lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <07023033776445C4B1014A5E9F806910@localhost>
Date: Fri, 2 Nov 2012 14:18:11 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: <full-disclosure@...ts.grok.org.uk>
Subject: Vulnerable MSVC++ 2008 runtime libraries distributed with and installed by eM client

Hi @ll,

<http://www.emclient.com/dist/latest/setup.msi>, an e-mail client
for Windows, distributed with SoftMaker Office 2010 Professional
for example, contains and installs the following deprecated and
VULNERABLE Microsoft Visual C++ 2008 Runtime DLLs:

- msvcm9032File  ->  MSVCM90.DLL version 9.0.21022.8 from 2007-11-07
- msvcm9064File  ->  MSVCM90.DLL version 9.0.21022.8 from 2007-11-07
- msvcr9032File  ->  MSVCR90.DLL version 9.0.21022.8 from 2007-11-07
- msvcr9064File  ->  MSVCR90.DLL version 9.0.21022.8 from 2007-11-07

These DLLs have been updated several times since 2007-11-07, for their
current version cf. <http://support.microsoft.com/kb/2467174>,
<http://support.microsoft.com/kb/2538243> and
<http://technet.microsoft.com/security/bulletin/MS11-025>


To make things worse: instead of using the redistributable MSVC++ 2008
runtime eM Client makes another mistake and installs these libraries
below the applications directory, where they are NOT detected by Windows
Update Agent and thus never get updated to their current or any future
fixed versions.
Cf. <http://support.microsoft.com/kb/835322>


Timeline:
~~~~~~~~~

2012-10-02    vendor informed

              no reaction from vendor

2012-11-02    report published


Stefan Kanthak

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ