Hi @ll, <http://www.emclient.com/dist/latest/setup.msi>, an e-mail client for Windows, distributed with SoftMaker Office 2010 Professional for example, contains and installs the following deprecated and VULNERABLE Microsoft Visual C++ 2008 Runtime DLLs:
- msvcm9032File -> MSVCM90.DLL version 9.0.21022.8 from 2007-11-07 - msvcm9064File -> MSVCM90.DLL version 9.0.21022.8 from 2007-11-07 - msvcr9032File -> MSVCR90.DLL version 9.0.21022.8 from 2007-11-07 - msvcr9064File -> MSVCR90.DLL version 9.0.21022.8 from 2007-11-07 These DLLs have been updated several times since 2007-11-07, for their current version cf. <http://support.microsoft.com/kb/2467174>, <http://support.microsoft.com/kb/2538243> and <http://technet.microsoft.com/security/bulletin/MS11-025> To make things worse: instead of using the redistributable MSVC++ 2008 runtime eM Client makes another mistake and installs these libraries below the applications directory, where they are NOT detected by Windows Update Agent and thus never get updated to their current or any future fixed versions. Cf. <http://support.microsoft.com/kb/835322> Timeline: ~~~~~~~~~ 2012-10-02 vendor informed no reaction from vendor 2012-11-02 report published Stefan Kanthak _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
