.

hope this helps."

As I said earlier on, the concerned C++2008 Red x64 9.0.30729.17 - C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll was installed during the installation of Agnitum's Outpost Firewall Pro.

So, now I have a few questions if I go for your suggestion:

- if I install this 2010 version, I suppose I can uninstall completely the 2008 version which is causing problems

- as this program is obviously needed by my firewall, will this last one also work with the new installed version ?

- if I have to un and reinstall the firewall in the future, it will probably grab again the 2008 version, so I will have this same issue again & again (this is just a guess; maybe I'm completely wrong)

- with "these versions should show up in Microsoft Update", do you mean in the updates coming through Windows Update ? If this is so, shouldn't I wait till
this moment ?

I'm just very concerned as this is related to the firewall on my machine.

Thank you for this first solution and your further assistance in this matter.

Best regards,



ddmarshall RE: no newer version available for Visual C
Dedicated Contributor 3rd Aug, 2010 19:03
Score: 1205
Posts: 956
User Since: 8th Nov 2008
System Score: 98%
Location: UK
Last edited on 3rd Aug, 2010 19:20
This update, KB973552, is not available from Microsoft Update. If you read through all the linked documents, you will find this in the Security Bulletin:

on 30th Jul, 2010 20:23, ddmarshall wrote:


Why do the Microsoft Download Center update KB numbers for Visual C++ Redistributable packages differ from the SMS, SCCM, WSUS and MU update KB numbers?
The full versions of the fixed Visual C++ 2005 and 2008 redistributable packages (KB973544, KB973551, and KB973552) are listed on the Microsoft Download Center only as these are full new versions of the products. The updates listed on SMS, SCCM, WSUS, and MU (KB973923, KB9739234) are updates only for customers who have previously installed vulnerable versions of the Visual C++ redistributable packages. These updates are not the versions on the download center. Microsoft does not recommend customers redistribute any version other than the full versions that can be downloaded from the Microsoft Download Center (KB973544, KB973551, and KB973552).



You need the version of the redistributable that matches the program. If you have KB973924 from Microsoft Update you are secure. In any case the vulnerability only affects certain types of programs and may not apply to your firewall. This vulnerability was released in July 2009. It's only being flagged up because Secunia changed their detection rules last week and they require a full replacement of the redistributable.

Usually when you uninstall a program it will not uninstall the redistributable as well. If you then reinstall the program an existing redistributable will not be overwritten.

If you uninstall the program and the redistributable, hopefully the latest version should be supplied if you reinstall.

--
This answer is provided “as-is.” You bear the risk of using it.
LarryLeather RE: no newer version available for Visual C
Member 3rd Aug, 2010 23:23
Score: 10
Posts: 13
User Since: 30th May 2010
System Score: N/A
Location: N/A
on 3rd Aug, 2010 15:50, wrote:
As soon as I hear back from jeepee999 I'll feel safe locking this thread.

I am not sure whether jeepee999 goes on air again:
on 30th Jul, 2010 19:13, jeepee999 wrote:
I installed the updates and the message of unsafe software is gone.
Strange that Windows Update does not update it.

JP
throkr RE: no newer version available for Visual C
Member 4th Aug, 2010 08:54
Score: 0
Posts: 16
User Since: 1st May 2010
System Score: N/A
Location: BE
Last edited on 4th Aug, 2010 08:57
@ dd marshall

Hello,

Thanks for your reply but I think there was a little misunderstanding. I didn't talk about the update proposed by PSI, KB973552, useless for me because it doesn't support Win7 (however I just read in the forum that someone has installed it on Win7 and that it seems to work).
That's why E. Petersen suggested an upgrade to the 2010 version :
http://www.microsoft.com/downloads/details.aspx?Fa...

So, all my questions were referring to this item and as E. Petersen added that this version should be proposed with the Windows Updates for Win7 systems, I was just wondering if I shouldn't wait until this happens.

Yes, I have KB973924 installed but the one PSI detected as insecure is :
Microsoft Visual C++2008 Redistributable-x64 9.0.30729.17 with the following installation path : C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll (which isn't KB973924).
As mentioned, it was installed by the firewall during its first installation, a few days ago. Obviously, the latest version of the redistributable has not been supplied.
That's why I supposed that un and reinstalling the firewall AND the redistributable would just give the same issue .....

Thanks for all your help.

Best regards,
E.Jeppesen RE: no newer version available for Visual C
Secunia Official 4th Aug, 2010 09:37
Score: 220
Posts: 618
User Since: 24th Nov 2008
System Score: N/A
Location: Copenhagen, DK
Last edited on 4th Aug, 2010 09:39
throkr,
Regarding how to update components that are bundled in other software, you can contact the vendor for assistance. Since Agnitum offers security products there should be a procedure to keep their programs patched.
throkr RE: no newer version available for Visual C
Member 4th Aug, 2010 10:00
Score: 0
Posts: 16
User Since: 1st May 2010
System Score: N/A
Location: BE
Last edited on 5th Aug, 2010 11:49
E. Jeppesen,

As I don't want to install unnecessary programs and as the concerned redistributable is obviously bundled with the installation package of Agnitum's firewall, I just contacted them in parallel to my posts here.

Thanks for your reply.



Later this pm :

Until I receive an answer from the firewall's vendor, I installed the update proposed by PSI (KB973552), as I read that other persons did it already, however Win7 doesn't figure in the supported systems.
I made a new scan : again 100% secure !!!
The patched programs show now the C2008 9.0.30729.4148 twice (x86 and x64).

Thanks for all the help provided.

Best regards,
Katipo RE: no newer version available for Visual C
Member 6th Aug, 2010 14:21
Score: 0
Posts: 1
User Since: 13th Jun 2010
System Score: N/A
Location: DE
on 29th Jul, 2010 20:51, jeepee999 wrote:
I get the message that Microsoft Visual C is unsafe.
I am using win7 64bit.
When I click the link for a solution I get a this link :

http://www.microsoft.com/downloads/details.aspx?fa...

Which was published 28-07-2009, a year ago!
That seems strange to me.
I did not download it I assume this is a mistake.

Am I right?

JP


_______________________

same as me.

taffy078 RE: no newer version available for Visual C
Contributor 7th Aug, 2010 09:41
Score: 408
Posts: 1,320
User Since: 26th Feb 2009
System Score: 100%
Location: UK
I cringed when I read this & the other threads on the C++ problems as I knew I'd be updating my laptop today - not used for a few days.

I got off to a bad start - the page this link points to is no longer available:
http://www.microsoft.com/downloads/details.aspx?Fa...

Then I found this link** somewhere in the threads:
http://www.microsoft.com/downloads/details.aspx?fa...

I went ahead and selected the x64 and had no problems until the choice of Repair/Uninstall. I chose Repair, everything went well and a scan showed 100%.

I didn't notice the date of that article** until I read Katipo's post. I've put that down to Microsoft's idiosyncrasies.

So for me, what Secunia has done has worked fine. Thank you for a painless C++ update - yippee!

--
taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003

This thread has been marked as locked.
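
The distinction the thread settles on (embedded copies of msdia90.dll are no longer listed, while a stand-alone outdated copy should still be updated) can be expressed as a small triage over detected files. This is an added example, not Secunia's detection rule or code from any poster; the "embedded" path test and the use of 9.0.30729.4148 as the lowest acceptable build are assumptions drawn from the paths and versions quoted above.

```python
from pathlib import PureWindowsPath

# Build PSI listed as patched after KB973552 was installed (reported in the thread).
# Assumption: any lower build of msdia90.dll counts as outdated.
PATCHED_BUILD = (9, 0, 30729, 4148)

# Assumption: a copy below a "Microsoft Visual Studio 9.0" folder is "embedded".
EMBEDDED_DIR = "microsoft visual studio 9.0"


def parse_version(text):
    """Turn '9.0.30729.17' into (9, 0, 30729, 17) so fields compare as numbers."""
    fields = text.strip().split(".")
    if len(fields) != 4 or not all(f.isdigit() for f in fields):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(f) for f in fields)


def is_embedded(path):
    """True when any directory component is the Visual Studio 9.0 install folder."""
    return any(p.lower() == EMBEDDED_DIR for p in PureWindowsPath(path).parts)


def triage(detections):
    """Map each (path, version) pair to 'ok', 'update' or 'embedded'."""
    results = []
    for path, version in detections:
        if parse_version(version) >= PATCHED_BUILD:
            verdict = "ok"
        elif is_embedded(path):
            verdict = "embedded"   # outdated, but shipped inside another product
        else:
            verdict = "update"     # outdated stand-alone redistributable
        results.append((path, version, verdict))
    return results


# Paths and versions quoted in the thread; the last row is constructed.
SAMPLE = [
    (r"J:\Lang\Microsoft Visual Studio 9.0\DIA SDK\bin\msdia90.dll", "9.0.30729.1"),
    (r"J:\Lang\Microsoft Visual Studio 9.0\Common7\Packages\Debugger\msdia90.dll", "9.0.30729.1"),
    (r"C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll", "9.0.30729.17"),
    (r"C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll", "9.0.30729.4148"),
]

if __name__ == "__main__":
    for path, version, verdict in triage(SAMPLE):
        print(f"{verdict:9} {version:15} {path}")
```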

