mailing list archives
Vulnerable MSVC++ 2008 runtime libraries distributed with and installed by Ogg DirectShow filters
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Wed, 3 Oct 2012 22:08:28 +0200
the Ogg DirectShow filters available from <http://www.xiph.org/dshow/>
are distributed with and install vulnerable MSVC++ 2008 runtime libraries
To make things worse, the vulnerable libraries are NOT installed as
side-by-side components below %SystemRoot%\WinSxS\, but as private
components in the applications directory, where they are not detected
and not updated by tools like Windows Update Agent or Secunia PSI.
Additionally, the installer places the 64-bit components into the
wrong path "%ProgramFiles(x86)%\Xiph.org\OpenCodecs\x64\".
Delete all MSVC?.DLL installed with the Ogg DirectShow filters
in "%ProgramFiles(x86)%\Xiph.org\OpenCodecs\" and
2010-05-23 informed maintainer about errors and problems in
2010-05-25 maintainer replied "will have a look"
2010-07-21 maintainer released version 0.84.17338
2010-07-21 informed maintainer about problems still not fixed
2011-01-12 maintainer released "current" version 0.85.17777
2012-03-08 asked maintainer for a fix for the vulnerable MSVCRT
2012-03-09 maintainer replied "planning update before easter"
2012-10-03 report published
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
- Vulnerable MSVC++ 2008 runtime libraries distributed with and installed by Ogg DirectShow filters Stefan Kanthak (Oct 04)