Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Essential PIM 4.22: MANY vulnerabilities in 3rd party libraries

From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Fri, 17 Jun 2011 02:17:09 +0200
Hi @ll,

the current version of Essential PIM 4.22, available at
<http://www.astonsoft.com/epim_download/EssentialPIMPort4.zip>
with HTTP timestamp "Wed, 15 Jun 2011 13:20:12 GMT", comes with
VULNERABLE and COMPLETELY outdated 3rd party runtime libraries!


1. libeay32.dll and ssleay32.dll of OpenSSL 0.9.8i, from 2008-09-15

   updated 8 times due to fixed vulnerabilities, current release is
   0.9.8r; see <http://openssl.org/news/> and
   <http://openssl.org/news/vulnerabilities.html>


2. msvcrt80.dll version 8.0.50727.42, from 2005-09-23

   updated at least twice due to fixed vulnerabilities; see
   <http://support.microsoft.com/kb/973544>,
   <http://support.microsoft.com/kb/969706> and
   <http://www.microsoft.com/technet/security/bulletin/MS09-035.mspx>
   plus
   <http://support.microsoft.com/kb/2467175>,
   <http://support.microsoft.com/kb/2500212> and
   <http://www.microsoft.com/technet/security/bulletin/MS11-025.mspx>.

   For general guidelines see <http://support.microsoft.com/kb/326922>


3. gds32.dll of FirebirdSQL 2.1.2.18118, from 2009-02-28

   updated at least once due to fixed vulnerabilities, current
   release is 2.1.4; see <http://firebirdsql.org/>


4. icudt30.dll and icuuc30.dll 3.0.0.0, from 2009-02-27

   updated quite some times and superseded with version 4 due to
   fixed vulnerabilities:
   CVE-2007-4770    CVE-2007-4771    CVE-2008-1036    CVE-2009-0153 

   current release is 4.8; see <http://site.icu-project.org/>


5. hunspelldll.dll <unknown version>, from 2009-06-26

   current release is 1.3.1; see <http://hunspell.sourceforge.net/>


It needs REAL chuzpe to build and distribute software with those
vulnerable and outdated libraries (and most probably a vulnerable
and outdated development environment too).


Timeline:

2011-05-28  vulnerability report sent to vendor after release of v4.21

2011-05-30  vendor reply:
            "We'll update them in the next version. Thanks for notice."

2011-06-15  vendor releases v4.22 with EXACT the same vulnerable libraries
            already included in v4.21
            vendor obviously doesn't care about security at all!

2011-06-17  vulnerability report published


Stefan Kanthak
Previous By Date Next
Previous By Thread Next

Current thread: