Hi @ll,

this is part 2 of "Defense in depth -- the Microsoft way", see

On Windows NT 5.x the current "Microsoft Security Essentials" v4.2
(available from , and offered as optional update KB2804527 via
"Microsoft Update") as well as MANY other Microsoft products [*]
install outdated and vulnerable Microsoft Visual C++ Runtime Libraries
MSVC?80.DLL v8.0.50727.42

| C:\>filever /S %SystemRoot%\msvc?80.dll
| c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd\msvc*
| --a-- W32i DLL ENU 8.0.50727.42 shp 479,232 09-22-2005 msvcm80.dll
| --a-- W32i DLL ENU 8.0.50727.42 shp 548,864 09-22-2005 msvcp80.dll
| --a-- W32i DLL ENU 8.0.50727.42 shp 626,688 09-22-2005 msvcr80.dll

These libraries come as part of the bundled component "Microsoft
Application Error Reporting"; its installer DW20Shared.msi contains
the outdated and vulnerable libraries (which are installed even if a
newer version is already present) in the form of an MSI merge module
which in turn is part of Visual C++/Studio 2005 RTM, whose support
ended 2008-01-08, see

Current and supported versions of Visual C++/Studio 2005 SP1 come with
updated MSI merge modules, see

These libraries (as well as the MSI merge module) have been updated
multiple times since: see

(alias MS09-035)
(alias MS11-025)
(alias MS11-025)

Due to the end-of-life condition of Visual C++/Studio 2005 RTM the
security bulletins MS09-035 and MS11-025 don't list these old versions
any more.

The FAQ section of says:

| In the case where a system has no MFC applications currently installed
| but does have the vulnerable Visual Studio or Visual C++ runtimes
| installed, Microsoft recommends that users install this update as a
| defense-in-depth measure, in case of an attack vector being introduced
| or becoming known at a later time.

Of course the same holds for ATL applications (where MS09-035
recommends

| Developers who have built components and controls using ATL should
| download this update and recompile their components and controls
| following the guidance provided in the following MSDN article.

and refers to ) and CRT applications too.

The outdated and vulnerable libraries are NOT detected by the Windows
Update Agent and thus not replaced with their current version.

The VERY simple fix/mitigation: either uninstall DW20Shared.msi
(run MSIEXEC.EXE /X {95120000-00B9-0409-0000-0000000FF1CE})
or install the current MSVC++ 2005 Runtime Redistributable, see

Timeline:

2012-06-18    vendor informed
2012-06-20    vendor acknowledges receipt
2012-06-20    sent additional info (log files)
2012-08-01    vendor replies: not reproducible on Windows 7
2012-08-02    sent additional info: only Windows XP and Server 2003
              are affected, can be seen in the log files sent before
2012-10-09    sent additional info: (3rd party) products which don't
              ship a current MSVC++ 2005 Runtime are affected too
2012-11-29    vendor replies: not able to find vulnerabilities
2012-11-29    asked vendor what MS09-035 and MS11-025 are good for
              then, and for the purpose of their recommendations and
              FAQ ...
2013-06-03    report published

Stefan Kanthak

[*] DW20Shared.msi is bundled with numerous other Microsoft products
    too, including

    * Windows Defender
    * Forefront Security ...
    * Office 2003 (and every single component of it, Word, Excel,
      PowerPoint, Outlook, Visio, Access, Publisher, OneNote,
      Project, ...)
    * Office 2007 (and every single component of it, Word, Excel,
      PowerPoint, Outlook, Visio, Access, Publisher, OneNote,
      Project, ...)
    * Office 2010 (and every single component of it, Word, Excel,
      PowerPoint, Outlook, Visio, Access, Publisher, OneNote,
      Project, ...)
    * Office Communicator 2005
    * Office Groove 2007
    * Groove Server 2010
    * Sharepoint Services 2.0
    * Sharepoint Services 3.0
    * SharePoint Designer 2007
    * SharePoint Foundation 2010
    * SharePoint Server 2010
    * SQL Server 2005 Native Client
    * SQL Server 2008 Native Client
    * SQL Server 2010 Native Client
    * SQL Server 2012 Native Client
    * SQL Server Compact 3.5
    * .NET Framework 2.0
    * .NET Framework 3.0
    * .NET Framework 3.5 ...

    Other products which don't ship with the MSVC++ 2005 Runtime (like
    the MDI to TIFF converter, see ) use the outdated and vulnerable
    libraries too.
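
An inventory check for the condition reported above, as an added example that is not part of the original post: it parses WinSxS folder names of the form shown in the filever output and reports every side-by-side Visual C++ 2005 assembly that is still at the RTM build 8.0.50727.42, since the Windows Update Agent does not flag it. The function names, the optional `minimum` parameter and all sample folder names except the first are assumptions made for illustration.

```python
import os
import re

# WinSxS folder name layout, as in the filever output quoted in the post:
#   <arch>_<assembly>_<publicKeyToken>_<version>_<culture>_<hash>
SXS_NAME = re.compile(
    r"^[^_]+_(?P<name>microsoft\.vc80\.[a-z]+)_[0-9a-f]{16}_"
    r"(?P<version>\d+(?:\.\d+){3})_[^_]+_[0-9a-f]+$",
    re.IGNORECASE,
)
RTM_VERSION = (8, 0, 50727, 42)  # the Visual C++ 2005 RTM build named in the post

# Constructed sample: the first name is from the post, the others are made up.
SAMPLE = [
    "x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_0de06acd",
    "x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.1000_x-ww_0badf00d",
    "x86_example.other_0123456789abcdef_8.0.50727.42_x-ww_00000000",
]


def parse_version(text):
    """'8.0.50727.42' -> (8, 0, 50727, 42); as strings, '42' would sort after '1000'."""
    return tuple(int(part) for part in text.split("."))


def find_outdated(folder_names, minimum=None):
    """Return (folder, version) for each VC80 assembly at or below the RTM build,
    or below the optional caller-supplied `minimum` (an assumed parameter)."""
    floor = parse_version(minimum) if minimum else None
    hits = []
    for folder in folder_names:
        match = SXS_NAME.match(folder)
        if not match:
            continue  # other assemblies and unrelated folders are ignored
        version = parse_version(match.group("version"))
        if version <= RTM_VERSION or (floor is not None and version < floor):
            hits.append((folder, match.group("version")))
    return hits


if __name__ == "__main__":
    winsxs = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "WinSxS")
    # Scan the live directory when present, otherwise the constructed sample.
    names = os.listdir(winsxs) if os.path.isdir(winsxs) else SAMPLE
    for folder, version in find_outdated(names):
        print(f"outdated VC80 runtime {version}: {folder}")
```

Because the post notes that the old libraries are installed even when a newer version is present, the check reports every matching folder rather than only the highest version found.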