OpenSSL was not installed separately from the Microsoft Windows 10 OS. Will Microsoft be incorporating an update to OpenSSL in September 2023's Cumulative Update? Patching separately is not the right answer.

Horstman, Tracy [US-US] 20 Reputation points
2023-08-14T13:54:10.65+00:00

The issue is that OpenSSL is part of the OS, and patches for it are expected to be provided by the OS provider, Microsoft. My question is to address expectations that Microsoft will provide the update to OpenSSL as well as curl. The August 2023 update did not include these updates.


Accepted answer
  1. MotoX80 36,401 Reputation points
    2023-08-16T15:59:18.6533333+00:00

    OpenSSL is part of the OS

    How did you determine that OpenSSL is part of Windows?

    Open a PowerShell prompt with "run as administrator" and paste in these commands.

    (Get-ChildItem -Path c:\ -Filter libssl* -recurse -force -file -ea SilentlyContinue).fullname
    (Get-ChildItem -Path c:\ -Filter openssl* -recurse -force -directory -ea SilentlyContinue).fullname
    

    On my Win10 VM, I found the .dll in a VMware Tools folder and in what appears to be a OneDrive setup folder.

    PS C:\> (Get-ChildItem -Path c:\ -Filter libssl* -recurse -force -file -ea SilentlyContinue).fullname
    C:\Program Files\VMware\VMware Tools\VMware VGAuth\libssl-3-x64.dll
    C:\Users\TestUser\AppData\Local\Microsoft\OneDrive\23.137.0702.0001\libssl-1_1-x64.dll
    PS C:\> (Get-ChildItem -Path c:\ -Filter openssl* -recurse -force -directory -ea SilentlyContinue).fullname
    PS C:\>
    PS C:\>
    

    On my Win11 laptop, I found multiple instances. It appears that OpenSSL comes bundled (a run time version?) with other software products.

    The only reference to Windows\System32 has iclsclient in the name. An internet search says that that is related to the Intel Trusted Connect Service Client.

    I would expect these DLLs to get updated as part of an update to the individual software products, like VMware Player, not via Windows itself.

    PS C:\> (Get-ChildItem -Path c:\ -Filter libssl* -recurse -force -file -ea SilentlyContinue).fullname
    C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libssl-1_1-x64.dll
    C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\libssl-1_1-x64.dll
    C:\Program Files\Microsoft OneDrive\23.153.0724.0003\libssl-1_1-x64.dll
    C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TeamFoundation\Team Explorer\Git\mingw64\bin\libssl-1_1-x64.dll
    C:\Program Files (x86)\Nmap\libssl-3.dll
    C:\Program Files (x86)\VMware\VMware Player\libssl-1_1.dll
    C:\Program Files (x86)\VMware\VMware Player\x64\libssl-1_1-x64.dll
    C:\Windows\System32\DriverStore\FileRepository\iclsclient.inf_amd64_a93205b6238060e4\lib\libssl-1_1-x64.dll
    PS C:\> (Get-ChildItem -Path c:\ -Filter openssl* -recurse -force -directory -ea SilentlyContinue).fullname
    C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Redshift\lib\OpenSSL64.DllA
    C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA
    C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA
    C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TeamFoundation\Team Explorer\Git\mingw64\share\licenses\openssl
    C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\CommonExtensions\Microsoft\TeamFoundation\Team Explorer\Git\usr\share\licenses\openssl
    PS C:\>
    

    What files/folders do you find?

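To turn the search from the accepted answer into something a scanner finding can be matched against, the following added example (not part of the original answer) records each bundled OpenSSL DLL's version resource, signer, and a guess at the owning product. `Get-OwnerHint` is a hypothetical helper whose path rules are a heuristic assumption; run it from an elevated PowerShell prompt.

```powershell
# Added example: inventory bundled OpenSSL DLLs with version, signer and owner hint.
# Get-OwnerHint is a hypothetical helper; its path rules are a heuristic, not an API.
function Get-OwnerHint {
    param([Parameter(Mandatory)][string]$Path)
    switch -Regex ($Path) {
        # Driver packages: report the .inf package folder name
        '\\DriverStore\\FileRepository\\([^\\]+)\\' {
            return "Driver package: $($Matches[1])"
        }
        # Per-user installs (for example OneDrive under AppData)
        '\\AppData\\(?:Local|Roaming)\\([^\\]+\\[^\\]+)\\' {
            return "Per-user app: $($Matches[1])"
        }
        # Program Files, either bitness: first one or two folders below it
        '\\Program Files(?: \(x86\))?\\([^\\]+(?:\\[^\\]+)?)\\' {
            return "Installed app: $($Matches[1])"
        }
        default { return 'Unknown (inspect manually)' }
    }
}

# libcrypto ships alongside libssl, so both are collected.
$dlls = Get-ChildItem -Path C:\ -Include 'libssl*.dll', 'libcrypto*.dll' `
    -Recurse -Force -File -ErrorAction SilentlyContinue

$report = foreach ($dll in $dlls) {
    $vi  = $dll.VersionInfo
    # -LiteralPath avoids wildcard handling of brackets in folder names
    $sig = Get-AuthenticodeSignature -LiteralPath $dll.FullName
    [pscustomobject]@{
        OwnerHint     = Get-OwnerHint -Path $dll.FullName
        FileVersion   = $vi.FileVersion   # empty when the build has no version resource
        ProductName   = $vi.ProductName
        Signer        = if ($sig.SignerCertificate) {
                            $sig.SignerCertificate.Subject
                        } else { 'unsigned' }
        LastWriteTime = $dll.LastWriteTime
        Path          = $dll.FullName
    }
}

# Group by owner so each finding maps to the vendor whose update replaces the DLL.
$report | Sort-Object OwnerHint, Path | Format-List
```

The signer and `OwnerHint` columns indicate which vendor's update channel is responsible for each copy; an empty `FileVersion` means the version has to be confirmed another way.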

2 additional answers

  1. Limitless Technology 44,766 Reputation points
    2023-08-15T13:17:03.59+00:00

    Hello there,

    Microsoft typically provides security updates for the components that are built into Windows 10 itself. If OpenSSL was not originally included as part of the Windows 10 installation and you require updates for it, you might need to obtain those updates separately from the OpenSSL project itself or from the vendor that provides the software utilizing OpenSSL.

    Similar discussion here https://answers.microsoft.com/en-us/msoffice/forum/all/365-defender-detecting-out-of-date-openssl-version/308b7e29-695b-48a9-98c7-adbf880e3b38

    Hope this resolves your query!

    --If the reply is helpful, please upvote and accept it as an answer--


  2. Horstman, Tracy [US-US] 20 Reputation points
    2023-08-29T12:06:23.1233333+00:00

    Using the Accepted Answer, I was able to determine if the OpenSSL was part of the OS or part of another product. Like the Accepted Answer, it's the Intel Trusted Connect Service Client being detected by Tenable as outdated OpenSSL.
