BugTraq
Essential PIM 4.22: MANY vulnerabilities in 3rd party libraries Jun 17 2011 12:17AM
Stefan Kanthak (stefan kanthak nexgo de)
Hi @ll,

the current version of Essential PIM 4.22, available at
<http://www.astonsoft.com/epim_download/EssentialPIMPort4.zip>
with HTTP timestamp "Wed, 15 Jun 2011 13:20:12 GMT", comes with
VULNERABLE and COMPLETELY outdated 3rd party runtime libraries!

1. libeay32.dll and ssleay32.dll of OpenSSL 0.9.8i, from 2008-09-15

updated 8 times due to fixed vulnerabilities, current release is
0.9.8r; see <http://openssl.org/news/> and
<http://openssl.org/news/vulnerabilities.html>

2. msvcrt80.dll version 8.0.50727.42, from 2005-09-23

updated at least twice due to fixed vulnerabilities; see
<http://support.microsoft.com/kb/973544>,
<http://support.microsoft.com/kb/969706> and
<http://www.microsoft.com/technet/security/bulletin/MS09-035.mspx>
plus
<http://support.microsoft.com/kb/2467175>,
<http://support.microsoft.com/kb/2500212> and
<http://www.microsoft.com/technet/security/bulletin/MS11-025.mspx>.

For general guidelines see <http://support.microsoft.com/kb/326922>

3. gds32.dll of FirebirdSQL 2.1.2.18118, from 2009-02-28

updated at least once due to fixed vulnerabilities, current
release is 2.1.4; see <http://firebirdsql.org/>

4. icudt30.dll and icuuc30.dll 3.0.0.0, from 2009-02-27

updated quite some times and superseded with version 4 due to
fixed vulnerabilities:
CVE-2007-4770 CVE-2007-4771 CVE-2008-1036 CVE-2009-0153

current release is 4.8; see <http://site.icu-project.org/>

5. hunspelldll.dll <unknown version>, from 2009-06-26

current release is 1.3.1; see <http://hunspell.sourceforge.net/>

It needs REAL chuzpe to build and distribute software with those
vulnerable and outdated libraries (and most probably a vulnerable
and outdated development environment too).

Timeline:

2011-05-28 vulnerability report sent to vendor after release of v4.21

2011-05-30 vendor reply:
"We'll update them in the next version. Thanks for notice."

2011-06-15 vendor releases v4.22 with EXACT the same vulnerable libraries
already included in v4.21
vendor obviously doesn't care about security at all!

2011-06-17 vulnerability report published

Stefan Kanthak

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus