Date: Mon, 31 Aug 2009 18:42:53 +0200
From: "Stefan Kanthak" <>
To: <>, <>
Cc: <>,
	"Microsoft Security Response Center" <>
Subject: Vulnerable MSVC++ runtime distributed with 3.1.1 for Windows

The just released latest version of 3.1.1 for Windows
distributes (once again) a completely outdated and vulnerable MSVC++

The unpacked installation archive contains in subdirectory \REDIST\
the installer of the "Microsoft Visual C++ 2008 Redistributable",
VCRedist_x86.exe, time stamp 2009-01-19, version 9.0.21022.8.

This file was digitally signed by "Microsoft Corporation" on 2007-11-07,
i.e. it contains the initial release of the VC++ 2008 runtime.

But this runtime has been updated several times since its first
release; the last update was published just a month ago: see
<> as well as
for the current version and
as well as
for the previous updates.

Fortunately the eventually installed outdated VC++ runtime will be
updated by the "Automatic Updates" feature of Windows with the hotfix
MS09-035 alias KB973551, IFF the Windows administrator has opted in
to "Microsoft Update".
If not, all users of (as well as other poorly crafted
software which distributes outdated 3rd-party DLLs) are put at risk!

Stefan Kanthak
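
One way to audit an unpacked installation archive for the condition this message reports, added here as an example and not part of the original post: it reads the file version from the VS_FIXEDFILEINFO block of each bundled `vcredist*.exe` and flags anything at or below 9.0.21022.8, the initial release named above. The function names, the file-name pattern and the `sample_image` test data are assumptions of this example; a result of "newer" only means later than the initial release, so pass the currently required version as `baseline` to check against a specific update.

```python
import os
import struct

# VS_FIXEDFILEINFO.dwSignature as stored (little-endian) in a PE version resource
SIGNATURE = struct.pack("<I", 0xFEEF04BD)
# File version the message reports for the bundled installer (initial VC++ 2008 release)
INITIAL_RELEASE = (9, 0, 21022, 8)


def file_version(data):
    """Return the 4-part file version from the first VS_FIXEDFILEINFO found, or None.

    Heuristic: scans for the signature instead of walking the resource tree, so it
    assumes the installer's own version resource precedes any embedded payload.
    """
    pos = data.find(SIGNATURE)
    if pos < 0 or pos + 16 > len(data):  # signature, dwStrucVersion, MS, LS
        return None
    _struc, ms, ls = struct.unpack_from("<III", data, pos + 4)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def classify(data, baseline=INITIAL_RELEASE):
    """'outdated' if version <= baseline, 'newer' if above, 'unknown' if unreadable."""
    version = file_version(data)
    if version is None:
        return "unknown"
    return "outdated" if version <= baseline else "newer"


def scan(root):
    """Walk root and report (path, version, status) for every vcredist*.exe found."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().startswith("vcredist") and name.lower().endswith(".exe"):
                path = os.path.join(folder, name)
                with open(path, "rb") as fh:
                    data = fh.read()
                findings.append((path, file_version(data), classify(data)))
    return findings


def sample_image(version):
    """Constructed stand-in for an installer: padding plus a minimal VS_FIXEDFILEINFO."""
    a, b, c, d = version
    fixed = struct.pack("<IIII", 0xFEEF04BD, 0x00010000, (a << 16) | b, (c << 16) | d)
    return b"MZ" + b"\0" * 62 + fixed + b"\0" * 36
```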
