Back to list
Vulnerable MSVC++ 2008 runtime libraries distributed with and installed by Ogg DirectShow filters
Oct 03 2012 08:08PM
Stefan Kanthak (stefan kanthak nexgo de)
the Ogg DirectShow filters available from <http://www.xiph.org/dshow/>
are distributed with and install vulnerable MSVC++ 2008 runtime libraries
To make things worse, the vulnerable libraries are NOT installed as
side-by-side components below %SystemRoot%\WinSxS\, but as private
components in the applications directory, where they are not detected
and not updated by tools like Windows Update Agent or Secunia PSI.
Additionally, the installer places the 64-bit components into the
wrong path "%ProgramFiles(x86)%\Xiph.org\OpenCodecs\x64\".
Delete all MSVC?.DLL installed with the Ogg DirectShow filters
in "%ProgramFiles(x86)%\Xiph.org\OpenCodecs\" and
2010-05-23 informed maintainer about errors and problems in
2010-05-25 maintainer replied "will have a look"
2010-07-21 maintainer released version 0.84.17338
2010-07-21 informed maintainer about problems still not fixed
2011-01-12 maintainer released "current" version 0.85.17777
2012-03-08 asked maintainer for a fix for the vulnerable MSVCRT
2012-03-09 maintainer replied "planning update before easter"
2012-10-03 report published
[ reply ]
Copyright 2010, SecurityFocus