Apr 21 2023 12:58 PM
Hi all,
We've been getting curl.exe coming up as a vulnerability in scans. Looks like this was added to Windows, but isn't really kept updated via MS update... seems like a bad practice. Anyway - what's the recommended way to update the curl.exe? Just manually replace the file with the latest version? Are there any potential issues that could arise from doing this?
Thanks for any help.
Apr 24 2023 10:17 AM
Solution@PalmerEldritch Daniel Stenberg the main developer behind cURL has addressed this in a blog post here - https://daniel.haxx.se/blog/2023/04/24/deleting-system32curl-exe/
The TLDR is that manually modifying files inside the system folder is not supported and may cause future updates to fail. Microsoft has supposably shipped an updated cURL.exe in the April 2023 Cumulative. Update - are you still seeing a vulnerable version with the latest updates installed?
Apr 25 2023 12:11 AM
Apr 25 2023 01:47 PM
Oct 24 2023 05:06 PM
Do not try to update system32/curl.exe or delete it. It will cause issues with the OS including preventing it from updating. Contact Microsoft Security Response Center. This is the first time I have ever seen an OS vendor not update a critical vulnerability in the OS.
https://msrc.microsoft.com/report/vulnerability
We are giving Microsoft a specific amount of time to address this vulnerability and after a specific amount of time we will contact the CISA here (generally 45 days).
While the vulnerability has already been verified by the vendor, the problem here is that the vendor Danial Stenberg has released new versions regularly to address vulnerabilities. Microsoft has made it an integral part of the OS and has not kept it updated along with the advisories and Stenberg's patch cadence.
https://www.kb.cert.org/vuls/report/
Apr 24 2023 10:17 AM
Solution@PalmerEldritch Daniel Stenberg the main developer behind cURL has addressed this in a blog post here - https://daniel.haxx.se/blog/2023/04/24/deleting-system32curl-exe/
The TLDR is that manually modifying files inside the system folder is not supported and may cause future updates to fail. Microsoft has supposably shipped an updated cURL.exe in the April 2023 Cumulative. Update - are you still seeing a vulnerable version with the latest updates installed?