
Forum Thread: Microsoft Visual C++ 2005 Redistributable Package (x86)

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
RichardPrice Microsoft Visual C++ 2005 Redistributable Package (x86)
Member 11th Mar, 2011 15:14
Ranking: 1
Posts: 13
User Since: 27th Nov, 2008
System Score: N/A
Location: N/A
I have the same report from PSI as other posters here ("The version detected of Microsoft Visual C++ 2005 Redistributable Package (x86) was 8.0.50727.762 while the latest version including one or more security fixes is 8.0.50727.4053"), while Programs and Features shows update KB973923 (version 8.0.50727.4053) as already installed. The advice in several previous threads has been to navigate to C:\Program Files (x86)\Common Files\microsoft shared\VC where msdia80.dll and msdia90.dll should be found, and to rename the former. However, that location _only_ contains msdia80.dll, and I've searched my whole C: drive without finding msdia90.dll. Under these circumstances is renaming msdia80.dll still the right thing to do, or will that break something?

Richard

Windows 7 Home Premium 64-bit (not SP1)
IE8
Dell Intel Q6600
4GB RAM

ddmarshall RE: Microsoft Visual C++ 2005 Redistributable Package (x86)
Dedicated Contributor 11th Mar, 2011 15:37
Score: 1198
Posts: 953
User Since: 8th Nov 2008
System Score: 98%
Location: UK
KB973923 does not include a replacement for msdia80.dll but PSI is only happy if the entire redistributable is replaced. However, your system is not vulnerable.

Have you tried installing the x86 version from here: http://www.microsoft.com/downloads/en/details.aspx... ?

It is unlikely that renaming msdia80.dll will cause any problems. It is only used for diagnostics. msdia90.dll is from Visual C++ 2008.

--
This answer is provided “as-is.” You bear the risk of using it.
Snakefangs70 RE: Microsoft Visual C++ 2005 Redistributable Package (x86)
Member 11th Mar, 2011 17:22
Score: 1
Posts: 1
User Since: 17th Jan 2011
System Score: N/A
Location: N/A
Microsoft Visual C++ 2005 Redistributable Package (x86) is being reported as being insecure for me as well. Secunia is also reporting that I don't have Windows 7 security patch KB2479943 installed when it is installed. Go figure.
RichardPrice RE: Microsoft Visual C++ 2005 Redistributable Package (x86)
Member 11th Mar, 2011 18:08
Score: 1
Posts: 13
User Since: 27th Nov 2008
System Score: N/A
Location: N/A
on 11th Mar, 2011 15:37, ddmarshall wrote:
Have you tried installing the x86 version from here: http://www.microsoft.com/downloads/en/details.aspx... ?


I uninstalled the original version 8.0.50727.762, and this deleted the folder C:\Program Files (x86)\Common Files\microsoft shared\VC, so that would presumably have been enough to keep PSI happy. For good measure I then uninstalled the KB973923 version (8.0.50727.4053) then reinstalled from your link, choosing the x64 option since I have 64-bit Windows 7. That recreated C:\Program Files (x86)\Common Files\microsoft shared\VC (I wasn't expecting it to use the (x86) folder, but never mind) containing msdia80.dll, but PSI was OK with that on a re-scan, so job done I guess - thank you.

Richard
RxDdude RE: Microsoft Visual C++ 2005 Redistributable Package (x86)
Member 12th Mar, 2011 20:27
Score: 4
Posts: 33
User Since: 20th Aug 2009
System Score: N/A
Location: US
Last edited on 12th Mar, 2011 20:27
Also, this your humble correspondent has been suffering through the VC++ 2005 problem in my XP system, with additional twist that the M$ security patch KB973923 refused to install for several months. Apparently, it went through on my last try several days ago; for, now, the KB item* appears in the Add or Remove Programs (A/RP) list as a separate line item just above the VC++ 2005 Redist Package. A/RP reports also in support info, that the R. PKg. is v8.0.56336 now, where for so long, it was showing 8.0.50727.762. No idea why it wouldn't work, nor any idea why, now, it did. But, this is merely prologue.
PSI still faults me on the msdia80.dll.
It does appear to this your humble correspondent that the source of the issue/problem/fault lies in Secunia database, and if no update to the msdia80.dll is needed beyond the v8.0.50727.762, then Secunia PSI ought NOT to declare the user's software to be Insecure on the basis of said DLL!
How does the benighted user contact the brains of Secunia to request a correction?


* The new line item in full, is:
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Size: 0.11 MB

--
R&DDude
========================================
All I really need to know in life, I learned from the
theory of relativity!
--------------------------------------------
“Everything should be completed as soon as possible.
And, not sooner.”
– attributed to Al Einstein
============================================
HP Pavilion a1020n / Win XP Pro SP3 (x86) / AMI BIOS 3.19
Intel P4 519J 3.06 GHz / 2 GB DDR2 PC-4200
140 GB free on System partition
Firefox 3.6.15 / NoScript 2.0.9.9 / M$ IE 8.0 (rarely used)
Comodo IS 2011 v5.3 / M$ Security Essentials v1.99.1103.0
============================================
ddmarshall RE: Microsoft Visual C++ 2005 Redistributable Package (x86)
Dedicated Contributor 12th Mar, 2011 21:36
Score: 1198
Posts: 953
User Since: 8th Nov 2008
System Score: 98%
Location: UK
You can try support@secunia.com but I believe Secunia think their approach is correct.

The problem seems to be that KB973923 only replaces ATL80.dll, which, in my case, disappears into the bowels of WinSxS. It is a misconception that the installation path indicated by PSI is the file with the vulnerability. It is only used to determine the version of the program installed. The vulnerability may be in another component of the program.

--
This answer is provided “as-is.” You bear the risk of using it.
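
The distinction drawn in the post above, between the file PSI reads to infer the installed version and the file KB973923 actually replaces, can be checked on a given machine. The PowerShell below is an added example, not part of the original thread or of Secunia's tooling; it assumes PowerShell 3.0 or later, the "microsoft shared\VC" folder quoted earlier in the thread, and the default WinSxS location under %windir%.

```powershell
# Added example (not from the thread): list the file PSI keys on (msdia80.dll)
# next to the file KB973923 replaces (ATL80.dll, stored under WinSxS).
# Assumed paths: the "microsoft shared\VC" folder quoted in this thread and
# the default WinSxS location under %windir%.
$targets = @(
    @{ Name = 'msdia80.dll'; Root = "${env:ProgramFiles(x86)}\Common Files\microsoft shared\VC" },
    @{ Name = 'msdia80.dll'; Root = "$env:ProgramFiles\Common Files\microsoft shared\VC" },
    @{ Name = 'ATL80.dll';   Root = "$env:windir\WinSxS" }
)

# Version the thread quotes as "including one or more security fixes".
$fixed = [version]'8.0.50727.4053'

$found = foreach ($t in $targets) {
    # On 32-bit Windows the (x86) variable is empty, so that root does not exist.
    if (-not (Test-Path -LiteralPath $t.Root)) { continue }
    Get-ChildItem -LiteralPath $t.Root -Filter $t.Name -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Build the version from its numeric parts; the FileVersion string
            # can carry extra text that [version] would refuse to parse.
            $ver = New-Object System.Version -ArgumentList `
                $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
            [pscustomobject]@{
                File         = $_.Name
                Version      = $ver
                AtLeastFixed = $ver -ge $fixed
                Path         = $_.FullName
            }
        }
}

# De-duplicate (a 32-bit shell maps both Program Files variables to one folder),
# then show the oldest copy of each file first.
$found | Sort-Object Path -Unique | Sort-Object File, Version | Format-Table -AutoSize -Wrap
```

Several ATL80.dll rows are normal, because WinSxS keeps side-by-side copies. A msdia80.dll row at 8.0.50727.762 next to an ATL80.dll row with AtLeastFixed set to True is the situation this thread describes: the update is applied, but the file PSI inspects has not changed.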
RxDdude RE: Microsoft Visual C++ 2005 Redistributable Package (x86)
Member 13th Mar, 2011 06:35
Score: 4
Posts: 33
User Since: 20th Aug 2009
System Score: N/A
Location: US
Last edited on 13th Mar, 2011 06:59
ddmarshall,

Your contributions in this thread have made this user feel considerably enlightened, and I am grateful for your clarity and obvious expertise. I (think I) follow your line of thought in the last message (quoted here), and I think I have one further aspect that I hope you can clarify for me. After digesting this quote:

on 12th Mar, 2011 21:36, ddmarshall wrote:
... The problem seems to be that KB973923 only replaces ATL80.dll, which, in my case, disappears into the bowels of WinSxS. It is a misconception that the installation path indicated by PSI is the file with the vulnerability. It is only used to determine the version of the program installed. The vulnerability may be in another component of the program.


Please, let me propose a syllogism having a three-part premise: Since, as I noted above, (1) my VC++ 2005 Redistributable Package has now been updated so that Windows' Add or Remove Programs (A/RP) utility affirms that Package v 8.0.50727.762 has been replaced with v8.0.56336, and since (2) A/RP shows that the KB973923 has been installed, achieving v8.0.50727.4053 that Secunia affirms is the fully patched version, and since you have advised (3) that msdia80.dll v8.0.50727.762 is unaffected by all patches and can remain installed without causing a vulnerability - if I understood this last correctly when reading an earlier posting in this thread - then may I suggest again that Secunia ought not to rely on this non-vulnerable file's version no. for PSI's decisions on what is/is not patched?

Again, I wish to point to the R. Pkg. itself which is fully patched to v8.0.56336 (A/RP says) - which ought to cover all its components - so, where is there any unpatched vuln?? And if there is an unpatched vuln somewhere other than in msdia80.dll, then Secunia ought to update its database to identify the true culprit. There is cognitive dissonance somewhere.

Just renaming a harmless file because this will "fool" the Secunia algorithm seems like an inelegant solution. Yet, I don't want to bother Secunia if I am "off base," and I will be grateful for your clarifying and resolving this item.

P. S. - I asserted that Package v8.0.56336 is fully patched - on the basis that 56336 looks like a later mini-version number than the vulnerable 50727 - IMHO.
Is there any problem with my assertion? - - R.

ddmarshall RE: Microsoft Visual C++ 2005 Redistributable Package (x86)
Dedicated Contributor 13th Mar, 2011 12:44
Score: 1198
Posts: 953
User Since: 8th Nov 2008
System Score: 98%
Location: UK
I pretty much agree with you. If you have the updates applied, you are secure from the Microsoft angle.

This was a complicated and obscure vulnerability that affected developers more than end users. Although the updates secured Windows, third party developers may have been required to recompile and redistribute their programs if they were using certain programming techniques.

I surmise that the reason Secunia is treating it this way is either the update cannot be detected by PSI's file searching technique or they are catering for clients developing programs who need to have the full redistributable.
This is an extract from Microsoft's security bulletin:
Why do the Microsoft Download Center update KB numbers for Visual C++ Redistributable packages differ from the SMS, SCCM, WSUS and MU update KB numbers?
The full versions of the fixed Visual C++ 2005 and 2008 redistributable packages (KB973544, KB973551, and KB973552) are listed on the Microsoft Download Center only as these are full new versions of the products. The updates listed on SMS, SCCM, WSUS, and MU (KB973923, KB9739234) are updates only for customers who have previously installed vulnerable versions of the Visual C++ redistributable packages. These updates are not the versions on the download center. Microsoft does not recommend customers redistribute any version other than the full versions that can be downloaded from the Microsoft Download Center (KB973544, KB973551, and KB973552).


The version I downloaded last week from http://www.microsoft.com/downloads/en/details.aspx... is listed as 8.0.59193 in Vista Programs and Features. That is Service Pack 1; yours may be the version without the Service Pack.



--
This answer is provided “as-is.” You bear the risk of using it.
claykin RE: Microsoft Visual C++ 2005 Redistributable Package (x86)
Member 17th Mar, 2011 04:31
Score: 1
Posts: 7
User Since: 13th Nov 2010
System Score: N/A
Location: US
Last edited on 17th Mar, 2011 04:33
On my Win 7 x64 PC I chose to first uninstall the Visual C++ 2005 ATL security update then uninstalled Visual C++ 2005.

I followed up with a reinstall of

http://www.microsoft.com/downloads/en/details.aspx...

then installed

http://www.microsoft.com/downloads/en/details.aspx...

Secunia is now happy. Back to 100%. Hope this helps.

It's possible that only the new ATL Security Update is required. This appears to be a full install of Visual C++ 2005 SP1 with the patch. Not sure. Try it and report back.
RxDdude RE: Microsoft Visual C++ 2005 Redistributable Package (x86)
Member 17th Mar, 2011 06:32
Score: 4
Posts: 33
User Since: 20th Aug 2009
System Score: N/A
Location: US
Thank you, dd - I think I will (try to) uninstall and reinstall with the full package. You did a beautiful job of giving me all that new, unexpected, unpredictable information on the multifarious Microsoft patches, you made "the rough places plain" (as the prophet wrote). Rather a messy setup, but, from now on, I will be aware enough to look for similar messy setups in Microsoft® security. I am anticipating trouble - this is one of several Microsoft programs/packages that Windows A/RP has been repeatedly unable to uninstall, but maybe the whatever-it-was has been fixed, now that it ultimately did accept the update. No more questions, for now, at least.


RxDdude RE: Microsoft Visual C++ 2005 Redistributable Package (x86)
Member 17th Mar, 2011 06:44
Score: 4
Posts: 33
User Since: 20th Aug 2009
System Score: N/A
Location: US
Claykin,

It's nice to hear from you, too. I shall follow your lead with my XP Pro x86 SP3 system. I might be better off, more stable perhaps, with the full program update. I yielded to temptation and merely renamed the msdia80.dll, and PSI now ignores it, so I am up to having only two (2) insecure programs until the next flaw in IE8.0 becomes known. It's my Viewers for Excel and Word (Office 2003) now, which rebuff all efforts using A/RP to uninstall and/or to patch. My PowerPoint 2003 Viewer did update to PPt 2007 Viewer last year, but the Excel and Word Viewers are recalcitrant. I hope to close my participation in this VC++ 2005 thread in the next few days, Lord willing. No more questions, will try to let all know if it goes well tomorrow, or, not... Best wishes!

on 17th Mar, 2011 04:31, claykin wrote:
On my Win 7 x64 PC I chose to first uninstall the Visual C++ 2005 ATL security update then uninstalled Visual C++ 2005.

I followed up with a reinstall of

http://www.microsoft.com/downloads/en/details.aspx...

then installed

http://www.microsoft.com/downloads/en/details.aspx...

Secunia is now happy. Back to 100%. Hope this helps.

It's possible that only the new ATL Security Update is required. This appears to be a full install of Visual C++ 2005 SP1 with the patch. Not sure. Try it and report back.


