[Full-disclosure] Nuance OmniPage 16 Professional installs multiple vulnerable Microsoft runtime libraries
- From: "Stefan Kanthak" <stefan.kanthak@xxxxxxxx>
- Date: Sat, 26 Jun 2010 16:29:29 +0200
Nuance Communications, Inc. offer on their German web page
a trial version of OmniPage 16 Professional for download.
The installer OPPro16_TD.exe (a self-extracting RAR archive) was
published "Tue, 30 Jun 2009 14:38:28 GMT" (according to its HTTP
time stamp), unpacking reveals a BUILD.ID "OP-0861-035-7563.1134"
with time stamp "Tue, 17 Jun 2008 09:51:32".
After installation on a fully patched Windows XP with Service Pack 3
the following vulnerable Microsoft runtime libraries are found:
1. %SystemRoot%\SYSTEM32\GDIPLUS.DLL 5.1.3097 2001-06-15 21:00
GDIPLUS.DLL has been patched several times since 2001, see
or <http://support.microsoft.com/kb/954593/en-us> for the current
version, 5.1.3102.5581 (XP SP3) or 5.1.3102.3352 (XP SP2).
since GDIPLUS.DLL is part of the OS in Windows XP and installed
in its side-by-side cache a 3rd party vendor MUST NOT install a
GDIPLUS.DLL into the system directory.
See <http://support.microsoft.com/kb/835322/en-us> and
the current version was available when the installer was published!
2. %SystemRoot%\SYSTEM32\CAPICOM.DLL 126.96.36.199 2003-10-28 12:24
CAPICOM.DLL has been patched several times since 2003, see
or <http://support.microsoft.com/kb/931906/en-us> for the current
the installer is brain-dead, it overwrites a newer version of
CAPICOM.DLL if this already exists in %SystemRoot%\SYSTEM32\!
the current version was available when the installer was built!
the installer does not detect a properly installed current
version of CAPICOM.DLL in its default location
"%ProgramFiles%\Microsoft CAPICOM 188.8.131.52\Lib\X86\CAPICOM.DLL".
Registration of the older library over the newer one creates a
mess with the registered interfaces which will lead to arbitrary
program errors in applications that use interfaces which had
been registered by the newer CAPICOM.DLL when called after
interfaces now registered by the older CAPICOM.DLL.
3. %SystemRoot%\SYSTEM32\MSXML4.DLL 40.10.9404.0 2002-04-02 02:52
%SystemRoot%\SYSTEM32\MSXML4R.DLL 40.10.9404.0 2002-04-02 02:43
This is MSXML 4 Service Pack 1, which has been updated several
times since 2002, see
or <http://support.microsoft.com/kb/954430/en-us> as well as
<http://support.microsoft.com/kb/973685/en-us> for the current
version, MSXML 4 Service Pack 3.
the installer is brain-dead, it overwrites newer versions of
MSXML4*.DLL if these already exist in %SystemRoot%\SYSTEM32\!
although the current version was not available when the installer
was published, a newer version than included was available when
the installer was built, see
2010-06-07 vendor informed per mail (multiple recipients)
2010-06-08 several automatic delivery receipts
2010-06-16 no human reply; 2nd try, vendor informed again
2010-06-17 human reply, promising to forward to responsible team
2010-06-26 no reaction; disclosure
Who cares about software engineering and the build process at Nuance?
Who cares about security of customer systems at Nuance?
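
Added example, not part of the original post and not code from Nuance or Microsoft: a sketch of the version check the post says the installer lacks. It reads the file version from a library's VS_FIXEDFILEINFO header and refuses to replace an equal or newer copy. Assumptions: the function names are hypothetical, the "DLLs" are constructed byte strings, and locating the header by scanning for its signature is a simplification of walking the PE resource directory.

```python
import struct

# Signature that opens VS_FIXEDFILEINFO inside a PE version resource.
FFI_SIGNATURE = struct.pack("<I", 0xFEEF04BD)

def file_version(blob):
    """Return (major, minor, build, private) of a PE image, or None if absent."""
    pos = blob.find(FFI_SIGNATURE)
    if pos < 0 or pos + 16 > len(blob):
        return None
    # dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS
    _, _, ms, ls = struct.unpack_from("<4I", blob, pos)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)

def parse_version(text):
    """'5.1.3102.5581' -> (5, 1, 3102, 5581); missing parts count as 0."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def install_decision(packaged, existing):
    """What an installer should do with a shared DLL it carries."""
    new = file_version(packaged)
    if new is None:
        return "refuse"            # cannot compare, so never overwrite blindly
    if existing is None:
        return "install"           # nothing on disk yet
    old = file_version(existing)
    if old is not None and old >= new:
        return "keep-existing"     # never downgrade a patched library
    return "replace"

def below_baseline(blob, baseline):
    """True if the file is older than the patched baseline (or unversioned)."""
    found = file_version(blob)
    return found is None or found < parse_version(baseline)

def constructed_dll(version):
    """Constructed stand-in for a DLL: padding plus a VS_FIXEDFILEINFO header."""
    major, minor, build, private = parse_version(version)
    ffi = struct.pack("<4I", 0xFEEF04BD, 0x00010000,
                      (major << 16) | minor, (build << 16) | private)
    return b"MZ" + b"\x00" * 62 + ffi + b"\x00" * 36

if __name__ == "__main__":
    shipped = constructed_dll("5.1.3097")        # GDIPLUS.DLL version named in the post
    patched = constructed_dll("5.1.3102.5581")   # XP SP3 version named in the post
    print(install_decision(shipped, patched))
    print(below_baseline(shipped, "5.1.3102.5581"))
```

The same below_baseline check can be pointed at real files by passing the bytes read from each library found in the system directory.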