Full Disclosure mailing list archives

Vulnerable, superfluous/outdated/deprecated/superseded 3rd party OCXs and DLLs distributed by and installed with Dataram RamDisk 4.0.0


From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Tue, 6 Nov 2012 16:41:21 +0100

Hi @ll,

the recently released RamDisk 4.0.0 from Dataram Inc.,
<http://memory.dataram.com/products-and-services/software/ramdisk>
(formerly known as Cenatek RamDisk) comes with several vulnerable and
some superfluous as well as outdated/deprecated/superseded 3rd party
OCXs and DLLs from Microsoft.

1. TABCTL32.OCX   version 6.1.97.82 from 2004-03-09
   COMDLG32.OCX   version 6.1.97.82 from 2004-07-14
   MSCOMCT2.OCX   version 6.1.97.82 from 2004-03-08
   MSCOMCTL.OCX   version 6.1.98.18 from 2009-12-19

   are all vulnerable, deprecated and have been superseded several
   times since their release.
   Cf. <http://support.microsoft.com/kb/957924>,
   <http://support.microsoft.com/kb/926857> and
   <http://technet.microsoft.com/security/bulletin/MS08-070>,
   <http://support.microsoft.com/kb/2641426>,
   <http://support.microsoft.com/kb/2664258> and
   <http://technet.microsoft.com/security/bulletin/MS12-027>,
   <http://support.microsoft.com/kb/2708437> and
   <http://technet.microsoft.com/security/bulletin/MS12-060>


   Additionally these files are installed in the applications directory,
   not the Windows "System" directory.

   This prevents Windows Update from detecting and updating vulnerable
   and deprecated/superseded libraries (and fixing YOUR errors) now, and
   in the future too.
   Cf. <http://support.microsoft.com/kb/835322>


   To make things even worse, these application-local installed OCX are
   registered system-global, overwriting the existing registration of
   the current versions of these OCX installed elsewhere, and thus
   propagate their vulnerabilities and errors to any other application
   using these OCX.


2. COMCAT.DLL     version 4.71.1460.1 from 1999-06-01
   OLEAUT32.DLL   version 2.40.4275.1 from 1999-03-08
   OLEAUT32.DLL   version 2.40.4275.1 from 2000-04-12
   OLEPRO32.DLL   version 5.0.4275.1  from 1999-03-08
   STDOLE2.TLB    version 2.40.4275.1 from 1999-06-03

   are all superfluous, outdated/deprecated/superseded and vulnerable too.

   Cf. <http://support.microsoft.com/kb/2476490> and
   <http://technet.microsoft.com/security/bulletin/MS11-038>


   Additionally these files are part of ALL supported Windows versions
   and MUST NOT be redistributed since Windows 2000!

   Cf. <http://msdn.microsoft.com/en-us/library/4kbye0ax.aspx>

   | If these DLLs are not available in the target system, you need to
   | get them updated through the PRESCRIBED mechanism for updating the
                                  ~~~~~~~~~~
   | corresponding operating system. 

   or cf. <http://support.microsoft.com/kb/831491>

   | Remove the commonly redistributed system files from the setup
   | package


3. MSVBVM60.DLL   version 6.0.97.82 from 2004-02-23

   is superfluous and outdated/deprecated/superseded.

   A newer version of this file is part of ALL supported Windows
   versions!
   Cf. <http://support.microsoft.com/kb/314720>
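   As an added, read-only check (example code, not part of this advisory or
   of any Dataram product), the following PowerShell snippet lists every
   CLSID whose InprocServer32 points at one of the files named in items 1
   to 3, the path it is registered from, whether that path lies outside the
   Windows system directory (i.e. an application-local copy registered
   system-globally, as described in item 1), and the file version of both
   the registered copy and the system copy. It assumes the 32-bit servers
   live in SysWOW64 on 64-bit Windows and in System32 on 32-bit Windows.

```powershell
# Added example: find system-global COM registrations that point at
# application-local copies of the OCX/DLL files named in the advisory.
$names = 'TABCTL32.OCX','COMDLG32.OCX','MSCOMCT2.OCX','MSCOMCTL.OCX',
         'COMCAT.DLL','OLEAUT32.DLL','OLEPRO32.DLL','MSVBVM60.DLL'

# 32-bit COM servers: SysWOW64 + Wow6432Node on 64-bit Windows,
# System32 + plain CLSID hive on 32-bit Windows (assumption for this check).
$is64 = [Environment]::Is64BitOperatingSystem
$sysDir = if ($is64) { "$env:windir\SysWOW64" } else { "$env:windir\System32" }
$clsidRoots = @('HKLM:\SOFTWARE\Classes\CLSID')
if ($is64) { $clsidRoots += 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID' }

function Get-FileVer([string]$path) {
    if (Test-Path -LiteralPath $path) {
        (Get-Item -LiteralPath $path).VersionInfo.FileVersion
    } else { '(missing)' }
}

$clsidRoots | ForEach-Object {
    Get-ChildItem -Path $_ -ErrorAction SilentlyContinue | ForEach-Object {
        # The default value of InprocServer32 holds the server's path.
        $srvKey = Join-Path $_.PSPath 'InprocServer32'
        $server = (Get-ItemProperty -LiteralPath $srvKey -ErrorAction SilentlyContinue).'(default)'
        if (-not $server) { return }
        $server = [Environment]::ExpandEnvironmentVariables($server.Trim('"'))
        $leaf = Split-Path -Leaf $server
        if ($names -notcontains $leaf.ToUpperInvariant()) { return }
        $inSystem = $server.StartsWith($sysDir, [StringComparison]::OrdinalIgnoreCase)
        [pscustomobject]@{
            CLSID             = $_.PSChildName
            File              = $leaf
            RegisteredPath    = $server
            RegisteredVersion = Get-FileVer $server
            SystemVersion     = Get-FileVer (Join-Path $sysDir $leaf)
            AppLocal          = -not $inSystem   # $true = registered from outside $sysDir
        }
    }
} | Sort-Object File, CLSID | Format-Table -AutoSize
```

   Any row with AppLocal set to $true and a RegisteredVersion lower than
   SystemVersion is a registration that shadows the copy Windows Update
   maintains.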




Timeline:
~~~~~~~~~


2010-06-28    vendor informed (for v3.5.20 of their "product")

              no reaction from vendor

2012-10-06    vendor informed (for v4.0.0 of their "product")

              no reaction from vendor

2012-11-06    report published


Recommendation:
~~~~~~~~~~~~~~~

Stay away from products of vendors/companies who don't follow even the
most basic principles of software engineering!


Stefan Kanthak

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
