Message-Id: <1373488880.30567.140661254199978.55F3B82A@webmail.messagingengine.com>
Date: Wed, 10 Jul 2013 16:41:20 -0400
From: sec <sec@...tsploit.me>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: VULNERABLE (3rd party) components in Adobe Reader 11.0.03, and dangling reference to Acrobat.exe

While the detail is satisfying, I think this could all be filed under a single CVE entitled "Almost all Windows software ships outdated MSVC and other Microsoft runtime components in direct contravention of the license."

I gave up trying to report this sort of thing back with Dropbox, years ago, when I pointed out that possibly Python 2.5 wasn't the best version to ship with the Windows client. To their credit, one of the developers blew me off within scant minutes, which is an almost unprecedented response time for security issues.

Still, if you're interested in outdated MSVC components, I suggest Cyberlink PowerDVD ( http://www.cyberlink.com/products/powerdvd-ultra/features_en_US.html ). On my last examination, it shipped multiple, internally redundant versions of MSVC6, 7, 8, and 9. It probably includes outdated MSVC10 DLLs by now, too.

PS: Most applications seem to include thoroughly outdated Windows components for extra credit; such as UNICOWS.DLL--very common--or old DirectX components. I'm reasonably certain that redistributing core Windows DLLs has always been in contravention of the Windows licenses.

On 2013-07-10 17:21:48 (+0200), Stefan Kanthak wrote:
> Hi @ll,
>
> the current Adobe Reader 11.0.03 installs the following VULNERABLE (3rd party)
> components:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/