mailing list archives
Essential PIM 4.22: MANY vulnerabilities in 3rd party libraries
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Fri, 17 Jun 2011 02:17:09 +0200
the current version of Essential PIM 4.22, available at
with HTTP timestamp "Wed, 15 Jun 2011 13:20:12 GMT", comes with
VULNERABLE and COMPLETELY outdated 3rd party runtime libraries!
1. libeay32.dll and ssleay32.dll of OpenSSL 0.9.8i, from 2008-09-15
updated 8 times due to fixed vulnerabilities, current release is
0.9.8r; see <http://openssl.org/news/> and
2. msvcrt80.dll version 8.0.50727.42, from 2005-09-23
updated at least twice due to fixed vulnerabilities; see
For general guidelines see <http://support.microsoft.com/kb/326922>
3. gds32.dll of FirebirdSQL 18.104.22.16818, from 2009-02-28
updated at least once due to fixed vulnerabilities, current
release is 2.1.4; see <http://firebirdsql.org/>
4. icudt30.dll and icuuc30.dll 22.214.171.124, from 2009-02-27
updated quite some times and superseded with version 4 due to
CVE-2007-4770 CVE-2007-4771 CVE-2008-1036 CVE-2009-0153
current release is 4.8; see <http://site.icu-project.org/>
5. hunspelldll.dll <unknown version>, from 2009-06-26
current release is 1.3.1; see <http://hunspell.sourceforge.net/>
It needs REAL chuzpe to build and distribute software with those
vulnerable and outdated libraries (and most probably a vulnerable
and outdated development environment too).
2011-05-28 vulnerability report sent to vendor after release of v4.21
2011-05-30 vendor reply:
"We'll update them in the next version. Thanks for notice."
2011-06-15 vendor releases v4.22 with EXACT the same vulnerable libraries
already included in v4.21
vendor obviously doesn't care about security at all!
2011-06-17 vulnerability report published
- Essential PIM 4.22: MANY vulnerabilities in 3rd party libraries Stefan Kanthak (Jun 17)