Full Disclosure mailing list archives
Vulnerable MSVC++ runtime distributed with LibreOffice 5.0.0 for Windows
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Wed, 5 Aug 2015 22:26:53 +0200
Hi @ll, the just released latest version 5.0.0.5 of LibreOffice.org for Windows distributes (once again) a completely outdated and vulnerable MSVC++ runtime. The installer package LibreOffice_5.0.0_Win_x86.msi contains the files msvcp80.dll 8.0.50727.42 msvcr80.dll 8.0.50727.42 Microsoft.VC80.CRT.manifest 8.0.50727.42 of the initial/RTM release of the MSVC++ Runtime 2005. These DLLs have been updated serveral times since their initial release: <https://support.microsoft.com/kb/919588> <https://support.microsoft.com/kb/923610> <https://support.microsoft.com/kb/932391> <https://support.microsoft.com/kb/932392> <https://support.microsoft.com/kb/954695> <https://support.microsoft.com/kb/969706> <https://technet.microsoft.com/security/ms09-035> <https://support.microsoft.com/kb/973544> <https://support.microsoft.com/kb/973882> <https://support.microsoft.com/kb/2467175> <https://support.microsoft.com/kb/2500212> <https://technet.microsoft.com/security/ms11-025> <https://support.microsoft.com/kb/2538242> For general guidelines see <https://support.microsoft.com/kb/326922> Since the libraries are installed in the application's own directory they are NOT detected by "Windows Update Agent" (or tools like "Secunia Personal Inspector") and are therefore NOT updated via Windows/Microsoft update! This is a well known problem, see <https://support.microsoft.com/kb/835322>, but apparently LibreOffice.org doesn't seem to care! I reported this error SEVERAL times in the past, for example see <http://seclists.org/fulldisclosure/2009/Sep/0> JFTR: Windows Vista and later include NEWER versions of these DLLs, there is absolutely no need to redistribute an ancient version in your product at all (especially after Windows XP and 2003 have reached end-of-life)! stay tuned Stefan Kanthak _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Vulnerable MSVC++ runtime distributed with LibreOffice 5.0.0 for Windows Stefan Kanthak (Aug 06)