Defense in depth -- the Microsoft way (part 87): shipping more rotten software to billions of unsuspecting customers

Full Disclosure mailing list archives


From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Mon, 22 Apr 2024 22:57:15 +0200

Hi @ll,

this post is a continuation of
<https://seclists.org/fulldisclosure/2023/Oct/17> and
<https://seclists.org/fulldisclosure/2021/Oct/17>

With the release of .NET Framework 4.8 in April 2019, Microsoft updated
the following paragraph of the MSDN article "What's new in .NET Framework"
<https://msdn.microsoft.com/en-us/library/ms171868.aspx>

| Starting with .NET Framework 4.5, the clrcompression.dll assembly uses
| Zlib <https://zlib.net/>, a native external library for data compression,
| in order to provide an implementation for the deflate algorithm.
| The .NET Framework 4.8 version of clrcompression.dll is updated to use
| ZLib Version 1.2.11, which includes several key improvements and fixes.

According to the MSKB articles
<https://support.microsoft.com/en-us/kb/4486081>,
<https://support.microsoft.com/en-us/kb/4486105>,
<https://support.microsoft.com/en-us/kb/4486129> and
<https://support.microsoft.com/en-us/kb/4486153>, .NET Framework 4.8 is
available for Windows 8.1, Windows Server 2012, Windows Server 2012 R2,
Windows 10 version 1607 and above, and Windows Server 2016 and above.

According to the zlib change log <https://zlib.net/ChangeLog.txt>,
1.2.11 (January 15, 2017) was the current version then; later versions are
- 1.2.12 (March 27, 2022),
- 1.2.13 (October 13, 2022),
- 1.3    (August 18, 2023),
- 1.3.1  (January 22, 2024).

Stupid^WSilly question: has Microsoft updated the zlib shipped with
.NET Framework 4.8, either through cumulative updates or the release of
.NET Framework 4.8.1 in August 2022 (see MSKB article
https://support.microsoft.com/en-us/kb/5011048)?

MOST OBVIOUS ANSWER: NO, OF COURSE NOT!

.NET Framework 4.8.1 shipped with clrcompression.dll 4.8.9037.0, built
June 24, 2022, 3 months after the release of zlib 1.2.12; Microsoft continued
to ship the SUPERSEDED zlib 1.2.11 until April 9, 2024, i.e. more than
SEVEN years after its release!

Several of the MSKB articles for the April 2024 cumulative updates for
.NET Framework 4.x show the following telltale paragraph:

| .NET Framework Defense in Depth Vulnerability
| This security update addresses an issue where version of the
| OSS zlib library is out of date.

stay tuned, and far away from crap built with ROTTEN components
Stefan Kanthak

PS: to preserve your mental health, don't run the following commands:

DIR /S "%SystemDrive%\clrcompression.dll"
FINDSTR.exe /S "flate.1\.[1-9]\.[1-9]" "%SystemDrive%\clrcompression.dll"

PPS: <https://download.microsoft.com/download/0/4/f/04f98ada-465c-4b46-8014-891619317b52/5036894.csv>

| "curl.exe","8.4.0.0","05-Apr-2024","16:10","588,848"
| "curl.exe","8.4.0.0","05-Apr-2024","16:10","471,600"
| "curl.exe","8.4.0.0","05-Apr-2024","16:10","531,912"
| "curl.exe","8.4.0.0","05-Apr-2024","17:49","601,544"
| "curl.exe","8.4.0.0","05-Apr-2024","17:48","531,912"

    cURL 8.4.0 is more than six months old, and has 5 CVEs, all
    fixed since cURL 8.6.0, released January 31, 2024
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
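The two commands in the PS above locate every clrcompression.dll on the system drive and grep each one for the version string zlib compiles into its inflate/deflate copyright notices. The following script is an added example (not part of Stefan Kanthak's post) that does the same check in a form that can be scripted across a fleet: it pulls the embedded zlib version out of an arbitrary binary and flags it as outdated when it is older than the newest zlib release named in the post (1.3.1). It assumes, as the FINDSTR command does, that zlib's copyright strings survive unstripped in the image; the sample bytes are constructed here for an offline run, and the "1.3.1" baseline is a parameter you would bump as zlib moves on.

```python
"""Find the zlib version embedded in a binary and flag stale copies.

Added example; not code from the Full Disclosure post or from Microsoft.
Assumption: the image still carries zlib's copyright strings, e.g.
" inflate 1.2.11 Copyright 1995-2017 Mark Adler ".
"""
import re
import sys
from pathlib import Path

# zlib embeds "<in|de>flate <version> Copyright ..." in inflate.c/deflate.c.
ZLIB_VERSION_RE = re.compile(rb"(inflate|deflate) (\d+\.\d+(?:\.\d+)?) Copyright")

# Newest zlib release listed in the post (January 22, 2024); bump as needed.
LATEST_ZLIB = "1.3.1"


def parse_version(version):
    """'1.2.11' -> (1, 2, 11); '1.3' -> (1, 3). Tuples compare numerically."""
    return tuple(int(part) for part in version.split("."))


def find_zlib_versions(data):
    """Return the set of zlib version strings found in a byte blob."""
    return {m.group(2).decode("ascii") for m in ZLIB_VERSION_RE.finditer(data)}


def is_outdated(version, latest=LATEST_ZLIB):
    """True when the embedded version is older than the reference release."""
    return parse_version(version) < parse_version(latest)


def scan_file(path):
    """Map each zlib version found in the file to an 'outdated' flag."""
    data = Path(path).read_bytes()
    return {v: is_outdated(v) for v in find_zlib_versions(data)}


def scan_tree(root, name="clrcompression.dll"):
    """Recursively find files called `name` under `root` and scan them."""
    results = {}
    for path in Path(root).rglob(name):
        try:
            results[str(path)] = scan_file(path)
        except OSError:
            continue  # unreadable or locked file; skip, don't abort the sweep
    return results


# Constructed sample: the copyright strings zlib 1.2.11 compiles in,
# surrounded by padding to mimic their placement inside a DLL.
SAMPLE_DLL = (
    b"\x00" * 16
    + b" inflate 1.2.11 Copyright 1995-2017 Mark Adler "
    + b"\x00" * 8
    + b" deflate 1.2.11 Copyright 1995-2017 Jean-loup Gailly and Mark Adler "
    + b"\x00" * 16
)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g.  python zlibcheck.py C:\   (hypothetical file name)
        for path, found in scan_tree(sys.argv[1]).items():
            for version, stale in found.items():
                print(f"{path}: zlib {version} {'OUTDATED' if stale else 'ok'}")
    else:
        for version, stale in {v: is_outdated(v) for v in find_zlib_versions(SAMPLE_DLL)}.items():
            print(f"sample: zlib {version} {'OUTDATED' if stale else 'ok'}")
```

The version is compared as a tuple of integers rather than as a string, so "1.3" correctly sorts below "1.3.1" and "1.2.11" below "1.2.12", which a plain lexical comparison gets wrong. The same regex could be pointed at any other native binary that statically links zlib; the post's FINDSTR pattern is just the special case of this match for 1.x.y versions.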

Source: https://seclists.org/fulldisclosure/2024/Apr/28