[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Essential PIM 4.22: MANY vulnerabilities in 3rd party libraries

Hi @ll,

the current version of Essential PIM 4.22, available at
with HTTP timestamp "Wed, 15 Jun 2011 13:20:12 GMT", comes with
VULNERABLE and COMPLETELY outdated 3rd party runtime libraries!

1. libeay32.dll and ssleay32.dll of OpenSSL 0.9.8i, from 2008-09-15

   updated 8 times due to fixed vulnerabilities, current release is
   0.9.8r; see <http://openssl.org/news/> and

2. msvcrt80.dll version 8.0.50727.42, from 2005-09-23

   updated at least twice due to fixed vulnerabilities; see
   <http://support.microsoft.com/kb/969706> and
   <http://support.microsoft.com/kb/2500212> and

   For general guidelines see <http://support.microsoft.com/kb/326922>

3. gds32.dll of FirebirdSQL, from 2009-02-28

   updated at least once due to fixed vulnerabilities, current
   release is 2.1.4; see <http://firebirdsql.org/>

4. icudt30.dll and icuuc30.dll, from 2009-02-27

   updated quite some times and superseded with version 4 due to
   fixed vulnerabilities:
   CVE-2007-4770    CVE-2007-4771    CVE-2008-1036    CVE-2009-0153 

   current release is 4.8; see <http://site.icu-project.org/>

5. hunspelldll.dll <unknown version>, from 2009-06-26

   current release is 1.3.1; see <http://hunspell.sourceforge.net/>

It needs REAL chuzpe to build and distribute software with those
vulnerable and outdated libraries (and most probably a vulnerable
and outdated development environment too).


2011-05-28  vulnerability report sent to vendor after release of v4.21

2011-05-30  vendor reply:
            "We'll update them in the next version. Thanks for notice."

2011-06-15  vendor releases v4.22 with EXACT the same vulnerable libraries
            already included in v4.21
            vendor obviously doesn't care about security at all!

2011-06-17  vulnerability report published

Stefan Kanthak