Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22398
HistorySep 02, 2009 - 12:00 a.m.

Vulnerable MSVC++ runtime distributed with OpenOffice.org 3.1.1 for Windows

2009-09-0200:00:00
vulners.com
19
JSON

The just released latest version of OpenOffice.org 3.1.1 for Windows
distributes (once again) a completely outdated and vulnerable MSVC++
runtime.

The unpacked installation archive contains in subdirectory \REDIST\
the installer of the "Microsoft Visual C++ 2008 Redistributable",
VCRedist_x86.exe, time stamp 2009-01-19, version 9.0.21022.8.

This file was digitally signed by "Microsoft Corporation" on 2007-11-07,
i.e. it contains the initial release of the VC++ 2008 runtime.

This runtime but has been updated serveral times since its first
release, the last update was published just a month ago: see
<http://support.microsoft.com/kb/973551/en-us&gt; as well as
<http://www.microsoft.com/technet/security/bulletin/MS09-035.mspx&gt;,
for the current version and
<http://www.microsoft.com/downloads/details.aspx?FamilyID=9b2da534-3e03-4391-8a4d-074b9f2bc1bf&gt;
as well as
<http://www.microsoft.com/downloads/details.aspx?FamilyID=a5c84275-3b97-4ab7-a40d-3802b2af5fc2&gt;
for the previous updates.

Fortunately the eventually installed outdated VC++ runtime will be
updated by the "Automatic Updates" feature of Windows with the hotfix
MS09-035 alias KB973551, IFF the Windows administrator has opt'd-in
to "Microsoft Update".
If not, all users of OpenOffice.org (as well as other poorly crafted
software which distributes outdated 3rd-party DLLs) are put at risk!

Stefan Kanthak

JSON