Open Source and information security mailing list archives
Message-ID: <7343EE015F9143CEB2A71811617A090C@localhost>
Date: Sat, 26 Jun 2010 16:29:29 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Nuance OmniPage 16 Professional installs multiple vulnerable Microsoft runtime libraries

Nuance Communications, Inc. offer on their German web page
<http://www.nuance.de/kostenlose-ocr-software-test/download.asp>
a trial version of OmniPage 16 Professional for download.

The installer OPPro16_TD.exe (a self-extracting RAR archive) was
published "Tue, 30 Jun 2009 14:38:28 GMT" (according to its HTTP
time stamp); unpacking reveals a BUILD.ID "OP-0861-035-7563.1134"
with time stamp "Tue, 17 Jun 2008 09:51:32".

After installation on a fully patched Windows XP with Service Pack 3
the following vulnerable Microsoft runtime libraries are found:

1. %SystemRoot%\SYSTEM32\GDIPLUS.DLL 5.1.3097 2001-06-15 21:00

   GDIPLUS.DLL has been patched several times since 2001, see
   <http://www.microsoft.com/technet/security/bulletin/MS08-052.mspx>
   or <http://support.microsoft.com/kb/954593/en-us> for the current
   version, 5.1.3102.5581 (XP SP3) or 5.1.3102.3352 (XP SP2).

   MALUS #1:
     since GDIPLUS.DLL is part of the OS in Windows XP and installed
     in its side-by-side cache, a 3rd party vendor MUST NOT install a
     GDIPLUS.DLL into the system directory.
     See <http://support.microsoft.com/kb/835322/en-us> and
     <http://msdn.microsoft.com/en-us/library/ms995328.aspx>

   MALUS #2:
     the current version was available when the installer was published!


2. %SystemRoot%\SYSTEM32\CAPICOM.DLL 2.0.0.1 2003-10-28 12:24

   CAPICOM.DLL has been patched several times since 2003, see
   <http://www.microsoft.com/technet/security/bulletin/MS07-028.mspx>
   or <http://support.microsoft.com/kb/931906/en-us> for the current
   version, 2.1.0.2.

   MALUS #1:
     the installer is brain-dead, it overwrites a newer version of
     CAPICOM.DLL if this already exists in %SystemRoot%\SYSTEM32\!

   MALUS #2:
     the current version was available when the installer was built!

   MALUS #3:
     the installer does not detect a properly installed current
     version of CAPICOM.DLL in its default location
     "%ProgramFiles%\Microsoft CAPICOM 2.1.0.2\Lib\X86\CAPICOM.DLL".

     Registration of the older library over the newer one creates a
     mess with the registered interfaces which will lead to arbitrary
     program errors in applications that use interfaces which had
     been registered by the newer CAPICOM.DLL when called after
     interfaces now registered by the older CAPICOM.DLL.


3. %SystemRoot%\SYSTEM32\MSXML4.DLL  40.10.9404.0 2002-04-02 02:52
   %SystemRoot%\SYSTEM32\MSXML4R.DLL 40.10.9404.0 2002-04-02 02:43

   This is MSXML 4 Service Pack 1, which has been updated several
   times since 2002, see
   <http://www.microsoft.com/technet/security/bulletin/MS08-069.mspx>
   or <http://support.microsoft.com/kb/954430/en-us> as well as
   <http://support.microsoft.com/kb/973685/en-us> for the current
   version, MSXML 4 Service Pack 3.

   MALUS #1:
     the installer is brain-dead, it overwrites newer versions of
     MSXML4*.DLL if these already exist in %SystemRoot%\SYSTEM32\!

   MALUS #2:
     although the current version was not available when the installer
     was published, a newer version than included was available when
     the installer was built, see
     <http://www.microsoft.com/downloads/details.aspx?familyid=3144B72B-B4F2-46DA-B4B6-C5D7485F2B42&displaylang=en>



Timeline:

2010-06-07  vendor informed per mail (multiple recipients)

2010-06-08  several automatic delivery receipts

2010-06-16  no human reply; 2nd try, vendor informed again

2010-06-17  human reply, promising to forward to responsible team

2010-06-26  no reaction; disclosure


Who cares about software engineering and the build process at Nuance?
Who cares about security of customer systems at Nuance?


Stefan Kanthak
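The check described in the advisory above, as an added example that is not part of the original post and not Nuance's or Microsoft's code: a PowerShell script that inspects the three Microsoft runtime libraries the post names in %SystemRoot%\SYSTEM32 and compares their file versions with the "current" versions the post cites (GDIPLUS.DLL 5.1.3102.5581 for XP SP3, CAPICOM.DLL 2.1.0.2). The post gives no file version for MSXML 4 Service Pack 3, so the 4.30.0.0 threshold for MSXML4*.DLL is an assumption, as are the function names, the known-bad list (taken from the versions the post found) and the use of the CAPICOM.Store ProgID to find out which CAPICOM.DLL is actually registered as COM server. Requires PowerShell 3 or later.

```powershell
# Added example, not from the original post. Run in an elevated prompt on a
# machine where the OmniPage installer has been run.

$system32 = Join-Path $env:SystemRoot 'SYSTEM32'

# Minimum acceptable versions. GDIPLUS and CAPICOM values are the ones the
# post quotes (MS08-052/KB954593 for XP SP3, MS07-028/KB931906). The post only
# names "MSXML 4 SP3" for MSXML4*.DLL; 4.30.0.0 is an ASSUMED threshold.
$minimum = [ordered]@{
    'GDIPLUS.DLL' = [version]'5.1.3102.5581'
    'CAPICOM.DLL' = [version]'2.1.0.2'
    'MSXML4.DLL'  = [version]'4.30.0.0'    # assumption, see above
    'MSXML4R.DLL' = [version]'4.30.0.0'    # assumption, see above
}

# Versions the post reports the installer dropping; flagged regardless of
# how they compare numerically (the post lists MSXML4 as "40.10.9404.0",
# which a plain "less than" check would not catch).
$knownBad = @{
    'GDIPLUS.DLL' = @([version]'5.1.3097.0')
    'CAPICOM.DLL' = @([version]'2.0.0.1')
    'MSXML4.DLL'  = @([version]'40.10.9404.0')
    'MSXML4R.DLL' = @([version]'40.10.9404.0')
}

function Get-FileVersionObject {
    param([string]$Path)
    # Build System.Version from the numeric parts; the FileVersion string
    # often carries trailing text such as "(xpsp_sp3_gdr.080814-1233)".
    $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

function Test-RuntimeLibrary {
    param([string]$Name, [version]$Minimum, [version[]]$Bad)
    $path = Join-Path $system32 $Name
    if (-not (Test-Path $path)) {
        return [pscustomobject]@{ File = $Name; Installed = $null; Minimum = $Minimum; Status = 'absent' }
    }
    $installed = Get-FileVersionObject $path
    $status = if (($installed -lt $Minimum) -or ($Bad -contains $installed)) { 'VULNERABLE' } else { 'ok' }
    # KB835322: on XP, GDIPLUS.DLL belongs in the side-by-side cache
    # (%SystemRoot%\WinSxS). Any copy in SYSTEM32 is a third-party drop,
    # even if its version happens to be current.
    if ($Name -ieq 'GDIPLUS.DLL') { $status += ' (must not be in SYSTEM32 at all)' }
    [pscustomobject]@{ File = $Name; Installed = $installed; Minimum = $Minimum; Status = $status }
}

$results = foreach ($name in $minimum.Keys) {
    Test-RuntimeLibrary -Name $name -Minimum $minimum[$name] -Bad $knownBad[$name]
}
$results | Format-Table -AutoSize

# The post notes that a current CAPICOM may sit under Program Files while
# the installer still drops the old one into SYSTEM32; report that copy too.
$capicomSdk = Join-Path ${env:ProgramFiles} 'Microsoft CAPICOM 2.1.0.2\Lib\X86\CAPICOM.DLL'
if (Test-Path $capicomSdk) {
    "CAPICOM SDK copy: $capicomSdk -> $(Get-FileVersionObject $capicomSdk)"
}

# Which CAPICOM.DLL is registered as COM server? Resolving a CAPICOM ProgID
# (CAPICOM.Store, assumed here) to its InprocServer32 shows whether the old
# SYSTEM32 copy has been registered over the newer one.
$progIdKey = 'HKLM:\SOFTWARE\Classes\CAPICOM.Store\CLSID'
if (Test-Path $progIdKey) {
    $clsid  = (Get-ItemProperty $progIdKey).'(default)'
    $server = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32").'(default)'
    "Registered CAPICOM COM server: $server"
}
```

A library reported as VULNERABLE or as a GDIPLUS.DLL present in SYSTEM32 should be removed or updated through the corresponding Microsoft update rather than by hand-copying a newer DLL over it; the COM server path is the quickest way to confirm the interface mix-up the post describes for CAPICOM.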
