lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <A382BE6E527A4B38B7808382E5CB921C@W340>
Date: Wed, 5 Aug 2015 22:26:53 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: "bugtraq" <bugtraq@...urityfocus.com>
Cc: "fulldisclosure" <fulldisclosure@...lists.org>
Subject: Vulnerable MSVC++ runtime distributed with LibreOffice 5.0.0 for Windows

Hi @ll,

the just released latest version 5.0.0.5 of LibreOffice.org for Windows
distributes (once again) a completely outdated and vulnerable MSVC++
runtime.

The installer package LibreOffice_5.0.0_Win_x86.msi contains the files

    msvcp80.dll 8.0.50727.42
    msvcr80.dll 8.0.50727.42
    Microsoft.VC80.CRT.manifest 8.0.50727.42

of the initial/RTM release of the MSVC++ Runtime 2005.

These DLLs have been updated serveral times since their initial release:
<https://support.microsoft.com/kb/919588>
<https://support.microsoft.com/kb/923610>
<https://support.microsoft.com/kb/932391>
<https://support.microsoft.com/kb/932392>
<https://support.microsoft.com/kb/954695>
<https://support.microsoft.com/kb/969706>
<https://technet.microsoft.com/security/ms09-035>
<https://support.microsoft.com/kb/973544>
<https://support.microsoft.com/kb/973882>
<https://support.microsoft.com/kb/2467175>
<https://support.microsoft.com/kb/2500212>
<https://technet.microsoft.com/security/ms11-025>
<https://support.microsoft.com/kb/2538242>

For general guidelines see <https://support.microsoft.com/kb/326922>

Since the libraries are installed in the application's own directory
they are NOT detected by "Windows Update Agent" (or tools like
"Secunia Personal Inspector") and are therefore NOT updated via
Windows/Microsoft update!

This is a well known problem, see <https://support.microsoft.com/kb/835322>,
but apparently LibreOffice.org doesn't seem to care!
I reported this error SEVERAL times in the past, for example see
<http://seclists.org/fulldisclosure/2009/Sep/0>

JFTR: Windows Vista and later include NEWER versions of these DLLs,
      there is absolutely no need to redistribute an ancient version
      in your product at all (especially after Windows XP and 2003
      have reached end-of-life)!

stay tuned
Stefan Kanthak

Powered by blists - more mailing lists