Forum Discussion
OpenSSL
I found this bit of PowerShell which, when run as admin, will let you know where and what is installed. Run it from the root of C:
PS C:\> Get-ChildItem libssl* -Recurse -ErrorAction SilentlyContinue | Select-Object -ExpandProperty VersionInfo | Sort-Object ProductVersion,FileName | Format-Table -AutoSize
For me it found mostly Windows software without update options.
The ones at issue are
My best actions so far include
- Delete C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\ (we don't use Salesforce)
- Update everything (Zoom especially)
- Install OpenSSL v3.2.1 from a trusted repository (or you could build your own from source)
Now I'm waiting for Microsoft to update the libraries for
- OneDrive
- C:\Windows\System32\DriverStore\FileRepository\iclsclient
fatherosam_1 - The February version of Power BI Desktop has updated the OpenSSL from 3.0.9 to 3.0.11 but that is still vulnerable. The latest secure version is 3.0.13.
Have you reported the Microsoft applications to MSRC? I was able to get them to accept a report for CURL last year but they didn't accept for Power BI when I tried.
- fatherosam_1, Mar 06, 2024, Copper Contributor
Not yet - I have raised it more generally.
And so far I'm on my third handoff with MS Support ("not our area, I'll pass you on to ...").
I have found vulnerable editions in System32 drivers, OneDrive sync libraries and Office ODBC, along with Power BI and others.
I'll just keep answering questions until someone finally takes it on.
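
An added example, not part of the original posts: a PowerShell extension of the inventory command from the first post that also picks up libcrypto and marks each file against a per-branch baseline. The baselines 3.0.13 and 3.2.1 come from the thread; using 3.2.1 as the 3.2.x minimum, the function names and the CSV path are assumptions.

```powershell
# Added example, not from the thread. Baselines are the versions named in the posts:
# 3.0.13 ("latest secure version" for 3.0.x) and 3.2.1 (the build the poster installed).
# Treating 3.2.1 as the 3.2.x minimum is an assumption; other branches are not judged.
$MinimumByBranch = @{ '3.0' = [version]'3.0.13'; '3.2' = [version]'3.2.1' }

function Get-OpenSslVerdict {
    param([string]$ProductVersion)
    # OpenSSL DLLs report strings such as "3.0.11" or "1.1.1w"; keep the numeric part.
    if ($ProductVersion -notmatch '^\s*(\d+)\.(\d+)\.(\d+)') { return 'Unparsed' }
    $found  = [version]('{0}.{1}.{2}' -f $Matches[1], $Matches[2], $Matches[3])
    $branch = '{0}.{1}' -f $Matches[1], $Matches[2]
    if (-not $MinimumByBranch.ContainsKey($branch)) { return 'ReviewManually' }
    if ($found -lt $MinimumByBranch[$branch]) { return 'BelowBaseline' }
    return 'OK'
}

function Get-OpenSslInventory {
    param([string[]]$Root = 'C:\')
    Get-ChildItem -Path $Root -Include 'libssl*.dll', 'libcrypto*.dll' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = $_.VersionInfo
            [pscustomobject]@{
                Verdict        = Get-OpenSslVerdict $info.ProductVersion
                ProductVersion = $info.ProductVersion
                Product        = $info.ProductName
                LastWriteTime  = $_.LastWriteTime
                Path           = $_.FullName
            }
        }
}

# Quick check of the verdict logic with the version strings mentioned in the thread.
'3.0.9', '3.0.11', '3.0.13', '3.2.1' |
    ForEach-Object { '{0} -> {1}' -f $_, (Get-OpenSslVerdict $_) }

# Run elevated so protected folders (DriverStore, Program Files) are readable.
$report = Get-OpenSslInventory -Root 'C:\'
$report | Sort-Object Verdict, ProductVersion, Path | Format-Table -AutoSize -Wrap
# CSV output gives a record to attach to a vendor report or to diff after patching.
$report | Export-Csv -Path "$env:TEMP\openssl-inventory.csv" -NoTypeInformation
```

Files marked ReviewManually belong to a branch the thread gives no baseline for, so check them against the vendor's current advisory rather than assuming they are fine.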