cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Removal of msvcr71.dll

Go to solution
Former Member

on ‎10-20-2014 10:22 PM

0 Kudos

In the interest of securing platforms, we desire to remove msvcr71.dll entirely from systems.  This legacy file has been used in multiple exploits as it is a prime candidate for mining gadgets in ROP type attacks.

I see that even the latest versions of PowerBuilder seem to depend on this legacy file.  msvcr100.dll is also included, however.  I find it confusing that 2 different versions of the C Runtime are required.

Is it possible to use, build, and deploy applications with PowerBuilder using only the msvcr100.dll version of the C Runtime?

Alternatively, if there is a way to enforce ASLR on the msvcr71.dll can that be done through PowerBuilder?

Show replies
Show replies
Answer

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
‎10-21-2014 1:17 PM
0 Kudos

Your best bet would be to try taking a copy of msvcr100 and rename it as msvcr71 and see if PowerBuilder runs OK.

You should submit a support ticket to point out the security issues with the older C Runtime and hopefully in the next MR or Major version they will upgrade.

Show replies
Show replies
Former Member
‎10-21-2014 3:08 PM
0 Kudos

I believe according to SAP Help documentation that the latest version of PowerBuilder 12.6 no longer needs msvcr71.dll and uses msvcr100.dll.  So this may be already addressed.

Former Member
‎10-21-2014 10:10 PM
0 Kudos

Looking at the SAP support page for version 12.6, it appears that the version 71 files are still required for PB Classic and not for .NET.

Issue 677259

Windows Forms and Web Forms require two DLLs, in addition to DLLs currently listed:msvcr100.dll and msvcp100.dll. The documentation was updated in the PowerBuilder .NET Features Guide and Deploying Applications to .NET; however, it has not been updated in Application Techniques.

In Application Techniques, everywhere that msvcr71.dll and msvcp71.dll are listed, add msvcr100.dll and msvcp100.dll to the required DLLs.

Randy

Former Member
‎10-21-2014 10:21 PM
0 Kudos

Just read this and it appears that the version 71 files are not needed for any deployment, just the version 100 files.

==

Visual C++ Runtime and the Active Template Library

When you deploy the core PowerBuilder runtime files, make sure the msvcr100.dll and msvcp100.dll  Microsoft Visual C++ runtime libraries and the Microsoft .NET Active Template Library (ATL) module, atl100.dll, are present on the user’s computer or server.

The PowerBuilder runtime files have a runtime dependency on these files and they are required for all applications and components that require the PowerBuilder runtime. You can obtain these files from DLL archive Web sites at http://dlldump.com or http://driverskit.com/ .

===

I have yet to get a version 12.6 application ready for deployment to test this.  It would be nice to know if the Classic version only uses the 100 version DLLs.

Randy

Former Member
‎10-22-2014 10:41 PM
0 Kudos

If you have Visual Studio, there is a utility called Depends. You might be able to download it independently.

Among other things it shows what other DLL files a DLL is dependent on.

former_member190719
Active Contributor
‎10-23-2014 5:49 AM
0 Kudos

Actually, I don't believe it's part of Visual Studio.  I've always downloaded it seperately.

http://www.dependencywalker.com/

Former Member
‎10-23-2014 9:23 AM
0 Kudos

A long time ago, it was distributed in the "companion debug tools" of VS :

  • in Microsoft Visual Studio\Common\Tools\ for Visual Studio 6
  • in Microsoft Visual Studio 8\Common7\Tools\Bin\ for Visual Studio 2006

I cannot tell for later versions as I have only Express flavors and it seems that there are less tools delivered with them.

Former Member
‎07-28-2015 3:12 PM
0 Kudos

Charles, does your advice (below) only apply to PB 12.6? We use 12.5 but have been alerted to vulnerabilities within this DLL by a new tool we use. I wondering if it's possible to fix or workaround it without upgrading to 12.6 (or away from 12.5 at least).

"Just read this and it appears that the version 71 files are not needed for any deployment, just the version 100 files."

thanks

Andrew Scott

Former Member
‎07-31-2015 7:54 PM
0 Kudos

Hi Andrew,

Version 12.5 requires the version 7 Microsoft files.  Version 12.6 does not and requires the version 100 files as best as I can tell.

Randy

Answers (0)

Ask a Question