Addressing Visual Studio 2008 Runtime Vulnerability in ScrewDrivers Software

Owned by Andrew Parlette
Last updated: Apr 15, 2024
2 min read

Overview

This article addresses a critical vulnerability identified in the Visual Studio 2008 runtimes and its implications for various versions of the ScrewDrivers software. Due to the potential security risks, it's crucial for administrators to assess their systems and take appropriate actions to mitigate any threats.

Affected Versions of ScrewDrivers

ScrewDrivers software versions up to 7.3.1 included the Visual Studio 2008 runtimes as part of their installation package. Starting from version 7.3.1, ScrewDrivers software dropped the requirement for the Visual Studio 2008 runtimes (VC9), and from version 7.3.1 onwards, the runtime package was completely removed from the installation. This runtime was previously required for support of the legacy v6 console.

Implications

Systems with ScrewDrivers version 7.3.0 and earlier may still have the Visual Studio 2008 runtimes installed. While these runtimes are not required for the functioning of ScrewDrivers from version 7.3.1 onwards, they may remain on systems that previously installed older versions of the software. Due to the nature of shared runtime files, Tricerat does not directly remove installed third-party prerequisites.

Security Risks

Please review the main article regarding MS09-035 here: https://support.microsoft.com/en-us/topic/ms09-035-vulnerabilities-in-visual-studio-active-template-libraries-could-allow-remote-code-execution-d2564af0-4f2a-aae9-8932-0efb959871c8

The Visual Studio 2008 runtimes have been identified to contain vulnerabilities that could potentially allow remote code execution if exploited. It is crucial for administrators to ensure that these outdated components do not pose a security risk to their systems.

Recommended Actions

  1. Assess System Requirements: Before removing the Visual Studio 2008 runtimes, verify whether any other software on the system relies on these files. Removing the runtimes could potentially impact the functionality of other applications.

  2. Update to the Latest Version of ScrewDrivers: Ensure that all instances of ScrewDrivers software are updated to version 7.3.1 or higher. These versions do not use or install the Visual Studio 2008 runtimes.

  3. Install MFC Security Update: If the Visual Studio 2008 runtimes are required for other applications, it is advised to install the latest "MFC Security Update" available at Microsoft Download Center.

  4. Review the Security Bulletin: For more detailed information regarding the vulnerabilities and their impacts, review the complete security bulletin provided by Microsoft at MS09-035.

Conclusion

Administrators should take immediate steps to review their systems for the presence of the Visual Studio 2008 runtimes, assess the necessity of these components, and apply appropriate updates or security patches as needed. Regularly updating software and following security advisories are essential practices to mitigate potential vulnerabilities.