on 10-20-2014 10:22 PM
In the interest of securing platforms, we desire to remove msvcr71.dll entirely from systems. This legacy file has been used in multiple exploits as it is a prime candidate for mining gadgets in ROP type attacks.
I see that even the latest versions of PowerBuilder seem to depend on this legacy file. msvcr100.dll is also included, however. I find it confusing that 2 different versions of the C Runtime are required.
Is it possible to use, build, and deploy applications with PowerBuilder using only the msvcr100.dll version of the C Runtime?
Alternatively, if there is a way to enforce ASLR on the msvcr71.dll can that be done through PowerBuilder?
Your best bet would be to try taking a copy of msvcr100 and rename it as msvcr71 and see if PowerBuilder runs OK.
You should submit a support ticket to point out the security issues with the older C Runtime and hopefully in the next MR or Major version they will upgrade.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Looking at the SAP support page for version 12.6, it appears that the version 71 files are still required for PB Classic and not for .NET.
Issue 677259
Windows Forms and Web Forms require two DLLs, in addition to DLLs currently listed:msvcr100.dll and msvcp100.dll. The documentation was updated in the PowerBuilder .NET Features Guide and Deploying Applications to .NET; however, it has not been updated in Application Techniques.
In Application Techniques, everywhere that msvcr71.dll and msvcp71.dll are listed, add msvcr100.dll and msvcp100.dll to the required DLLs.
Randy
Just read this and it appears that the version 71 files are not needed for any deployment, just the version 100 files.
==
Visual C++ Runtime and the Active Template Library
When you deploy the core PowerBuilder runtime files, make sure the msvcr100.dll and msvcp100.dll Microsoft Visual C++ runtime libraries and the Microsoft .NET Active Template Library (ATL) module, atl100.dll, are present on the user’s computer or server.
The PowerBuilder runtime files have a runtime dependency on these files and they are required for all applications and components that require the PowerBuilder runtime. You can obtain these files from DLL archive Web sites at http://dlldump.com or http://driverskit.com/ .
===
I have yet to get a version 12.6 application ready for deployment to test this. It would be nice to know if the Classic version only uses the 100 version DLLs.
Randy
Actually, I don't believe it's part of Visual Studio. I've always downloaded it seperately.
A long time ago, it was distributed in the "companion debug tools" of VS :
I cannot tell for later versions as I have only Express flavors and it seems that there are less tools delivered with them.
Charles, does your advice (below) only apply to PB 12.6? We use 12.5 but have been alerted to vulnerabilities within this DLL by a new tool we use. I wondering if it's possible to fix or workaround it without upgrading to 12.6 (or away from 12.5 at least).
"Just read this and it appears that the version 71 files are not needed for any deployment, just the version 100 files."
thanks
Andrew Scott
User | Count |
---|---|
95 | |
11 | |
10 | |
9 | |
9 | |
7 | |
6 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.