Autodesk® AutoCAD® Code Execution Vulnerability – Security Hotfix

Message 1 of 8
guyh
1276 Views, 7 Replies

I have seen this hotfix for what seems to be a pretty serious issue within dwg files. I have downloaded the exe and run this on a 32-bit XP machine, but once extracted the update fails to run. I have also tried this on a Win 7 64-bit machine, which resulted in Explorer crashing.

http://usa.autodesk.com/adsk/servlet/ps/dl/item?siteID=123112&id=21972896&linkID=9240618

Can we have information on this please, Autodesk?


Guy

AutoCADM 2011 SP2
Inventor Pro 2011 SP2
Message 2 of 8
tony_csogroup
in reply to: guyh

The script states that it will restart Explorer. But sometimes it doesn't. But the patch has installed.

 

It should also work when TrueView is installed, but it doesn't. Get a script error.

Anthony Russell
Message 3 of 8
m_latz
in reply to: guyh

This hotfix is a self-extracting 7-zip file. After extracting to the %temp% folder, the self-extractor calls the included vbs files.

You can view the vbs files in notepad++ or notepad.

In principle the hotfix updates the files AdApplicationFrame.dll, AcSignCore16.dll and acdb19.dll.

You can search for the files in your ProgramFiles folders (and x86) and substitute manually.

The hotfix also changes the path for the AcSignCore16.dll file in the registry.

But on a 64-bit OS the 32-bit (Wow6432Node) change is wrong, because the hotfix changes the path to a location where the AcSignCore16.dll file under some circumstances does not exist. I.e. if you have installed only AutoCAD 2013 or AutoCAD Mechanical 2013 or AutoCAD Electrical 2013, the AcSignCore16.dll file is not located in C:\Program Files (x86)\Common Files\Autodesk Shared.

If Inventor 2013 is installed the registry change works correctly.

I've also tested that not all versions of the 3 files are updated. I.e. the acdb19.dll in the Inventor Fusion installation was not updated after applying the hotfix.

So I recommend manually updating the files and manually updating the registry. Take a look at the Hotfix.vbs file and you know what to do.

Message 4 of 8
m_latz
in reply to: m_latz

One addition, since something in my previous post is not 100% correct.

That not all acdb19.dll versions are updated is intended. In the hotfix.vbs macro there is a "conversion table" where it is defined which version is updated to which version.

But the problem with the wrongly updated registry path exists.

Message 5 of 8
OBERDACKER
in reply to: m_latz

I don't know if I should reply to this post or create an entire new one.  I'll try this first.

Is there a way to tell if the hotfix has been applied? The install code runs and then the desktop shows up again and that's all I ever see. There is no message of any kind that is displayed indicating the hotfix was successful or not. On occasion I have seen an error message. When this displays the desktop icons do not show up again. I am assuming this is because Windows Explorer does not properly restart. To get the icons and task bar to show up again I have to log off and log back on to Windows. Once I've done this I have no idea if the hotfix has been completely applied, partially applied, or not applied at all. I run the hotfix again to be sure.

I have forty-five machines to keep updated.  If I forget to note I've run the hotfix on one I have to assume it has not been run.  We have Interns who come and go and AutoCAD is not always removed from the machine before the next Intern starts.  Does the hotfix need to be applied to every Windows profile?   

On a related note.  If the hotfix is applied and then service pack 2 for AutoCAD 2013 is installed does the hotfix need to be applied again?  Or at all?

I wish the documentation from Autodesk regarding this hotfix would have been thorough enough to answer these questions or, at the very least, allow me to figure out the answers for myself.

Message 6 of 8
m_latz
in reply to: OBERDACKER

As written earlier, the hotfix is a self-extracting 7-zip file. So you can download 7-zip and open to take a look at the "Hotfix.vbs" file contained in the 7-zip archive. There you can investigate everything.

Also the hotfix creates a logfile in the %temp% folder of the executing user with the name "BufferOverrunHotfix.log".

There you can check what the hotfix does on your computer.

Hope that helps.

regards

Markus
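
One way to check a machine for the traces described in this thread (the per-user log file, the three DLLs, and the 32-bit shared folder), as an added example that is not from Autodesk or from any poster here. The temp-folder layouts and the function names are assumptions; the log name, DLL names and shared path are the ones quoted above.

```powershell
# Added example, not part of the hotfix. Run elevated so other profiles are readable.
$logName  = 'BufferOverrunHotfix.log'
$dllNames = 'AdApplicationFrame.dll', 'AcSignCore16.dll', 'acdb19.dll'

function Get-HotfixLog {
    # Assumption: default per-user temp folders (Vista/7 layout, then XP layout).
    $patterns = "$env:SystemDrive\Users\*\AppData\Local\Temp\$logName",
                "$env:SystemDrive\Documents and Settings\*\Local Settings\Temp\$logName"
    foreach ($p in $patterns) {
        Get-ChildItem -Path $p -Force -ErrorAction SilentlyContinue |
            Select-Object FullName, LastWriteTime, Length
    }
}

function Get-HotfixDllInventory {
    # Every copy of the three DLLs under both Program Files trees, with its version.
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | Select-Object -Unique
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Recurse -Include $dllNames -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Path          = $_.FullName
                    FileVersion   = $_.VersionInfo.FileVersion
                    LastWriteTime = $_.LastWriteTime
                }
            }
    }
}

function Test-SharedSignCore {
    # Is AcSignCore16.dll present in the 32-bit shared folder named in the thread?
    if (-not ${env:ProgramFiles(x86)}) { return $null }   # 32-bit OS: not applicable
    Test-Path (Join-Path ${env:ProgramFiles(x86)} 'Common Files\Autodesk Shared\AcSignCore16.dll')
}

$logs = @(Get-HotfixLog)
$dlls = @(Get-HotfixDllInventory)
"{0}: {1} hotfix log(s), {2} DLL copies, shared AcSignCore16.dll present: {3}" -f `
    $env:COMPUTERNAME, $logs.Count, $dlls.Count, (Test-SharedSignCore)
$logs | Format-Table -AutoSize
$dlls | Sort-Object Path | Format-Table Path, FileVersion, LastWriteTime -AutoSize
```

A log file only shows that the script ran under that user account; compare each reported FileVersion against the conversion table in Hotfix.vbs to decide whether a given copy was actually replaced.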

Message 7 of 8
OBERDACKER
in reply to: m_latz

I did see your earlier post. I extracted the files and noticed it created a log file but, apparently, didn't look hard enough to notice where it put that log file. I'll just copy the log file for my records and I'll be set. Thanks for your help and sorry I didn't realize this before posting. Still it would be nice to have the log file mentioned in the documentation instead of me having to search the discussion groups. I'm glad I found your post though and thanks again for the help.

Message 8 of 8
m_latz
in reply to: OBERDACKER

no problem 🙂
