Forum Thread: MS Visual C++ 2008 Redistributable marked insecure after update

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
Microsoft
And, this specific program:
Microsoft Visual C++ 2008 Redistributable Package

This thread has been marked as locked.
efgerman MS Visual C++ 2008 Redistributable marked insecure after update
Member 27th May, 2011 22:33
Ranking: -4
Posts: 10
User Since: 7th May, 2008
System Score: 100%
Location: BR
Last edited on 27th May, 2011 22:36

Greetings All,

My LibreOffice v3.3.2 (Win x86) makes use of Microsoft Visual C++ 2008 Redistributable Package (v9.0.30729.17) that's installed prior to LibreOffice itself. PSI doesn't complain about any of its files.

Soon after installation, Windows Automatic Updater spots Microsoft Visual C++ 2008 Redistributable v9.0.30729.17 as being insecure and recommends installation of the package below (v9.0.30729.4148), supposedly to correct ATL issues. After the update, PSI reports C++ 2008 libraries as insecure. This is a small nuisance that is difficult to get rid of. :(

<quote>
Size: 706 KB

A security issue has been identified that could allow an attacker to compromise your Windows-based system with Microsoft Visual C++ 2008 Redistributable Package and gain complete control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.

More information for this update can be found at http://go.microsoft.com/fwlink/?LinkID=158264
</quote>

Running:
Operating System: MS Windows XP Professional 32-bit SP3
CPU: Intel Pentium 4
RAM: 1.0GB DDR @ 132MHz (2-3-3-6)
Motherboard: TOSHIBA Portable PC (uFC-PGA Socket)
Graphics: Toshiba Internal 1024x768 Panel (1024x768@60Hz)
Hard Drives: 156GB SAMSUNG SAMSUNG HM160HC (PATA)
Optical Drives: TOSHIBA DVD-ROM SD-R2412
Audio: SoundMAX Integrated Digital Audio

I don't have plans to update until PSI changes its mind, as long as LibreOffice keeps working.

Thanks in advance for your insights.


--
Kind regards,
Euler

ddmarshall RE: MS Visual C++ 2008 Redistributable marked insecure after update
Dedicated Contributor 27th May, 2011 23:00
Score: 1210
Posts: 961
User Since: 8th Nov 2008
System Score: 98%
Location: UK
The latest version of the redistributable can be downloaded from here:
http://www.microsoft.com/downloads/en/details.aspx...

In your case, you need to download and run vcredist_x86.exe.

PSI has had a longstanding problem with Windows Update and the Visual C++ Redistributable. The solution has been to download the complete package from the Download Center.

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+0
-0
efgerman RE: MS Visual C++ 2008 Redistributable marked insecure after update
Member 29th May, 2011 17:30
Score: -4
Posts: 10
User Since: 7th May 2008
System Score: 100%
Location: BR
Been there, done that. Once installed, PSI complains. So, my question still stands: which one (Secunia or Microsoft) holds the truth?

--
Kind regards,
Euler
Was this reply relevant?
+0
-0
ddmarshall RE: MS Visual C++ 2008 Redistributable marked insecure after update
Dedicated Contributor 29th May, 2011 19:54
Score: 1210
Posts: 961
User Since: 8th Nov 2008
System Score: 98%
Location: UK
Last edited on 29th May, 2011 20:30
Really? Then your version number should be 9.0.30729.5570.

Let's see your troubleshoot report.


With regards to the ATL update, they are both right in their way. The update from Windows Update makes the computer it runs on secure. But, if the redistributable is actually being redistributed from that computer, the whole package should be downloaded from the Download Center.

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+0
-0
efgerman RE: MS Visual C++ 2008 Redistributable marked insecure after update
Member 31st May, 2011 23:04
Score: -4
Posts: 10
User Since: 7th May 2008
System Score: 100%
Location: BR
No, you got it wrong. What I said is that AFTER updating (either via Windows Update or vcredist.exe download), PSI reports the computer as insecure. I did it twice on two different computers.

So, again, the question is: which one holds the truth?

--
Kind regards,
Euler
Was this reply relevant?
+0
-1
Maurice Joyce RE: MS Visual C++ 2008 Redistributable marked insecure after update
Handling Contributor 1st Jun, 2011 01:31
Score: 11744
Posts: 9,002
User Since: 4th Jan 2009
System Score: N/A
Location: UK
What @ddmarshall wants is the PSI report.


FINDING A FILE PATH

From the DASHBOARD page click on SCAN RESULTS.

1. This will list all your programmes with a + to the left of each one.
2. Click the + sign next to the item that U want help with.
3. This will reveal the path under DETECTED INSTANCES.
4. Highlight it then copy (CTRL+C) then paste (CTRL+V) that path back to the Forum.
OR THIS METHOD WHICH GIVES A HELPER MORE INFORMATION
4a Below DETECTED INSTANCES you will see You can double click this row for additional information & options>double click it>a box will appear>click TROUBLESHOOT REPORT>Now highlight the information revealed from START to END & copy it (CTRL+C) then post it to the Forum (CTRL+V)

The end result U post to the Forum should look like this:
---START---

Program Name:
Apple iTunes 10.x

Security State:
Insecure

Download Link:
http://appldnld.apple.com/iTunes10/061-9638.201103...

Instances Found:
C:\Program Files\iTunes\iTunes.exe, version: 10.1.2.17

Last System Scan (localtime):
3. Mar 2011, 16:47

Operating System:
Microsoft Windows XP Home Edition, Service Pack 3

---END---
Update 9 09:33 13/03/2011

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+2
-0

efgerman RE: MS Visual C++ 2008 Redistributable marked insecure after update
This reply has been minimised due to a negative Relevancy Score.
Maurice Joyce RE: MS Visual C++ 2008 Redistributable marked insecure after update
Handling Contributor 1st Jun, 2011 18:03
Score: 11744
Posts: 9,002
User Since: 4th Jan 2009
System Score: N/A
Location: UK
U are rude. Did U not bother to READ what is required when creating a thread? Look at the bottom of the create thread & U will see this:


Before creating your thread:
Please make sure to include as many details as possible. The more details, the easier it will be for other users to assist you.

If your thread relates to a problem with patching a program, please be sure to include and verify:
* The path to where the program was detected on your PC
* Description of what you've done to patch the program
* That you have rescanned your PC after applying the patch

Perhaps @ddmarshall will return to help U now U have finished sighing & started reading. I have no intention of chipping in.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+4
-2
ddmarshall RE: MS Visual C++ 2008 Redistributable marked insecure after update
Dedicated Contributor 1st Jun, 2011 21:14
Score: 1210
Posts: 961
User Since: 8th Nov 2008
System Score: 98%
Location: UK
You need KB2467174 MFC Security Update to be secure. This should update msdia90.dll to version 9.0.30729.5570.

PSI may be interpreting version 9.0.30729.1 as part of Visual Studio 2008 Express Edition. Microsoft never issue updates for this so PSI does not attempt to patch it.

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+3
-0
efgerman RE: MS Visual C++ 2008 Redistributable marked insecure after update
Member 2nd Jun, 2011 14:48
Score: -4
Posts: 10
User Since: 7th May 2008
System Score: 100%
Location: BR
on 1st Jun, 2011 21:14, ddmarshall wrote:
You need KB2467174 MFC Security Update to be secure. This should update msdia90.dll to version 9.0.30729.5570.

PSI may be interpreting version 9.0.30729.1 as part of Visual Studio 2008 Express Edition. Microsoft never issue updates for this so PSI does not attempt to patch it.

Hmm, this makes sense as I had VS2008 (parts) installed here. Anyway, what bugs me is that the MS recommended patch (9.0.30729.4148) to the actual (9.0.30729.17) was considered unsafe. I'm pretty sure I installed your recommended full package (v9.0.30729.5570) with the same results (unsafe by PSI), so I'm willing to give it a second chance by uninstalling VCredist 9.0.30729.17 and doing a fresh install of VCredist 9.0.30729.5570 (full package), that is, as soon as I find some spare time. Thanks.

--
Kind regards,
Euler
Was this reply relevant?
+1
-0
sizzel RE: MS Visual C++ 2008 Redistributable marked insecure after update
Member 3rd Jun, 2011 01:47
Score: 0
Posts: 1
User Since: 3rd Jun 2011
System Score: N/A
Location: US
Very helpful post, thanks for taking the time to help us. This has been driving me crazy for months.

Sincerely,
Mark

--
http://www.sizzlewithus.com
http://www.amybrett.com
http://www.originalsmartpop.com
Was this reply relevant?
+0
-0
efgerman RE: MS Visual C++ 2008 Redistributable marked insecure after update
Member 3rd Jun, 2011 04:25
Score: -4
Posts: 10
User Since: 7th May 2008
System Score: 100%
Location: BR
@ddmarshall

Just did a fresh VCredist_x86 install and all looks fine. Windows Update didn't try to offer me a patch and the PSI scan result is a 100% secure system. This is VC's actual state:

---START---

Program Name:
Microsoft Visual C++ 2008 Redistributable Package

Security State:
Patched

Download Link:


Instances Found:
C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll, version: 9.0.30729.5570

Last System Scan (localtime):
2. Jun 2011, 23:12

Operating System:
Microsoft Windows XP Professional, XP

---END---

Strangely, I had parts of other VC libraries from a Lua distribution that didn't uninstall correctly. Firstly I removed all VC libraries from my system and then installed the 9.0.30729.5570 package. I did this before but somehow a leftover jammed the process. Hope it doesn't change after reboot. ;)

Thanks again for help and info.


--
Kind regards,
Euler
Was this reply relevant?
+0
-0
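
A way to check troubleshoot reports like the ones posted in this thread for leftover copies older than the version ddmarshall names (9.0.30729.5570), given as an added example that is not part of the original thread and not Secunia's code. The report text and the `C:\ExampleApp` path are constructed, and treating 9.0.30729.5570 as the floor is an assumption taken from the posts above.

```python
import re

# Assumption: the floor is the msdia90.dll version named in the thread (KB2467174).
FIXED_VERSION = "9.0.30729.5570"
REPORT_RE = re.compile(r"---START---(.*?)---END---", re.S)
INSTANCE_RE = re.compile(r"^(?P<path>.+?), version: (?P<ver>\d+(?:\.\d+)*)\s*$", re.M)

# Constructed report in the PSI troubleshoot layout; C:\ExampleApp is hypothetical.
SAMPLE = r"""
---START---

Program Name:
Microsoft Visual C++ 2008 Redistributable Package

Security State:
Insecure

Instances Found:
C:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll, version: 9.0.30729.5570
C:\ExampleApp\bin\msdia90.dll, version: 9.0.30729.17

---END---
"""


def version_key(text):
    """Map '9.0.30729.17' to (9, 0, 30729, 17) so each field compares as a number."""
    return tuple(int(part) for part in text.split("."))


def parse_reports(text):
    """Return [(program_name, [(path, version), ...])], one entry per report."""
    reports = []
    for body in REPORT_RE.findall(text):
        name = re.search(r"Program Name:\s*\n(.+)", body)
        block = re.search(r"Instances Found:\s*\n(.*?)(?:\n\s*\n|\Z)", body, re.S)
        found = INSTANCE_RE.findall(block.group(1)) if block else []
        reports.append((name.group(1).strip() if name else "", found))
    return reports


def stale_instances(text, fixed=FIXED_VERSION):
    """List every (path, version) whose version is older than the fixed one."""
    floor = version_key(fixed)
    return [(path, ver) for _, found in parse_reports(text)
            for path, ver in found if version_key(ver) < floor]


if __name__ == "__main__":
    for path, ver in stale_instances(SAMPLE):
        print(f"stale: {path} ({ver} < {FIXED_VERSION})")
```

Comparing the fields as integers matters here: as plain strings, a build such as `9.0.30729.17` would sort above `9.0.30729.1000`.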
