'[FD] Defense in depth -- the Microsoft way (part 86): shipping rotten software to billions of unsusp'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] Defense in depth -- the Microsoft way (part 86): shipping rotten software to billions of unsusp
From:       "Stefan Kanthak" <stefan.kanthak () nexgo ! de>
Date:       2023-10-11 22:58:16
Message-ID: 3844C59D3F7C4D93AED62EC55BCDB024 () H270
[Download RAW message or body]

Hi @ll,

the 7 cURL versions after 8.0.1, released March 20, 2023,
<https://curl.se/docs/releases.html>, fix the following 3
vulnerabilities <https://curl.se/docs/vulnerabilities.html>:
CVE-2023-38039 <https://curl.se/docs/CVE-2023-38039.html>
CVE-2023-38545 <https://curl.se/docs/CVE-2023-38545.html>
CVE-2023-38546 <https://curl.se/docs/CVE-2023-38546.html>

Once again (really: for several months), in their VERY finite wisdom
(really: almost INFINITE sloppy- and lazyness), Microsoft but dares to
ship rotten and vulnerable software (i.e. cURL.exe 8.0.1) to billions
of unsuspecting customers, i.e. they fail MISERABLY in following their
own mantra "Keep your (build) systems patched".

The MSKB article <https://support.microsoft.com/en-us/kb/5031354>
titled "October 10, 2023-KB5031354 (OS Build 22621.2428)" provides
the following "file information" for Windows 11 22H2
<https://download.microsoft.com/download/5/4/4/544a5341-96a2-491f-9563-bf260206564f/5031354.csv>:

| "curl.exe","8.0.1.0","01-Oct-2023","02:06","559,616"
...
| "curl.exe","8.0.1.0","01-Oct-2023","02:06","445,952"
...
| "curl.exe","8.0.1.0","01-Oct-2023","02:06","498,688"
...
| "curl.exe","8.0.1.0","01-Oct-2023","02:24","566,272"
...
| "curl.exe","8.0.1.0","01-Oct-2023","02:24","498,688"

The MSKB article <https://support.microsoft.com/en-us/kb/5031356>
titled "October 10, 2023-KB5031356 (OS Builds 19044.3570 and 19045.3570)"
provides the following "file information" for Windows 10 22H2
<https://download.microsoft.com/download/e/9/9/e994fe4f-a5fe-49ae-ac4d-ce139efd147d/5031356.csv>:

| "curl.exe","8.0.1.0","30-Sep-2023","21:45","559,616"
...
| "curl.exe","8.0.1.0","30-Sep-2023","21:45","445,952"
...
| "curl.exe","8.0.1.0","30-Sep-2023","21:45","498,688"
...
| "curl.exe","8.0.1.0","30-Sep-2023","23:39","566,272"
...
| "curl.exe","8.0.1.0","30-Sep-2023","23:39","498,688"
...
| "curl.exe","8.0.1.0","30-Sep-2023","21:21","498,688"

The MSKB article <https://support.microsoft.com/en-us/kb/5031358>
titled "October 10, 2023-KB5031358 (OS Build 22000.2538)" provides
the following "file information" for Windows 11 21H2
<https://download.microsoft.com/download/0/1/7/01776958-e4d8-4015-82c9-72539ce3cbcc/5031358.csv>:

| "curl.exe","8.0.1.0","30-Sep-2023","20:15","559,616"
...
| "curl.exe","8.0.1.0","30-Sep-2023","20:15","445,952"
...
| "curl.exe","8.0.1.0","30-Sep-2023","20:15","498,688"
...
| "curl.exe","8.0.1.0","30-Sep-2023","22:23","566,272"
...
| "curl.exe","8.0.1.0","30-Sep-2023","22:23","498,688"

The MSKB article <https://support.microsoft.com/en-us/kb/5031361>
titled "October 10, 2023-KB5031361 (OS Build 17763.4974)" provides the
following "file information" for Windows 10 1809, Windows Server 1809,
and Windows Server 2019
<https://download.microsoft.com/download/2/8/9/289b2614-512f-4284-a36d-b1e7fee365bd/5031361.csv>:

| "curl.exe","8.0.1.0","29-Mar-2023","21:55","559,616"
...
| "curl.exe","8.0.1.0","29-Mar-2023","22:28","445,952"
...
| "curl.exe","8.0.1.0","29-Mar-2023","22:13","498,688"
...
| "curl.exe","8.0.1.0","29-Mar-2023","22:36","566,272"
...
| "curl.exe","8.0.1.0","29-Mar-2023","22:13","498,688"
...
| "curl.exe","8.0.1.0","30-Mar-2023","05:13","498,688"

stay tuned, and far away from rotten software oozing out of Redmond
Stefan Kanthak
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread] 