BugTraq
Vulnerable, superfluous/outdated/deprecated/superseded 3rd party OCXs and DLLs distributed by and installed with Dataram RamDisk 4.0.0 Nov 06 2012 03:41PM
Stefan Kanthak (stefan kanthak nexgo de)
Hi @ll,

the recently released RamDisk 4.0.0 from Dataram Inc.,
<http://memory.dataram.com/products-and-services/software/ramdisk>
(formerly known as Cenatek RamDisk) comes with several vulnerable and
some superfluous as well as outdated/deprecated/superseded 3rd party
OCXs and DLLs from Microsoft.

1. TABCTL32.OCX version 6.1.97.82 from 2004-03-09
COMDLG32.OCX version 6.1.97.82 from 2004-07-14
MSCOMCT2.OCX version 6.1.97.82 from 2004-03-08
MSCOMCTL.OCX version 6.1.98.18 from 2009-12-19

are all vulnerable, deprecated and have been superseded several
times since their release.
Cf. <http://support.microsoft.com/kb/957924>,
<http://support.microsoft.com/kb/926857> and
<http://technet.microsoft.com/security/bulletin/MS08-070>,
<http://support.microsoft.com/kb/2641426>,
<http://support.microsoft.com/kb/2664258> and
<http://technet.microsoft.com/security/bulletin/MS12-027>,
<http://support.microsoft.com/kb/2708437> and
<http://technet.microsoft.com/security/bulletin/MS12-060>

Additionally these files are installed in the applications directory,
not the Windows "System" directory.

This prevents Windows Update from detecting and updating vulnerable
and deprecated/superseded libraries (and fixing YOUR errors) now, and
in the future too.
Cf. <http://support.microsoft.com/kb/835322>

To make things even worse, these application-local installed OCX are
registered system-global, overwriting the existing registration of
the current versions of these OCX installed elsewhere, and thus
propagate their vulnerabilities and errors to any other application
using these OCX.

2. COMCAT.DLL version 4.71.1460.1 from 1999-06-01
OLEAUT32.DLL version 2.40.4275.1 from 1999-03-08
OLEAUT32.DLL version 2.40.4275.1 from 2000-04-12
OLEPRO32.DLL version 5.0.4275.1 from 1999-03-08
STDOLE2.TLB version 2.40.4275.1 from 1999-06-03

are all superfluous, outdated/deprecated/superseded and vulnerable too.

Cf. <http://support.microsoft.com/kb/2476490> and
<http://technet.microsoft.com/security/bulletin/MS11-038>

Additionally these files are part of ALL supported Windows versions
and MUST NOT be redistributed since Windows 2000!

Cf. <http://msdn.microsoft.com/en-us/library/4kbye0ax.aspx>

| If these DLLs are not available in the target system, you need to
| get them updated through the PRESCRIBED mechanism for updating the
~~~~~~~~~~
| corresponding operating system.

or cf. <http://support.microsoft.com/kb/831491>

| Remove the commonly redistributed system files from the setup
| package

3. MSVBVM60.DLL version 6.0.97.82 from 2004-02-23

is superfluous and outdated/deprecated/superseded.

A newer version of this file is part of ALL supported Windows
versions!
Cf. <http://support.microsoft.com/kb/314720>

Timeline:
~~~~~~~~~

2010-06-28 vendor informed (for v3.5.20 of their "product")

no reaction from vendor

2012-10-06 vendor informed (for v4.0.0 of their "product")

no reaction from vendor

2012-11-06 report published

Recommendation:
~~~~~~~~~~~~~~~

Stay away from products of vendors/companies who dont follow even the
most basic principles of software engineering!

Stefan Kanthak

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus