Home / vulnerabilities eM Client 4 Vulnerable Runtime DLLs
Posted on 03 November 2012
Source : packetstormsecurity.org Link
Hi @ll,
<http://www.emclient.com/dist/latest/setup.msi>, an e-mail client
for Windows, distributed with SoftMaker Office 2010 Professional
for example, contains and installs the following deprecated and
VULNERABLE Microsoft Visual C++ 2008 Runtime DLLs:
- msvcm9032File -> MSVCM90.DLL version 9.0.21022.8 from 2007-11-07
- msvcm9064File -> MSVCM90.DLL version 9.0.21022.8 from 2007-11-07
- msvcr9032File -> MSVCR90.DLL version 9.0.21022.8 from 2007-11-07
- msvcr9064File -> MSVCR90.DLL version 9.0.21022.8 from 2007-11-07
These DLLs have been updated several times since 2007-11-07, for their
current version cf. <http://support.microsoft.com/kb/2467174>,
<http://support.microsoft.com/kb/2538243> and
<http://technet.microsoft.com/security/bulletin/MS11-025>
To make things worse: instead of using the redistributable MSVC++ 2008
runtime eM Client makes another mistake and installs these libraries
below the applications directory, where they are NOT detected by Windows
Update Agent and thus never get updated to their current or any future
fixed versions.
Cf. <http://support.microsoft.com/kb/835322>
Timeline:
~~~~~~~~~
2012-10-02 vendor informed
no reaction from vendor
2012-11-02 report published
Stefan Kanthak
