Hi, Microsoft distributes (security critical) updates for Windows components and Microsoft products installed on user systems via "Windows/Microsoft Update" and installs them automatically.
Except in some VERY common cases...

For the incorporation of redistributable components like the MSVCRT, MFC, ATL etc. in MSI installer packages of other (including 3rd party) products Microsoft provides so-called "MSI merge modules" *.MSM with Visual Studio. This is primarily a convenience for the packager/developer and the user/consumer, since both don't have to handle the (typically larger) standalone "redistributable packages" of the included components from their "main" installer package. The files included in these MSI merge modules are installed in the same locations as their standalone "redistributable packages" do.

But... Windows Update Agent doesn't detect vulnerable/outdated files installed via MSI merge modules: some of the meta-data which is written by the standalone "redistributable packages" is not written by the MSI merge modules and lets Windows Update Agent fail to detect them properly.

The result: all Windows installations where

* Microsoft products like Microsoft Security Essentials, Windows Defender, Forefront Security, Microsoft Office <anything>, Microsoft Sharepoint <anything>, Microsoft SQL Server <anything>, .NET Framework 2.0/3.0/3.5, which come with outdated and vulnerable MSI merge modules, are installed,
* 3rd party products like Adobe Reader/Acrobat and numerous others of numerous other developers/companies, which come with outdated and vulnerable MSI merge modules, are installed,
* the current version of the standalone "redistributable packages" of the resp. MSVCRT, MFC, ATL etc. are NOT installed,

are (potentially) VULNERABLE!
stay tuned
Stefan Kanthak

PS: if you want to check your own Windows installations: get FILEVER.EXE from <http://www.microsoft.com/en-us/download/details.aspx?id=15326> (the download link in <http://support.microsoft.com/kb/913111> points to an older version), start a command prompt and run the following commands:

    FILEVER.EXE /S %SystemRoot%\WinSxS\MSVC*.DLL
    FILEVER.EXE /S %SystemRoot%\WinSxS\MFC*.DLL
    FILEVER.EXE /S %SystemRoot%\WinSxS\ATL*.DLL
    FILEVER.EXE /S %SystemRoot%\WinSxS\MSDIA*.DLL
    FILEVER.EXE /S %SystemRoot%\WinSxS\VCOMP*.DLL

    FILEVER.EXE %SystemRoot%\System32\MSVC*.DLL
    FILEVER.EXE %SystemRoot%\System32\MFC*.DLL
    FILEVER.EXE %SystemRoot%\System32\ATL*.DLL
    FILEVER.EXE %SystemRoot%\System32\MSDIA*.DLL
    FILEVER.EXE %SystemRoot%\System32\VCOMP*.DLL

    FILEVER.EXE %SystemRoot%\SysNative\MSVC*.DLL     (x64 only)
    FILEVER.EXE %SystemRoot%\SysNative\MFC*.DLL      ...
    FILEVER.EXE %SystemRoot%\SysNative\ATL*.DLL      ...
    FILEVER.EXE %SystemRoot%\SysNative\MSDIA*.DLL    ...
    FILEVER.EXE %SystemRoot%\SysNative\VCOMP*.DLL    ...

If the output shows DLLs with version numbers less than listed in

<http://support.microsoft.com/kb/2565063>
<http://support.microsoft.com/kb/2467173>
<http://support.microsoft.com/kb/2538243>
<http://support.microsoft.com/kb/2538242>
<http://support.microsoft.com/kb/2465373>

you should fetch the resp. "redistributable packages" and install them (as stated in the FAQ section of <http://technet.microsoft.com/security/bulletin/ms11-025>).

Don't forget to file bug reports against any product that installed the outdated DLLs.

PPS: if you find any of these DLLs in %ProgramFiles%, %ProgramFiles(x86)% or other locations: remove them! Then ask the developers/vendors who installed them there to take a REALLY THOROUGH look at <http://support.microsoft.com/kb/835322>! And don't forget to file bug reports against any product that installed OUTDATED DLLs there!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
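The check from the PS and PPS above, as an added PowerShell example that is not part of Stefan Kanthak's post: it walks the same DLL families in the same locations, reads each file's numeric version and compares it with a per-runtime floor, then lists stray copies under Program Files. The floor values, the keying by major file version and the function names are my assumptions; the real minimum versions come from the KB articles the post cites.

```powershell
# Added example, not code from the original post: the FILEVER.EXE checks
# redone in PowerShell. $Floor is keyed by the DLL's major file version
# (8 = VS2005, 9 = VS2008, 10 = VS2010 runtimes); its values are PLACEHOLDERS
# to be filled in from the KB articles cited in the post.
$Floor = @{
    8  = [version]'8.0.0.0'     # placeholder
    9  = [version]'9.0.0.0'     # placeholder
    10 = [version]'10.0.0.0'    # placeholder
}
$Patterns = 'MSVC*.dll', 'MFC*.dll', 'ATL*.dll', 'MSDIA*.dll', 'VCOMP*.dll'
# Locations from the post. SysNative is only visible to a 32-bit process on
# x64 Windows; a 64-bit shell already sees the real System32 directly.
$Roots = @(
    @{ Path = "$env:SystemRoot\WinSxS";    Recurse = $true  }
    @{ Path = "$env:SystemRoot\System32";  Recurse = $false }
    @{ Path = "$env:SystemRoot\SysNative"; Recurse = $false }
)
# Per the PPS: runtime copies under Program Files do not belong there at all.
$StrayRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Get-FileVersion([System.IO.FileInfo]$File) {
    $vi = $File.VersionInfo   # use the four numeric parts, not the free-text FileVersion string
    [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
}
function Get-VcRuntimeDll {
    foreach ($r in $Roots) {
        if (-not (Test-Path $r.Path)) { continue }
        Get-ChildItem -Path (Join-Path $r.Path '*') -Include $Patterns -File -Recurse:$r.Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ver = Get-FileVersion $_
            $min = $Floor[$ver.Major]
            [pscustomobject]@{
                Path    = $_.FullName
                Version = $ver
                Status  = $(if (-not $min) { 'no floor set' }
                            elseif ($ver -lt $min) { 'BELOW FLOOR: update' } else { 'ok' })
            }
        }
    }
}
function Get-StrayVcRuntimeDll {
    foreach ($d in $StrayRoots) {
        Get-ChildItem -Path (Join-Path $d '*') -Include $Patterns -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Path = $_.FullName; Version = (Get-FileVersion $_) } }
    }
}
Get-VcRuntimeDll      | Sort-Object Status, Path | Format-Table -AutoSize
Get-StrayVcRuntimeDll | Format-Table -AutoSize
```

WinSxS keeps every installed side-by-side version, so expect several hits per runtime family; the post's remedy is to install the current redistributable package and report the old copies to whatever product installed them.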