20,220 questions
See here
Is there any particular KB that would take care of curl update to 8.4.0
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 37%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EV%3C/text%3E%3C/svg%3E)
Varma
1,495
Reputation points
Is there any particular KB that would take care of curl update to 8.4.0
if yes what is that KB number?
Windows for business | Windows Server | User experience | Other
1 answer
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 32%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Michael Taylor 60,346 Reputation points2024-04-29T17:35:55.8533333+00:00 -
Varma 1,495 Reputation points
2024-04-29T18:01:43.1733333+00:00 HI Michael,
But document not show which KB is required exactly?
-
Michael Taylor 60,346 Reputation points
2024-04-29T18:06:36.7533333+00:00 The link I gave links to the CVE which is tied to the vulnerability that 8.4 is supposed to fix. If you go to the CVE page then it provides a list of the KBs/downloads for the various versions of Windows. You would use the version appropriate for your OS.
If you read the last comment in the same link then it also clarifies that
The update to curl 8.4.0 was already provided in November 2023 cumulative updates on November 14, 2023. So if you have the CU for Nov 2023 then the update is already applied. You can review that update to see what exact KB was installed that fixes the issue for your OS. -
Varma 1,495 Reputation points
2024-04-30T11:16:26.2433333+00:00 HI Michael,
I have gone through document, but Nov 14, 2023 release does not have any KB or not showing KB to download? or am i missing something?
-
Varma 1,495 Reputation points
2024-04-30T11:17:26.2866667+00:00 test123
-
Michael Taylor 60,346 Reputation points
2024-04-30T14:17:40.3566667+00:00 Did you look at the link I gave for the CVE with the links to the updates for each OS version? Does this not have what you need? I'm trying to figure out exactly why you're looking for a KB article. Do you not have the latest Windows update installed? It would have the fix.
-
Varma 1,495 Reputation points
2024-04-30T14:32:01.89+00:00 Hi Michael,
Okay, We use update manager and it is scheduled every week it includes all KBS. may be it might have missed because I am not able to figure out because when I verify history it is succeeded.
but not sure why few machines are not having curl 8.4.0
so now to fix that what is the KB i should use, i have gone through document but not much clear on which one to pick to fix this upgrade to 8.4.0
-
Michael Taylor 60,346 Reputation points
2024-04-30T14:38:52.4833333+00:00 What OS version and update is it missing on?
-
Varma 1,495 Reputation points
2024-04-30T15:02:28.2733333+00:00 I will check and let you know. thank you.
-
Varma 1,495 Reputation points
2024-05-07T19:44:14.1266667+00:00 Hi Michael,
Here is the OS and other details of virtual machines, in this case can you suggest which KB I need to install for the respective VM?
What I have noticed few machines are using windows 10 and windows server 2022
Looking forword to hear from you
-
Michael Taylor 60,346 Reputation points
2024-05-07T20:21:16.67+00:00 Wait a second. Only the first and last one's are actually going to be resolved by a KB. All the others are applications that ship with their own copy of the curl library and therefore don't use the version shipped with the OS.
The second and fifth one's are using Notepad++ that ships with libcurl. To fix those you'll need to update Notepad++ on these machines. Based upon the version these are really, really out of date. Update to the latest version of Notepad++ to resolve this issue, hopefully.
The third one appears to be a SalesForce addin for Office. It is also using its own copy of curl so you'll need to update the addin to a newer version, assuming they have fixed it.
The fourth one is VS2019. I cannot find any mention of VS 2019 updates with curl but based upon the path it looks like the Git workload. Update your instance of VS 2019 to the latest update and see if that resolves your issue.
For Windows 10 it looks like you're on 22H2 so the KB is KB5032189. Or install Nov 2023 update or newer.
For Server 2022 it appears the KB is KB5032198.
-
Varma 1,495 Reputation points
2024-05-08T02:30:41.9533333+00:00 HI Michael,
Thank you.
1.
so updating notepad++ will take care of updating curl also?
2.
Regarding Sales force adding for office, what exactly I need to udpate here?so whatever I am going to do with office version does it take care of curl update also?
3.
and can you suggest for below machine as well?
-
Michael Taylor 60,346 Reputation points
2024-05-08T14:04:32.32+00:00 - No, updating Notepad++ won't touch curl.exe which ships with the OS. The error report you posted didn't mention the OS as having an issue. What it found was an app that uses the curl library (where the vulnerability is at). Updating Notepad++ should resolve that vulnerability in the app and remove it from your list. When you rerun your analysis it may then complain about something else (I don't know how your tool works).
- I have no knowledge of SalesForce but I assume that toolset is installed on the machine. You'll need to look on the machine for any SalesForce related stuff (or ask someone who probably installed it) and update it. This is not part of Office proper AFAIK so MS doesn't have any updates for it.
- This is the MS Teams Windows Store app. Update the app.
Please note that the assumption with security is that you're keeping all your apps up to date. It doesn't look like these machines have any sort of application updates applied and therefore are vulnerable. You should review all your machines and ensure they are running the latest update for any installed software (Microsoft or otherwise). This should resolve your issue. Windows Updates will only handle Windows components and, if opted in, MS products that are on the Windows Update catalog. The bulk of your apps won't be in that list.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 87%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESK%3C/text%3E%3C/svg%3E)
Shyam Kumar 866 Reputation points2024-05-20T16:19:04.07+00:00 Hi Michael,
1.
So i see following is the notepad++ version in the machine.
so updating it to latest notepad ++ will it fix the below vulnerabilities?
- What about MS office, what is the fix for MS office to fix vulnerabilities?
- MS teams windows app, do I need to update from inside machine?
- and what is the fix for below visual studo to resolve vulnerability?
5.
What about GIT below one , to fix below vulnerbilty, what step should be taken?
Looking Forword for your response, thank you.
-
Michael Taylor 60,346 Reputation points
2024-05-20T17:49:08.2633333+00:00 Unfortunately you'll need to check with each of the program provides to see whether they've resolved it. Here's some starter links.
- Notepad++ forum question
- This isn't an Office issue I believe but an issue with whatever SalesForce component is being installed on that machine. My copy of Office doesn't have SalesForce so I don't know what company-specific addins you may have installed. You should contact whoever needs that functionality and ask them. If nobody needs it then remove it. Just looking at the path it looks like somebody installed an ODBC driver to talk to SalesForce.
- Yes you should update this tool (or let Windows Update do it for you).
- Install the latest update to VS 2019. My version of VS 2019 has curl 8.4 so it was part of one of the VS updates.
- Git is explicitly installed on the machine so you need to update the installed version of Git. The latest Git version is available here. Install it and it'll update the binaries.
-
Shyam Kumar 866 Reputation points
2024-05-20T18:42:11.83+00:00 HI Michael,
Thank you.
Just quick 2 follow up questions, could you please clarify
1.
All above machines are with curl 8.4.0 which is latest version but what security team is mentioning that why it referring older versions in the respective paths so which causing alert generation under critical category. Please suggest fix for this.
2.
with respect to notepad ++, so I need to update the notepad++ to latest, am I correct? OR do I need to raise request in the github wingup which you have given?
what I noticed below is version in the respective machines
-
Michael Taylor 60,346 Reputation points
2024-05-20T19:06:03.43+00:00 - Again, curl.exe is what is installed and updated by Windows. If you ask for the version of curl on a machine then that is what you get. That binary was updated to resolve the issue with the Nov 2023 update. However many apps use curl functionality but not the curl.exe. They use the underlying curl library (libcurl.dll). Since the CVE is actually in the DLL then every app that uses libcurl has to be updated as well. This includes Notepad++. Updating Windows only resolves the issue for when you run curl yourself, not when an app runs curl directly using the curl library that it installed.
- Update Notepad++ to the latest version and it should then be using the 8.4 version of libcurl.dll.
- The machine you took the screenshot of has the curl.exe 8.4.0 version which means it likely has the Nov 2023 update. That machine also has Notepad++ 8.5.6 installed. That version was released Aug of last year. I don't know what version of Notepad++ has the fix in it. I know the latest version seems fine.
-
Shyam Kumar 866 Reputation points
2024-05-20T20:59:41.81+00:00 Hi Michael,
thank you for detailed information
all above machines are manually updated to latest patches using update manager
and all above are having 8.4.0
In that case
1.
So my doubt is how/why upgrading above software will fix the vulnerabilities? When machines patches are already up to date and curl is already having latest version.
- what is the relation between software and curl here ? Why when curl is already latest why software version upgrade has to be considered to fix vulnerabilities?
could you please clarify ?
-
Michael Taylor 60,346 Reputation points
2024-05-20T21:39:08.66+00:00 That's what I keep trying to explain. I'm not explaining myself clearly so let's try this again. Curl.exe (the software you are updating with Windows updates is just a program that wraps the libcurl library. The libcurl library is where the vulnerability resides. Many applications ship and use libcurl themselves including Notepad++, VS 2019 and Teams. Each program has its own copy of the library. Therefore each application that uses that library is vulnerable. Applying the Windows update just fixes the curl.exe that ships with Windows. It doesn't fix all the other software that include their own version of the library. There is no way for the updater to know what other programs are using the library, what version of the library they depend on and whether updating the library would break the app. So the only thing the Windows updater can do is update the one version that it knows about, curl.exe. Most software works this way. It is a tradeoff between relying on software provided by the OS to reduce space at the expense of being broken when a random system update makes a change to something you rely on.
Let me try an alternative approach. You have a cell phone I assume. Let's suppose that your phone uses program A which relies on library X. Since library X may or may not be on the phone yet and you want to ensure that the version you tested with is available you have a copy of library X as part of your program. Programs B and C do the same thing. So there are 3 copies of library X on your phone, potentially different versions but all independent of each other. You'd be shocked if you updated program B and program C stopped working. Hence the dependencies are isolated.
Now, this library is so useful that the core phone software starts shipping a version of library X. Applications now have to decided - use the version that ships with the phone and risk being broken when a phone update occurs or continue to use a version they tested with and ship it with the product. A few years down the road and a security vulnerability is found. The phone software is updated so any app that relies on the phone version is now secure but any app that didn't do that is now vulnerable and must also provide their own update. That is the situation going on here.
Why would software not "switch to" the phone version? Several reasons as already mentioned: 1) relying on a shared version means the app may break if the shared version is updated. 2) testing all possible versions that could be available based upon phone versions is incredibly time consuming. 3) the software may rely on features that are deprecated or potentially removed in newer versions and therefore need a specific version. 4) if the software support different phone versions and not all phone versions have the shared library then the installer needs to install it which makes installation more complex.
-
Shyam Kumar 866 Reputation points
2024-05-20T21:56:22.98+00:00 Hi Michael,
I got most of the concept now. Thank you. Could you please clarify my 2 follow up questions.
so I will ask developers to update git, office, teams , vs studio , notepad ++ to latest software on their respective machines then…. Hope that’s good idea and won’t break anything.. 1
VS studio is already having latest version of 2019 as per my screenshot
then why we need to update to 2019 ?
- I tried to update the notepad ++ but came up with following error. Please suggest
-
Shyam Kumar 866 Reputation points
2024-05-21T06:47:08.5366667+00:00 Hi Michael,
I have edited my previous comment, could you please suggest.
-
Michael Taylor 60,346 Reputation points
2024-05-21T14:20:44.8166667+00:00 I don't see the version of your VS 2019. My version is 16.11.35 (although there is a newer version now) and my version is 8.4.0 of the curl library which should have the fix. Note that this is part of the Git implementation for Team Explorer. If you're not using any of that then it might not even be relevant.
For notepad++ download issues you'll need to contact that team. It might just be easier to download the installer from their site and then run it. It'll update the existing install if it finds one.
-
Varma 1,495 Reputation points
2024-05-21T14:30:58.86+00:00 Test 123
-
Varma 1,495 Reputation points
2024-05-22T05:14:15.67+00:00 HI Michael,
one of developer tried to update VS2019? is below method correct one? which he implemented, could you please confirm
-
Michael Taylor 60,346 Reputation points
2024-05-22T16:08:07.1333333+00:00 Yes the VS Installers is how Visual Studio updates are handled. Once the installer is complete then the software should be up to date. Note that the screen you didn't show is the initial screen where it lists all the VS installations on a machine. Ensure you update all instances.
-
Varma 1,495 Reputation points
2024-05-22T16:10:28.4033333+00:00 test123
-
Varma 1,495 Reputation points
2024-05-22T16:18:48.3+00:00 HI Michael,
After installation showing below one, hope below indicates successfully done?
and 2nd query is
I am not clear on below comment you have given.
For notepad++ download issues you'll need to contact that team. It might just be easier to download the installer from their site and then run it. It'll update the existing install if it finds one.
it is developer machine where we are trying to update notepad ++ , where already notepad ++ is there
A. which site it is ?
B. Do we have way to check What url is notepad++ hitting to update?
-
Michael Taylor 60,346 Reputation points
2024-05-22T19:37:56.98+00:00 VS installation is at 16.11.36 which is the latest release.
Notepad++ downloads are available here.
I don't know what URL Notepad++ is trying to hit but I'm aware that some people have had issues trying to update it. Just downloading the updated version manually is a workaround and should be fine.
Sign in to comment -