Date: Wed, 10 Jul 2013 16:41:20 -0400
From: sec <sec@...tsploit.me>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: VULNERABLE (3rd party) components in Adobe
 Reader 11.0.03, and dangling reference to Acrobat.exe

While the detail is satisfying, I think this could all be filed under a
single CVE entitled "Almost all Windows software ships outdated MSVC and
other Microsoft runtime components in direct contravention of the
license."

I gave up trying to report this sort of thing back with Dropbox, years
ago, when I pointed out that possibly Python 2.5 wasn't the best version
to ship with the Windows client. To their credit, one of the developers
blew me off within scant minutes, which is an almost unprecedented
response time for security issues.

Still, if you're interested in outdated MSVC components, I suggest
Cyberlink PowerDVD (
http://www.cyberlink.com/products/powerdvd-ultra/features_en_US.html ).
On my last examination, it shipped multiple, internally redundant
versions of MSVC6, 7, 8, and 9. It probably includes outdated MSVC10 DLLs
by now, too.


PS: Most applications seem to include thoroughly outdated Windows
components for extra credit; such as UNICOWS.DLL--very common--or old
DirectX components. I'm reasonably certain that redistributing core
Windows DLLs has always been in contravention of the Windows licenses.

On 2013-07-10 17:21:48 (+0200), Stefan Kanthak wrote:
> Hi @ll,
> 
> the current Adobe Reader 11.0.03 installs the following VULNERABLE (3rd party)
> components:
