SEP11 and MS09-035

The vulnerability scanner is finding a bunch of systems with %windir%\system32\atl71.dll version 7.10.5057.0 and the registry key HKLM\Software\Microsoft\VisualStudio\7.1. This indicates that the system may be MS09-035 vulnerable. The patched version of atl71.dll is 7.10.6101.0.
I also have some systems that don't have that registry key but have atl71.dll.
I decided to do some testing to determine how the file is getting on the computer. We haven’t rolled out Visual Studio .Net 2003, but clearly some application is putting it there.
A clean load of XP SP3 has no atl71.dll present on the system. However, after installing Symantec Endpoint Protection 11, I find that I have atl71.dll. This test system does not have the registry key.
So it appears that Symantec is using Microsoft’s ATL library and distributing a vulnerable version of the DLL.
I couldn’t find anything about this at the Symantec forums or in the knowledgebase. I may have to open a support ticket. I’m not sure I’m prepared for that kind of crap shoot today.

Symantec now has a knowledgebase article available. See comments on this post.
Symantec reports they are not actually vulnerable. A future version of SEP will have an updated file to avoid the detection by the vulnerability scanner.
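
The check the scanner performs can be reproduced locally to triage flagged systems. The script below is an added example, not part of the original post or any vendor tool; it uses only the file path, registry key and version numbers quoted above, and its variable names and status strings are assumptions made for illustration. It reports the file version only and says nothing about whether the installed application is actually exploitable.

```powershell
# Added example: reproduce the scanner's atl71.dll finding on the local system.
# Path, registry key and patched version are the ones quoted in the post.
$patched = New-Object System.Version 7, 10, 6101, 0
$dllPath = Join-Path $env:windir 'system32\atl71.dll'
$vsKey   = 'HKLM:\Software\Microsoft\VisualStudio\7.1'

$result = New-Object PSObject -Property @{
    Computer     = $env:COMPUTERNAME
    DllPresent   = Test-Path -LiteralPath $dllPath
    FileVersion  = $null
    VsKeyPresent = Test-Path -LiteralPath $vsKey
    Status       = 'atl71.dll not present'
}

if ($result.DllPresent) {
    $info = (Get-Item -LiteralPath $dllPath).VersionInfo
    # Build the version from the numeric parts; the FileVersion string
    # can carry extra text that does not parse as a version.
    $ver = New-Object System.Version $info.FileMajorPart, $info.FileMinorPart,
                                     $info.FileBuildPart, $info.FilePrivatePart
    $result.FileVersion = $ver.ToString()

    if ($ver -lt $patched) {
        $result.Status = 'atl71.dll older than 7.10.6101.0'
    } else {
        $result.Status = 'atl71.dll at or above 7.10.6101.0'
    }

    # No Visual Studio 7.1 key means some other application installed the DLL,
    # which is the case the post observed after installing SEP 11.
    if (-not $result.VsKeyPresent) {
        $result.Status += ' (no VisualStudio\7.1 key; installed by another application)'
    }
}

$result | Select-Object Computer, DllPresent, FileVersion, VsKeyPresent, Status
```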
