SOLVED

Updating curl.exe on Windows servers

Hi all,

We've been getting curl.exe coming up as a vulnerability in scans. Looks like this was added to Windows, but isn't really kept updated via MS update... seems like a bad practice. Anyway - what's the recommended way to update the curl.exe? Just manually replace the file with the latest version? Are there any potential issues that could arise from doing this?

Thanks for any help.

best response confirmed by PalmerEldritch (Copper Contributor)
Solution

@PalmerEldritch Daniel Stenberg, the main developer behind cURL, has addressed this in a blog post here - https://daniel.haxx.se/blog/2023/04/24/deleting-system32curl-exe/

The TLDR is that manually modifying files inside the system folder is not supported and may cause future updates to fail. Microsoft has supposedly shipped an updated cURL.exe in the April 2023 Cumulative Update - are you still seeing a vulnerable version with the latest updates installed?

Hello,
Update curl.exe like you update all operating system files - by applying monthly cumulative updates (or other hotfixes provided by Microsoft). Manually replacing the file will break Windows, don't do it.

Thanks - I didn't want to attempt to manually update anything anyway. It just seems like a long time for this to be at a fairly old version. Hopefully MS remembers to keep it updated going forward. Odd that it finally was just in this month's patches. I'll check to see if it gets updated after the April update is applied.

Do not try to update system32/curl.exe or delete it. It will cause issues with the OS including preventing it from updating. Contact Microsoft Security Response Center. This is the first time I have ever seen an OS vendor not update a critical vulnerability in the OS.

https://msrc.microsoft.com/report/vulnerability

We are giving Microsoft a specific amount of time to address this vulnerability and after a specific amount of time we will contact the CISA here (generally 45 days).

While the vulnerability has already been verified by the vendor, the problem here is that the vendor Daniel Stenberg has released new versions regularly to address vulnerabilities. Microsoft has made it an integral part of the OS and has not kept it updated along with the advisories and Stenberg's patch cadence.

https://www.kb.cert.org/vuls/report/
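
A read-only way to answer the question raised in the thread (is the bundled curl.exe still below the fixed version once the cumulative update is installed?), added here as an example and not posted by any participant. The `-MinimumVersion` parameter and the report column names are assumptions of this example; take the version from your scanner's finding.

```powershell
# Added example: inventory curl.exe copies without modifying anything under System32.
param(
    # Assumption: lowest curl version your scanner accepts as fixed (from the scan finding).
    [Parameter(Mandatory)][version]$MinimumVersion
)

$system32 = Join-Path $env:SystemRoot 'System32'

# The Windows-shipped copy plus any other curl.exe reachable through PATH.
$candidates = @(Join-Path $system32 'curl.exe') +
    @(Get-Command curl.exe -All -CommandType Application -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Source)

$report = $candidates | Sort-Object -Unique | Where-Object { Test-Path $_ } | ForEach-Object {
    $info = (Get-Item $_).VersionInfo
    $sig  = Get-AuthenticodeSignature -FilePath $_
    $ver  = [version]::new($info.FileMajorPart, $info.FileMinorPart,
                           $info.FileBuildPart, $info.FilePrivatePart)
    [pscustomobject]@{
        Path         = $_
        Version      = $ver
        BelowMinimum = $ver -lt $MinimumVersion
        # OS-managed copies are fixed by cumulative updates, never by replacing the file.
        OsManaged    = $_ -like "$system32\*"
        Signature    = $sig.Status
        Signer       = $sig.SignerCertificate.Subject
    }
}
$report | Format-Table -AutoSize

# Most recent installed update, to confirm the host has actually been patched.
$latest = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1
"Latest update: {0} installed {1:yyyy-MM-dd}" -f $latest.HotFixID, $latest.InstalledOn

# Remediation hint per finding, following the advice in the thread.
foreach ($row in $report | Where-Object BelowMinimum) {
    if ($row.OsManaged) {
        Write-Warning "$($row.Path): install the latest cumulative update; do not replace or delete."
    } else {
        Write-Warning "$($row.Path): not OS-managed; update through the application that installed it."
    }
}
```

A row with `OsManaged` true and `BelowMinimum` true on a fully patched host is the case to raise with Microsoft rather than fix by hand.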


