
Forum Thread: Microsoft Visual C++ Redistributal Package

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Microsoft
And, this specific program:
Microsoft Visual C++ 2008 Redistributable Package

This thread has been marked as locked.
geosibley Microsoft Visual C++ Redistributal Package
Member 1st Aug, 2010 20:14
Ranking: 0
Posts: 10
User Since: 1st Aug, 2010
System Score: N/A
Location: US
Last edited on 1st Aug, 2010 20:14

A Secunia scan reported that my installation of MS Visual C++ Redistributable Pkg is insecure. I went to the MS solution site, but Windows 7 is not a supported OS listed on the site, and I have W 7.

Is this a mistake by Secunia? Should I download and install the version that Secunia recommends?

geosibley

ddmarshall RE: Microsoft Visual C++ Redistributal Package
Dedicated Contributor 1st Aug, 2010 20:29
Score: 1209
Posts: 961
User Since: 8th Nov 2008
System Score: 98%
Location: UK
See this:

http://secunia.com/community/forum/thread/show/489...

and other recent threads. I wouldn't rush to do anything.

--
This answer is provided “as-is.” You bear the risk of using it.
This user no longer exists RE: Microsoft Visual C++ Redistributal Package
Member 2nd Aug, 2010 09:53
Hi,

You should definitely download and apply this patch. Choose x86 if you're on a 32-bit system, x64 for 64-bit, or IA-64 for Itanium processors.

After applying the update, rescan to see if it kicked in.
geosibley RE: Microsoft Visual C++ Redistributal Package
Member 2nd Aug, 2010 16:58
Score: 0
Posts: 10
User Since: 1st Aug 2010
System Score: N/A
Location: US
I did as you suggested, re-scanned, and all programs are listed as secure. Thank you.

It is odd that Secunia just suddenly started showing that program as insecure after many months, and MS Updates never gave it as an option.
bjm__ RE: Microsoft Visual C++ Redistributal Package
Member 2nd Aug, 2010 17:37
Score: 64
Posts: 374
User Since: 9th Mar 2009
System Score: 100%
Location: US
Last edited on 2nd Aug, 2010 17:47
Hello
as this thread has turned my head to mush...
Please ...walk me through it slowly
My Control Panel > Programs reports >
http://i.imagehost.org/view/0786/Programs_Visual_C
PSI > Patched > currently, No listing of any Visual C+
PSI > Insecure > Insecure Programs > Microsoft Visual C++ 2008 Redistributable Package 9.0.30729.1
Maurice Joyce writes >
They are listed under the heading Microsoft Visual C++ as follows:
2008 Redistributable - x64 9.0.30729.17
2008 Redistributable - x64 9.0.30729.4148
The details for 32 Bit are shown exactly the same minus the x64 bit. Total 4 entries.
PSI should be showing 2 entries which look alike except for the 64 Bit clearly showing on one entry. the version number for both is 9.0.30729.4148.
I have listed at Control Panel > Programs as imagehost renders (see above) x86 9.0.30729.1 & x86 9.0.30729.4148 for 32Bit
So, will PSI after update install/scan populate Visual C+ to Patched, as currently I have no listing for Patched Visual C+
So, after update / scan PSI will now be showing 2 entries which look alike except for the 64 Bit clearly showing on one entry. the version number for both is 9.0.30729.4148.
I'm confused....I follow that this may be M$ Update issue and that now PSI is reporting a previous unreported issue - which is great !
But, PSI on my box - never listed any Visual C+ with Patched ?
So, after update PSI Patched will render Visual C+ listing > 2 entries which look alike except for the 64 Bit clearly showing on one entry. the version number for both is 9.0.30729.4148. ....I will have two Patched entries x64 & x86 even though my OS is 32 Bit ~ Even though PSI never listed any Visual C+ with my Patched Programs. Is the absence of any PSI Patched Visual C+ the PSI non-reporting that is now fixed ?
Help
bjm-
Maurice Joyce RE: Microsoft Visual C++ Redistributal Package
Handling Contributor 2nd Aug, 2010 18:22
Score: 11736
Posts: 8,995
User Since: 4th Jan 2009
System Score: N/A
Location: UK
@bjm
You are clearly running a 32 bit system.

The screenshot image looks good & U should be secure.

U should have one entry in PSI Secure tab:

Microsoft Visual C++ Redistributable 9.0.30729.4148

Does that help?


--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
bjm__ RE: Microsoft Visual C++ Redistributal Package
Member 2nd Aug, 2010 19:49
Score: 64
Posts: 374
User Since: 9th Mar 2009
System Score: 100%
Location: US
Good day Maurice Joyce
Nice to visit with you..
Hope this contact finds you and yours well....
re > The screenshot image looks good & U should be secure.
Well, Ummm... "U should be secure" is why my head is mush... :-)
I have not installed Visual C++ update as yet...(wanted to wait for M$ out of band Security Update download/install/reboot)
Anyway - as I have not yet installed Visual C++ update.
PSI reports one entry in PSI Insecure tab: Insecure Programs > Microsoft Visual C++ 2008 Redistributable Package 9.0.30729.1
-----------------------------------------------
So, even though you write:
Your screenshot image looks good & U should be secure.
U should have one entry in PSI Secure tab:
Microsoft Visual C++ Redistributable 9.0.30729.4148
Ummm...that's not what my PSI reports ?
PSI does not list Microsoft Visual C++ Redistributable 9.0.30729.4148 in PSI Secure tab..
PSI does list one entry in PSI Insecure tab: Insecure Programs > Microsoft Visual C++ 2008 Redistributable Package 9.0.30729.1

Should I install Visual C++ update and see what happens ?
(I pulled and saved to Desktop > vcredist_x86, ver 9.0.30729.4148, 4.27MB)
PSI has never listed any Visual C++ in my Patched Programs listing...
So, I'm either "secure" now without Visual C++ update as you offer or I need to install Visual C++ update / scan or IDK

Cheers
bjm-
Maurice Joyce RE: Microsoft Visual C++ Redistributal Package
Handling Contributor 2nd Aug, 2010 19:52
Score: 11736
Posts: 8,995
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Good idea + the Microsoft update is available now to fix the other problem U mention.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
bjm__ RE: Microsoft Visual C++ Redistributal Package
Member 2nd Aug, 2010 20:22
Score: 64
Posts: 374
User Since: 9th Mar 2009
System Score: 100%
Location: US
Last edited on 2nd Aug, 2010 20:33
Hello Maurice
M$ out of band installed ;-)
Microsoft Visual C++ update installed ;-))
Patched Programs
Microsoft Visual C++ 2008 Redistributable Package 9.0.30729.4148
http://a.imagehost.org/view/0631/Visual_C_5_entrie...
(had four - now have 5)
Q: Should I retain all 5 (five) Microsoft Visual C++
Should I retain Microsoft Visual C++ 2005

bjm-

Interesting > the Date Modified did not change:msdia90 is still 7/12/2009
Open Folder > Installation Path:C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll
Version Detected:9.0.30729.4148
Maurice Joyce RE: Microsoft Visual C++ Redistributal Package
Handling Contributor 2nd Aug, 2010 20:53
Score: 11736
Posts: 8,995
User Since: 4th Jan 2009
System Score: N/A
Location: UK
I would - they are doing no harm - I have also got 2005 because I need it for legacy issues.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
bjm__ RE: Microsoft Visual C++ Redistributal Package
Member 2nd Aug, 2010 21:23
Score: 64
Posts: 374
User Since: 9th Mar 2009
System Score: 100%
Location: US
Last edited on 2nd Aug, 2010 21:27
Maurice
as to unchanged Date Modified
Interesting > the Date Modified did not change:msdia90 is still 7/12/2009
Open Folder > Installation Path:C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll
Version Detected:9.0.30729.4148

Comment as to why Date Modified did not change ?....even if Update is from 09, shouldn't this update install have been reflected by Date Modified or since ver didn't change this added install was not a Date Modified type of event ?

?
bjm-

P.S. > Thanks for helping me with clearing away some of my mush ;-D
Maurice Joyce RE: Microsoft Visual C++ Redistributal Package
Handling Contributor 2nd Aug, 2010 22:17
Score: 11736
Posts: 8,995
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Last edited on 2nd Aug, 2010 22:20
Your file & date match mine which of course is the date of issue by MS.

This is a new rule created by Secunia therefore I would expect it to be something like that.

I updated on the 22/12/2009 so I was aware the MS issue was on or before that date.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
bjm__ RE: Microsoft Visual C++ Redistributal Package
Member 2nd Aug, 2010 23:43
Score: 64
Posts: 374
User Since: 9th Mar 2009
System Score: 100%
Location: US
Very Interesting...
As you can see from my image >
http://a.imagehost.org/view/0631/Visual_C_5_entrie...
I had a Visual C++ 2008 ALT Update 10/05/09 9.0.30729.4148
So, thanks to Secunia > M.Hansen ~ Quote:
We updated our detection rules for "Microsoft Visual C++ 2008 Redistributable Package" yesterday, since we discovered that it wasn't detected properly.
Now, I have the rest of the story. So to speak...
Have no idea what Visual C++ does for me...but, if PSI is Happy - I'm Happy !

Thanks Secunia
Cheers
bjm-

jesbion RE: Microsoft Visual C++ Redistributal Package
Member 2nd Aug, 2010 23:54
Score: -5
Posts: 22
User Since: 14th May 2010
System Score: N/A
Location: US
Thanks, Peterson! I had the same question, and didn't know which version to download. (there are no explanations as to which versions to apply) Thanks again! Now, if everything goes kosher, I won't need any more answers!
paranoiddelusions RE: Microsoft Visual C++ Redistributal Package
Member 6th Aug, 2010 19:14
Score: 2
Posts: 14
User Since: 4th Apr 2010
System Score: N/A
Location: N/A
Hi, Emil, I just recv'd the same alert as the initial poster*
Unfortunately, your upbeat reply to him left me twisting in the wind -
"After applying the update, rescan to see if it kicked in." kinda didn't account for what to do if the install doesn't "kick in."

I went to the dreaded (MSFT) "solution" page (aka, byzantine rabbit warren)
http://www.microsoft.com/downloads/details.aspx?fa...
downloaded what should have been the appropriate option for VistaOS 64-bit:
vcredist_x64.exe
clicked install, watched it apparently install
Secunia still reports the insecurity exists after a second scan.

I checked the path -
"C:\Program Files (x86)\Common Files\microsoft shared\VC"
and noticed two DLLs
msdia80.dll AND msdia90.dll
and was similarly confused that there was no change to date modified, date created or date last saved.

I am additionally confused in that this security issue is dated 7/28/2009 yet Secunia is only now alerting us. My Belarc System Management scan shows no red flags in the KB section, doesn't even list KB973552 (which I presume it would do if it were something my system needs)
FWIW, I've allowed every bloody one of MSFT's neverending series of security patches/upgrades/plugs/revisions/versions to install since this PC was put into service.

Can you advise what the next step should be (other than buying a MAC) since Secunia is essentially telling me the patch didn't "kick in"? Many thanks.

==============

* This installation of Microsoft Visual C++ 2008 Redistributable Package is insecure and potentially exposes your system to security threats!
Secunia strongly recommends that you update this program by installing the update that is provided by the vendor of this program.
Installation Path
C:\Program Files (x86)\Common Files\microsoft shared\VC\msdia90.dll
==============
Anthony Wells RE: Microsoft Visual C++ Redistributal Package
Expert Contributor 6th Aug, 2010 19:34
Score: 2437
Posts: 3,332
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

@paranoiddelusions ,

Secunia do not work on the PSI at weekends , so Emil is not back until Monday .

This parallel thread contains a huge amount of juicy technical detail , especially from @ddmarshall ; may be of some help to your quest :-

http://secunia.com/community/forum/thread/show/489...

Sorry I cannot contribute .

Take care

Antony

--


It always seems impossible until it's done.
Nelson Mandela
paranoiddelusions RE: Microsoft Visual C++ Redistributal Package
Member 8th Aug, 2010 14:16
Score: 2
Posts: 14
User Since: 4th Apr 2010
System Score: N/A
Location: N/A
@Antony

Thanks for the pointer to the other thread, Antony. From that thread, it seems Secunia's generating a possible false positive due to MSFT's own jumble of versions, dll's and detritus left by their typical lack of clarity on what, how and whether to remove, replace, repair or uninstall software we may or may not even use.

With 3 major programs showing unresolved insecurity issues (Adobe Flash, Apple Quicktime and the infamously sieve-like IE8) and with the cretins at Adobe pandering to advertisers instead of creating a simplified settings manager that gives USERS ultimate power to block crap, I feel like a sitting duck most of the time. I don't personally do C++, and have no idea whether anything else on my system relies on that redistributable, so despite the temptation to just delete the #&*@$% dll's, I'll bide my time.


This user no longer exists RE: Microsoft Visual C++ Redistributal Package
Member 9th Aug, 2010 08:57
Hi,

When patches don't "Kick in" concerning Microsoft products, it's always best to reboot. Some patches are designed to only "kick in" after a successful reboot.
Could you please try rebooting and rescanning? If you are still shown as insecure at this point, try reapplying the patch and repeating.

hope this helps.
paranoiddelusions RE: Microsoft Visual C++ Redistributal Package
Member 9th Aug, 2010 23:48
Score: 2
Posts: 14
User Since: 4th Apr 2010
System Score: N/A
Location: N/A
@Emil
As luck would have it, I am familiar with the process of rebooting after a msft download/install to help "kick in" the suckers. However, several reboots and a swift kick to the tower's nether regions later (as well as another download/install attempt... using a fresh download as the original might have been corrupted by a stray alpha particle) still leaves me with the same two aged .dlls and the same insecure warning status on Secunia's Inspector window.
This user no longer exists RE: Microsoft Visual C++ Redistributal Package
Member 10th Aug, 2010 09:21
Hi paranoiddelusions,

Have you tried installing the patch I linked to earlier in this thread? If you experience file corruption when fetching this download, I suggest you clear your temporary internet files, or alternatively try a download manager or another browser.

hope this helps.

