> Timeline > ~~~~~~~~ > 2012-08-24 informed vendor support > 2012-09-24 no reaction/reply from vendor support, report published Dell security is a joke. In the past, I even tried to call support when emails went unanswered. The call center responded by dropping the call (three times).
On Mon, Sep 24, 2012 at 5:57 AM, Stefan Kanthak <[email protected]> wrote: > Hi @ll > > the current version of Dell's Data Protection | Access (DDPA) software for > Windows (Build 2.2.00003.008 from 2012-06-14, released August 2012) contains > and installs several outdated, superfluous and vulnerable Windows system > components as well as outdated and vulnerable 3rd party components and > drivers. > > <http://www.dell.com/support/drivers/uk/en/ukdhs1/DriverDetails?driverId=KPCWG> > > >From the readme.txt: > > | Dell Data Protection | Access (DDP|A) is an integrated end point security > | management suite, providing for seamless data security and authentication. > | It allows you to authenticate using a fingerprint, smartcard, contactless > | smartcard or password. Pre-Windows can be configured to unlock > self-encrypting > | drives upon authentication. > > > The outdated, superfluous and vulnerable components (incomplete): > > #1. "Microsoft MSXML Parser.msi" version 6.0 from 2005-09-09 > > All versions of Windows supported by DDP|A include a newer version > of MSXML 6.0, the latest update/security fix cf. > <http://technet.microsoft.com/en-us/security/bulletin/ms12-043> > > > #2. "Microsoft Root Certificate Update October 2010\rootsupd.exe" > > The current Microsoft root certificate update is from April 2012, > cf. <http://support.microsoft.com/kb/931125> > > > #3. "Microsoft Visual Studio Runtimes\vcredist_x86.exe" > version 9.0.30729.17 from 2008-08-08 > > For the current Microsoft Visual C++ 2008 Redistributable Package > cf. <http://technet.microsoft.com/en-us/security/bulletin/ms11-025> > > > #4. "Microsoft CCID Smartcard Reader for XP\usbccid.sys" > version 5.2.3790.2444 from 2005-05-17 > > The installer package for DDP|A but includes the hotfix > "WindowsXP-KB967048-v2-x86-ENU.exe" with the current version of > this driver: 5.2.3790.4476, 2009-03-17 > > > #5. "AuthenTec AES2810 Fingerprint Reader\AT8MinFoose.msi" > version 8.4.4.39 from 2012-02-02 > > Cf. > <http://blog.crackpassword.com/2012/08/upek-fingerprint-readers-a-huge-security-hole/> > > > #6. "UPEK TouchChip Fingerprint Reader\UPEK_Touchchip.msi" > version 5.9.4.6685 from 2010-09-15 > > Cf. > <http://blog.crackpassword.com/2012/08/upek-fingerprint-readers-a-huge-security-hole/> > > This driver package contains parts of OpenSSL (no version specified), > it installs a textfile "OpenSSL license" from 2006-06-14! > So: add OpenSSL to the list of vulnerable components too. > > > #7. "UPEK TouchChip Fingerprint Reader PBA Support\spba.msi" > version 5.9.4.6901 from 2010-??-?? > > This package contains a vulnerable MSVCRT+ 2005 runtime (version > 8.0.50727.762) > > Cf. <http://technet.microsoft.com/en-us/security/bulletin/ms11-025> > > This driver package contains parts of OpenSSL (no version specified), > it installs a textfile "OpenSSL license" from 2006-06-14! > So: add OpenSSL to the list of vulnerable components too. > > > #8. "Preboot Manager.msi" version 03.02.00.119 from 2011-12-06 > by Wave Systems Corp. > > This package contains a vulnerable MSXML 4.0 SP2 (version 4.20.9818.0 > from 2003-04-18). > Cf. <http://technet.microsoft.com/en-us/security/bulletin/ms12-043> > > This package contains a VTAPI.DLL (version 5.6.0.3239 from 2006-11-13) > from UPEK Inc. (see #6 and #7 above) which contains parts of OpenSSL. > So: yet another component with vulnerable OpenSSL code. > > JFTR: no textfile with the "OpenSSL license" included here. > > > #9. "NTRU CryptoSystems TCG Software Stack\NTRU-CTSS-v1.2.1.37-eu.msi" > version 1.2.1.37 from 2011-10-08 > by NTRU CryptoSystems Inc. > > This package contains a vulnerable MSVCRT++ 2010 (version 10.0.30319.1 > from 2010-03-18), cf. > <http://technet.microsoft.com/en-us/security/bulletin/ms11-025> > > > ... and more (I stopped counting)! > > > Dell Inc.: Don't you have any QA? Can't afford one? > UPEK Inc.: Don't you have any QA? Can't afford one? > Wave Corp.: Don't you have any QA? Can't afford one? > NTRU Inc.: Don't you have any QA? Can't afford one? > > What about just a little bit of serious software engineering and due > diligence in your development, build and production processes? > > It's a stupid idea to build security software from vulnerable components! > > > Stefan Kanthak > > > Timeline > ~~~~~~~~ > > 2012-08-24 informed vendor support > > 2012-09-24 no reaction/reply from vendor support, report published > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > > The information transmitted in this message and its attachments (if any) is > intended only for the person or entity to which it is addressed. > > The message may contain confidential and/or privileged material. Any review, > retransmission, dissemination or other use of, or taking of any action in > reliance upon this information, by persons or entities other than the > intended recipient is prohibited. > > If you have received this in error, please contact the sender and delete this > e-mail and associated material from any computer. > > The intended recipient of this e-mail may only use, reproduce, disclose or > distribute the information contained in this e-mail and any attached files, > with the permission of the sender. > > This message has been scanned for viruses. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
