AD2051: CheckMinimumLibraryVersions

Summary

| Property | Value |
|----------|-------|
| ID | AD2051 |
| Name | CheckMinimumLibraryVersions |
| Category | Security |
| Severity | Warning |
| Applies to | PE (Windows) |

Description

PE binaries should link against minimum versions of system libraries that include important security fixes.

How It Works

The rule checks:

  1. Version requirements in the import table
  2. Manifest requirements for DLL versions
  3. Known minimum versions for security features

Why This Matters

Older library versions may lack critical security features or contain known vulnerabilities.

Critical Library Versions

| Library | Minimum Version | Security Feature |
|---------|-----------------|------------------|
| msvcrt | VS 2015+ | /GS improvements |
| kernel32 | Windows 8+ | CFG support |
| ntdll | Windows 10+ | Enhanced ASLR |
| ucrtbase | 10.0.17763+ | Security fixes |

Version-Gated Security

| Feature | Requires |
|---------|----------|
| Control Flow Guard | Windows 8.1+ |
| High-entropy ASLR | Windows 8+ |
| CET Shadow Stack | Windows 10 20H1+ |
| Export Suppression | Windows 10 RS3+ |
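
As an added illustration (not the rule's own implementation), the following Python reads the minimum subsystem version a PE image declares in its optional header and lists the features from the table above that this declared minimum OS does not guarantee. The names `FEATURE_GATES`, `declared_min_os`, `features_not_guaranteed` and `make_sample_pe` are hypothetical, and the mapping of Windows releases to version and build numbers (8 = 6.2, 8.1 = 6.3, RS3 = build 16299, 20H1 = build 19041) is an assumption of the example.

```python
import struct

# Feature gates from the table above, as (major, minor, build).
# Assumed mapping: Windows 8 = 6.2, 8.1 = 6.3, RS3 = build 16299, 20H1 = build 19041.
FEATURE_GATES = {
    "Control Flow Guard": (6, 3, 0),
    "High-entropy ASLR": (6, 2, 0),
    "CET Shadow Stack": (10, 0, 19041),
    "Export Suppression": (10, 0, 16299),
}

def declared_min_os(pe: bytes) -> tuple:
    """Return (major, minor) subsystem version from the PE optional header."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    opt = e_lfanew + 24  # 4-byte signature + 20-byte COFF header
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(pe) < opt + 52:
        raise ValueError("missing or truncated PE header")
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # Major/MinorSubsystemVersion sit at offsets 48/50 in both PE32 and PE32+.
    return struct.unpack_from("<HH", pe, opt + 48)

def features_not_guaranteed(pe: bytes) -> list:
    """Features whose OS gate is newer than the oldest OS the image declares."""
    major, minor = declared_min_os(pe)
    # The header carries no build number, so build-gated features
    # are never guaranteed by the declared version alone.
    floor = (major, minor, 0)
    return sorted(name for name, gate in FEATURE_GATES.items() if gate > floor)

def make_sample_pe(major: int, minor: int) -> bytes:
    """Constructed header-only PE32+ stub (sample input, not a loadable binary)."""
    image = bytearray(0x40 + 24 + 112)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)        # e_lfanew
    image[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", image, 0x40 + 24, 0x20B)  # PE32+ magic
    struct.pack_into("<HH", image, 0x40 + 24 + 48, major, minor)
    return bytes(image)

if __name__ == "__main__":
    for ver in [(6, 0), (6, 3), (10, 0)]:
        print(ver, features_not_guaranteed(make_sample_pe(*ver)))
```

With MSVC the subsystem version is set by the linker's /SUBSYSTEM option, not by _WIN32_WINNT, so it needs to be checked separately from the compile-time define.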

Compatibility Trade-offs

| Target | Security | Reach |
|--------|----------|-------|
| Windows 7 | Limited | Wider |
| Windows 10 | Better | Narrower |
| Windows 11 | Best | Newest |

Runtime Manifest

<dependency>
  <dependentAssembly>
    <assemblyIdentity
      type="win32"
      name="Microsoft.Windows.Common-Controls"
      version="6.0.0.0"/>
  </dependentAssembly>
</dependency>

Resolution

Target minimum OS versions that support required security features:

# Set minimum Windows version
add_definitions(-D_WIN32_WINNT=0x0A00)  # Windows 10

# Link against modern runtime
set(CMAKE_MSVC_RUNTIME_LIBRARY "MultiThreaded$<$<CONFIG:Debug>:Debug>DLL")

Visual Studio Settings

<!-- In project file -->
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
<PlatformToolset>v143</PlatformToolset>