The "Deutsche Telekom" resp. their "T-Online" branch offer their
own home banking software for Windows under
<ftp://software.t-online.de/pub/service/banking/banking70.exe>
The current release is version 7.00.0004 from 2008-03-17.
This software is but insecure; it installs and uses:
the libraries LIBEAY32.DLL and SSLEAY32.DLL of the completely
outdated, unsupported and vulnerable OpenSSL 0.9.6g from
2002-08-19 (see <http://www.openssl.org/news/>);
the library LIBCURL.DLL of the outdated, unsupported and
vulnerable cURL 7.14.1 from 2005-09-05 (see
<http://curl.haxx.se/libcurl/>);
the libraries xerces-c_2_6.dll and xerces-depdom_2_6.dll of
the outdated and unsupported Xerces 2.6 (see
<http://xerces.apache.org/xerces-c/releases.html> as well as
<http://xerces.apache.org/xerces-c/releases_archive.html>);
the library CM32L7.DLL of vendor "combit GmbH" which has been
built with a completely outdated, unsupported and vulnerable
ZLIB (see <http://zlib.net/>);
an SSL certifikate container CAcerts.pem with an expired
certificate (Validity: not after "Feb 23 23:59:00 2006 GMT");
Two other certificates will expire next week, and another two
more in three weeks.
To put the icing on the cake:
The vendor has been informed via its own hotline, its own CERT, its
press spokesman for security (the "Deutsche Telekom" is member of
the german initiative "Sicher im Netz", see
<https://www.sicher-im-netz.de/wir_ueber_uns/146.aspx>) and its
security officer, both per mail and phone (where available).
Response(s): NONE
Reaction(s): NONE
Stefan Kanthak
PS: <http://service.t-online.de/c/12/70/85/92/12708592.html>
states that this software has been evaluated by TUeV Saarland and
got their label "TUeV Saarland: Gepruefte Home-Banking Software".
Whatever they checked: it wasn't the security of this software!