The "Deutsche Telekom" resp. their "T-Online" branch offer their own home banking software for Windows under <ftp://software.t-online.de/pub/service/banking/banking70.exe> The current release is version 7.00.0004 from 2008-03-17.
This software is but insecure; it installs and uses: - the libraries LIBEAY32.DLL and SSLEAY32.DLL of the completely outdated, unsupported and vulnerable OpenSSL 0.9.6g from 2002-08-19 (see <http://www.openssl.org/news/>); - the library LIBCURL.DLL of the outdated, unsupported and vulnerable cURL 7.14.1 from 2005-09-05 (see <http://curl.haxx.se/libcurl/>); - the libraries xerces-c_2_6.dll and xerces-depdom_2_6.dll of the outdated and unsupported Xerces 2.6 (see <http://xerces.apache.org/xerces-c/releases.html> as well as <http://xerces.apache.org/xerces-c/releases_archive.html>); - the library CM32L7.DLL of vendor "combit GmbH" which has been built with a completely outdated, unsupported and vulnerable ZLIB (see <http://zlib.net/>); - an SSL certifikate container CAcerts.pem with an expired certificate (Validity: not after "Feb 23 23:59:00 2006 GMT"); Two other certificates will expire next week, and another two more in three weeks. To put the icing on the cake: - the software installs without any error message on Windows 2000, although it needs Windows XP or Windows Vista to run (see <http://service.t-online.de/c/12/70/32/44/12703244.html>), and fails to start with error message "Library UXTHEME.DLL missing" after successful installation. The vendor has been informed via its own hotline, its own CERT, its press spokesman for security (the "Deutsche Telekom" is member of the german initiative "Sicher im Netz", see <https://www.sicher-im-netz.de/wir_ueber_uns/146.aspx>) and its security officer, both per mail and phone (where available). Response(s): NONE Reaction(s): NONE Stefan Kanthak PS: <http://service.t-online.de/c/12/70/85/92/12708592.html> states that this software has been evaluated by TUeV Saarland and got their label "TUeV Saarland: Gepruefte Home-Banking Software". Whatever they checked: it wasn't the security of this software! _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/