Forum Thread: Insecurity in Microsoft Visual studio... even after patching

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
ruirib_m750 Insecurity in Microsoft Visual studio... even after patching
Member 18th Aug, 2009 02:16
Ranking: 0
Posts: 10
User Since: 15th Feb, 2009
System Score: N/A
Location: PT
Hi,

Running PSI v.1.5.00 on a Windows XP SP3 computer. All Windows Updates are installed (checked this several times).
Today PSI informed me that Microsoft Visual Studio 2005, version 8.0.50727.762 is insecure and the file indicated in the warning is devenv.exe. As I said, all Windows updates were installed and even so, I downloaded the patch recommended by Secunia PSI. However, even after downloading and installing the patch, PSI still insists Visual Studio 2005 is insecure.
Something is definitely wrong here. Is it PSI or is MS to blame here?

Thanks

btyler2087340 RE: Insecurity in Microsoft Visual studio... even after patching
Member 18th Aug, 2009 15:00
Score: 0
Posts: 1
User Since: 18th Aug 2009
System Score: N/A
Location: N/A
Last edited on 18th Aug, 2009 15:01
I believe that PSI is at fault.

The referenced download link (http://www.microsoft.com/downloads/details.aspx?Fa...) refers to the "Visual Studio 2005 Service Pack 1 ATL Security Update". However, KB971090 (for MS09-035) does not list devenv.exe as an updated component of MS09-035.

I believe that 8.0.50727.762 is the correct version for devenv.exe and that this is a false positive.
ruirib_m750 RE: Insecurity in Microsoft Visual studio... even after patching
Member 18th Aug, 2009 15:15
Score: 0
Posts: 10
User Since: 15th Feb 2009
System Score: N/A
Location: PT
That was what I thought, so I was expecting some confirmation by Secunia.

Thanks for your reply.
swstein RE: Insecurity in Microsoft Visual studio... even after patching
Member 18th Aug, 2009 16:51
Score: 0
Posts: 2
User Since: 3rd Jul 2009
System Score: N/A
Location: N/A
Same problem here as well.

Secunia reports Visual Studio as insecure in devenv.exe.

Visual Studio is all patched up.
cvalde RE: Insecurity in Microsoft Visual studio... even after patching
Member 19th Aug, 2009 07:46
Score: 11
Posts: 22
User Since: 30th Jul 2009
System Score: N/A
Location: CL
I think it's a bug in PSI.
Microsoft Baseline Security Analyzer 2.1 says that everything is patched in my XP SP3 (and I have Visual Studio 2005 and 2008 installed). I applied (as always) the patches manually so I'm sure all the things MS offered are installed.
The Windows Update site doesn't show any security update pending either.
Also, even two days after the last MS bulletin was published, PSI wasn't detecting Visual Studio as problematic or patched, so I think the check was introduced after the other security bulletins had been analyzed.

PSI is offering "Visual Studio 2005 Service Pack 1 ATL Security Update" that's exactly the patch file I have and that I applied successfully. AFAIK, the main executable devenv.exe wasn't touched by the patch, so its version is not valid to decide whether VS 2005 is secure or not.
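Added example, not part of any post in this thread and not Secunia's code: a minimal model of version-based detection showing why a rule keyed on a file the update does not replace keeps flagging a patched system. `devenv.exe` and 8.0.50727.762 come from the thread; `patched_component.dll`, the rule thresholds and all other versions are hypothetical placeholders.

```python
def parse_version(text):
    """Turn '8.0.50727.762' into (8, 0, 50727, 762) so fields compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_flagged(rule, inventory):
    """Return True when the rule reports the product as insecure.

    A rule names one file and the lowest version treated as fixed.
    A file absent from the inventory is not flagged (nothing to match).
    """
    installed = inventory.get(rule["file"])
    if installed is None:
        return False
    return parse_version(installed) < parse_version(rule["fixed_in"])


# Constructed file inventories (file name -> file version).
# The update leaves devenv.exe alone, as the posters report, and only
# replaces the hypothetical patched_component.dll.
BEFORE_PATCH = {
    "devenv.exe": "8.0.50727.762",
    "patched_component.dll": "8.0.50727.100",
}
AFTER_PATCH = {
    "devenv.exe": "8.0.50727.762",
    "patched_component.dll": "8.0.50727.200",
}

# Rule keyed on the main executable; its threshold is a constructed value
# above the version the thread reports, so the file can never satisfy it.
RULE_MAIN_EXE = {"file": "devenv.exe", "fixed_in": "8.0.50727.763"}
# Rule keyed on a file the update actually replaces.
RULE_PATCHED_FILE = {"file": "patched_component.dll", "fixed_in": "8.0.50727.200"}


def compare_rules():
    """Evaluate both rules before and after patching: (flag_before, flag_after)."""
    rules = {"main_exe": RULE_MAIN_EXE, "patched_file": RULE_PATCHED_FILE}
    return {
        name: (is_flagged(rule, BEFORE_PATCH), is_flagged(rule, AFTER_PATCH))
        for name, rule in rules.items()
    }


if __name__ == "__main__":
    for name, (before, after) in compare_rules().items():
        print(f"{name}: flagged before patch={before}, after patch={after}")
```

The rule keyed on the main executable flags the system both before and after patching, which is the false positive described in the thread; the rule keyed on the replaced file clears once the update is installed.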
Slamgeden RE: Insecurity in Microsoft Visual studio... even after patching
Member 20th Aug, 2009 13:01
Score: 0
Posts: 181
User Since: 17th Jul 2009
System Score: N/A
Location: N/A
Works here.
Maybe they fixed it?

--
Assorted Fnords.
ruirib_m750 RE: Insecurity in Microsoft Visual studio... even after patching
Member 20th Aug, 2009 14:15
Score: 0
Posts: 10
User Since: 15th Feb 2009
System Score: N/A
Location: PT
Last edited on 20th Aug, 2009 14:15
Seems it has been fixed, indeed. A new scan resulted in no insecure programs being found.

Great :).
ruirib_m750 RE: Insecurity in Microsoft Visual studio... even after patching
Member 3rd Sep, 2009 18:35
Score: 0
Posts: 10
User Since: 15th Feb 2009
System Score: N/A
Location: PT
It has happened again. Same problem, same patch recommended to be downloaded, nothing on Windows Update to fix it.

Hard to understand the same mistake done twice!
Slamgeden RE: Insecurity in Microsoft Visual studio... even after patching
Member 4th Sep, 2009 09:54
Score: 0
Posts: 181
User Since: 17th Jul 2009
System Score: N/A
Location: N/A
This time it seems to be just you though - have you tried rebooting and rescanning?

--
Assorted Fnords.
ruirib_m750 RE: Insecurity in Microsoft Visual studio... even after patching
Member 4th Sep, 2009 11:15
Score: 0
Posts: 10
User Since: 15th Feb 2009
System Score: N/A
Location: PT
Actually no, have a look:

http://secunia.com/community/forum/thread/show/267...

Also, it happens with two different PCs. To be correct, it points out the Visual C++ redistributable package and the Microsoft XML Core Services and not exactly Visual Studio.
Again, solution suggested has been implemented and there are no Microsoft Patches that I haven't yet applied.
ruirib_m750 RE: Insecurity in Microsoft Visual studio... even after patching
Member 5th Sep, 2009 13:01
Score: 0
Posts: 10
User Since: 15th Feb 2009
System Score: N/A
Location: PT
Seems to have been fixed.

Must say these insecure programs, that then are not and then are again, this doesn't really give a positive image of PSI, which is a real shame, as it's a great, useful, app.

Hope it doesn't happen again.