Is there any particular KB that would take care of the curl update to 8.4.0?
If yes, what is that KB number?
Windows Server
-
Michael Taylor 49,076 Reputation points
2024-04-29T17:35:55.8533333+00:00
See here
Varma 1,190 Reputation points
2024-04-29T18:01:43.1733333+00:00
Hi Michael,
But the document does not show which KB is required exactly?
-
Michael Taylor 49,076 Reputation points
2024-04-29T18:06:36.7533333+00:00
The link I gave links to the CVE which is tied to the vulnerability that 8.4 is supposed to fix. If you go to the CVE page then it provides a list of the KBs/downloads for the various versions of Windows. You would use the version appropriate for your OS.
If you read the last comment in the same link then it also clarifies that "The update to curl 8.4.0 was already provided in November 2023 cumulative updates on November 14, 2023". So if you have the CU for Nov 2023 then the update is already applied. You can review that update to see what exact KB was installed that fixes the issue for your OS.
-
Varma 1,190 Reputation points
2024-04-30T11:16:26.2433333+00:00
Hi Michael,
I have gone through the document, but the Nov 14, 2023 release does not have any KB, or is not showing a KB to download? Or am I missing something?
-
Varma 1,190 Reputation points
2024-04-30T11:17:26.2866667+00:00
test123
-
Michael Taylor 49,076 Reputation points
2024-04-30T14:17:40.3566667+00:00
Did you look at the link I gave for the CVE with the links to the updates for each OS version? Does this not have what you need? I'm trying to figure out exactly why you're looking for a KB article. Do you not have the latest Windows update installed? It would have the fix.
-
Varma 1,190 Reputation points
2024-04-30T14:32:01.89+00:00
Hi Michael,
Okay. We use Update Manager and it is scheduled every week; it includes all KBs. Maybe it might have missed it; I am not able to figure it out because when I verify the history it succeeded.
But I am not sure why a few machines do not have curl 8.4.0.
So now, to fix that, what is the KB I should use? I have gone through the document but it is not very clear which one to pick to fix this upgrade to 8.4.0.
-
Michael Taylor 49,076 Reputation points
2024-04-30T14:38:52.4833333+00:00
What OS version and update is it missing on?
-
Varma 1,190 Reputation points
2024-04-30T15:02:28.2733333+00:00
I will check and let you know. Thank you.
-
Varma 1,190 Reputation points
2024-05-07T19:44:14.1266667+00:00
Hi Michael,
Here are the OS and other details of the virtual machines. In this case can you suggest which KB I need to install for the respective VM?
What I have noticed is that a few machines are using Windows 10 and Windows Server 2022.
Looking forward to hearing from you.
-
Michael Taylor 49,076 Reputation points
2024-05-07T20:21:16.67+00:00
Wait a second. Only the first and last ones are actually going to be resolved by a KB. All the others are applications that ship with their own copy of the curl library and therefore don't use the version shipped with the OS.
The second and fifth ones are using Notepad++, which ships with libcurl. To fix those you'll need to update Notepad++ on these machines. Based upon the version these are really, really out of date. Update to the latest version of Notepad++ to resolve this issue, hopefully.
The third one appears to be a SalesForce addin for Office. It is also using its own copy of curl so you'll need to update the addin to a newer version, assuming they have fixed it.
The fourth one is VS2019. I cannot find any mention of VS 2019 updates with curl but based upon the path it looks like the Git workload. Update your instance of VS 2019 to the latest update and see if that resolves your issue.
For Windows 10 it looks like you're on 22H2 so the KB is KB5032189. Or install the Nov 2023 update or newer.
For Server 2022 it appears the KB is KB5032198.
-
Varma 1,190 Reputation points
2024-05-08T02:30:41.9533333+00:00
Hi Michael,
Thank you.
1. So updating Notepad++ will take care of updating curl also?
2. Regarding the SalesForce addin for Office, what exactly do I need to update here? So whatever I am going to do with the Office version, does it take care of the curl update also?
3. And can you suggest for the below machine as well?
-
Michael Taylor 49,076 Reputation points
2024-05-08T14:04:32.32+00:00
- No, updating Notepad++ won't touch curl.exe which ships with the OS. The error report you posted didn't mention the OS as having an issue. What it found was an app that uses the curl library (where the vulnerability is at). Updating Notepad++ should resolve that vulnerability in the app and remove it from your list. When you rerun your analysis it may then complain about something else (I don't know how your tool works).
- I have no knowledge of SalesForce but I assume that toolset is installed on the machine. You'll need to look on the machine for any SalesForce related stuff (or ask someone who probably installed it) and update it. This is not part of Office proper AFAIK so MS doesn't have any updates for it.
- This is the MS Teams Windows Store app. Update the app.
Please note that the assumption with security is that you're keeping all your apps up to date. It doesn't look like these machines have any sort of application updates applied and therefore are vulnerable. You should review all your machines and ensure they are running the latest update for any installed software (Microsoft or otherwise). This should resolve your issue. Windows Updates will only handle Windows components and, if opted in, MS products that are on the Windows Update catalog. The bulk of your apps won't be in that list.
-
Diptesh Kumar 101 Reputation points
2024-05-20T16:19:04.07+00:00
Hi Michael,
1. So I see the following is the Notepad++ version on the machine. So will updating it to the latest Notepad++ fix the below vulnerabilities?
2. What about MS Office, what is the fix for MS Office to fix the vulnerabilities?
3. MS Teams Windows app, do I need to update it from inside the machine?
4. And what is the fix for the below Visual Studio to resolve the vulnerability?
5. What about the Git one below? To fix the below vulnerability, what step should be taken?
Looking forward to your response, thank you.
-
Michael Taylor 49,076 Reputation points
2024-05-20T17:49:08.2633333+00:00
Unfortunately you'll need to check with each of the program providers to see whether they've resolved it. Here are some starter links.
- Notepad++ forum question
- This isn't an Office issue I believe but an issue with whatever SalesForce component is being installed on that machine. My copy of Office doesn't have SalesForce so I don't know what company-specific addins you may have installed. You should contact whoever needs that functionality and ask them. If nobody needs it then remove it. Just looking at the path it looks like somebody installed an ODBC driver to talk to SalesForce.
- Yes, you should update this tool (or let Windows Update do it for you).
- Install the latest update to VS 2019. My version of VS 2019 has curl 8.4 so it was part of one of the VS updates.
- Git is explicitly installed on the machine so you need to update the installed version of Git. The latest Git version is available here. Install it and it'll update the binaries.
-
Diptesh Kumar 101 Reputation points
2024-05-20T18:42:11.83+00:00
Hi Michael,
Thank you.
Just 2 quick follow-up questions, could you please clarify:
1. All the above machines have curl 8.4.0, which is the latest version, but what the security team is asking is why it is referring to older versions in the respective paths, which is causing alert generation under the critical category. Please suggest a fix for this.
2. With respect to Notepad++, so I need to update Notepad++ to the latest, am I correct? OR do I need to raise a request in the GitHub wingup which you have given?
What I noticed below is the version on the respective machines.
-
Michael Taylor 49,076 Reputation points
2024-05-20T19:06:03.43+00:00
- Again, curl.exe is what is installed and updated by Windows. If you ask for the version of curl on a machine then that is what you get. That binary was updated to resolve the issue with the Nov 2023 update. However many apps use curl functionality but not the curl.exe. They use the underlying curl library (libcurl.dll). Since the CVE is actually in the DLL then every app that uses libcurl has to be updated as well. This includes Notepad++. Updating Windows only resolves the issue for when you run curl yourself, not when an app runs curl directly using the curl library that it installed.
- Update Notepad++ to the latest version and it should then be using the 8.4 version of libcurl.dll.
- The machine you took the screenshot of has the curl.exe 8.4.0 version which means it likely has the Nov 2023 update. That machine also has Notepad++ 8.5.6 installed. That version was released Aug of last year. I don't know what version of Notepad++ has the fix in it. I know the latest version seems fine.
-
Diptesh Kumar 101 Reputation points
2024-05-20T20:59:41.81+00:00
Hi Michael,
Thank you for the detailed information.
All the above machines are manually updated to the latest patches using Update Manager, and all of the above have 8.4.0.
In that case:
1. So my doubt is how/why upgrading the above software will fix the vulnerabilities, when the machines' patches are already up to date and curl already has the latest version?
2. What is the relation between the software and curl here? When curl is already the latest, why does a software version upgrade have to be considered to fix the vulnerabilities?
Could you please clarify?
-
Michael Taylor 49,076 Reputation points
2024-05-20T21:39:08.66+00:00
That's what I keep trying to explain. I'm not explaining myself clearly so let's try this again. Curl.exe (the software you are updating with Windows updates) is just a program that wraps the libcurl library. The libcurl library is where the vulnerability resides. Many applications ship and use libcurl themselves including Notepad++, VS 2019 and Teams. Each program has its own copy of the library. Therefore each application that uses that library is vulnerable. Applying the Windows update just fixes the curl.exe that ships with Windows. It doesn't fix all the other software that includes its own version of the library. There is no way for the updater to know what other programs are using the library, what version of the library they depend on and whether updating the library would break the app. So the only thing the Windows updater can do is update the one version that it knows about, curl.exe. Most software works this way. It is a tradeoff between relying on software provided by the OS to reduce space at the expense of being broken when a random system update makes a change to something you rely on.
Let me try an alternative approach. You have a cell phone I assume. Let's suppose that your phone uses program A which relies on library X. Since library X may or may not be on the phone yet and you want to ensure that the version you tested with is available, you have a copy of library X as part of your program. Programs B and C do the same thing. So there are 3 copies of library X on your phone, potentially different versions but all independent of each other. You'd be shocked if you updated program B and program C stopped working. Hence the dependencies are isolated.
Now, this library is so useful that the core phone software starts shipping a version of library X. Applications now have to decide: use the version that ships with the phone and risk being broken when a phone update occurs, or continue to use a version they tested with and ship it with the product. A few years down the road a security vulnerability is found. The phone software is updated so any app that relies on the phone version is now secure, but any app that didn't do that is now vulnerable and must also provide its own update. That is the situation going on here.
Why would software not "switch to" the phone version? Several reasons as already mentioned: 1) relying on a shared version means the app may break if the shared version is updated. 2) testing all possible versions that could be available based upon phone versions is incredibly time consuming. 3) the software may rely on features that are deprecated or potentially removed in newer versions and therefore needs a specific version. 4) if the software supports different phone versions and not all phone versions have the shared library, then the installer needs to install it, which makes installation more complex.
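The two replies above (the curl.exe versus libcurl.dll explanation and the "library X" analogy) describe why a fully patched Windows host can still carry vulnerable private copies of libcurl inside third-party applications. The script below is an added example, not code from this thread or from Microsoft; it inventories every curl.exe and libcurl*.dll under a set of assumed search roots, reads the embedded version resource, and flags copies older than 8.4.0 (the version the thread says fixes the CVE). The search roots, the 8.4.0 threshold and the Windows-vs-third-party classification are assumptions to adjust for your environment.

```powershell
# Added example (not from the thread): inventory curl.exe / libcurl*.dll copies on a
# Windows host and flag any older than the assumed fixed version 8.4.0.
$MinimumVersion = [version]'8.4.0'   # assumption: version the thread identifies as fixed

# Assumed search roots: the OS copy lives under System32, bundled copies under the
# per-machine and per-user Program Files trees and the Store app folder.
$SearchRoots = @(
    "$env:SystemRoot\System32",
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    "$env:LOCALAPPDATA\Programs",
    "$env:LOCALAPPDATA\Microsoft\WindowsApps"
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

function Get-CurlInventory {
    param([string[]]$Roots, [version]$Minimum)

    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -File -Include 'curl.exe', 'libcurl*.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = $_.VersionInfo
            # curl builds normally stamp ProductVersion as "8.4.0"; fall back to FileVersion.
            $raw = if ($info.ProductVersion) { $info.ProductVersion } else { $info.FileVersion }
            # Keep only the leading digits-and-dots so strings like "8.4.0 (x64)" still parse.
            $clean = (($raw -replace '[^\d.].*$', '')).Trim('.')
            $parsed = $null
            $ok = [version]::TryParse($clean, [ref]$parsed)
            [pscustomobject]@{
                Path       = $_.FullName
                Version    = if ($ok) { $parsed } else { $null }
                RawVersion = $raw
                # An unparseable version is reported as outdated so it is reviewed by hand.
                Outdated   = if ($ok) { $parsed -lt $Minimum } else { $true }
                # Only the copy under the Windows directory is serviced by Windows Update;
                # everything else must be fixed by updating the application that ships it.
                FixedBy    = if ($_.FullName -like "$env:SystemRoot\*") { 'Windows Update' } else { 'Update the owning application' }
            }
        }
    }
}

$inventory = Get-CurlInventory -Roots $SearchRoots -Minimum $MinimumVersion
$inventory | Sort-Object Outdated -Descending, Path | Format-Table Outdated, Version, FixedBy, Path -AutoSize
```

Run it in an elevated PowerShell session so that Program Files and the Store app folder are readable; entries with FixedBy set to "Update the owning application" are exactly the Notepad++, Git, Visual Studio and Teams style findings discussed in the thread, and the directory in Path tells you which product to update.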
-
Diptesh Kumar 101 Reputation points
2024-05-20T21:56:22.98+00:00
Hi Michael,
I got most of the concept now. Thank you.
So I will ask the developers to update Git, Office, Teams, Visual Studio and Notepad++ to the latest software on their respective machines then. Hope that's a good idea and won't break anything.