While the detail is satisfying, I think this could all be filed under a single CVE entitled "Almost all Windows software ships outdated MSVC and other Microsoft runtime components in direct contravention of the license."
I gave up trying to report this sort of thing back with Dropbox, years ago, when I pointed out that possibly Python 2.5 wasn't the best version to ship with the Windows client. To their credit, one of the developers blew me off within scant minutes, which is an almost unprecedented response time for security issues. Still, if you're interested in outdated MSVC components, I suggest Cyberlink PowerDVD ( http://www.cyberlink.com/products/powerdvd-ultra/features_en_US.html ). On my last examination, it shipped multiple, internally redundant versions of MSVC6, 7, 8, and 9. It probably includes oudated MSVC10 DLLs by now, too. PS: Most applications seem to include thoroughly outdated Windows components for extra credit; such as UNICOWS.DLL--very common--or old DirectX components. I'm reasonably certain that redistributing core Windows DLLs has always been in contravention of the Windows licenses. On 2013-07-10 17:21:48 (+0200), Stefan Kanthak wrote: > Hi @ll, > > the current Adobe Reader 11.0.03 installs the following VULNERABLE (3rd > party) > components: _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
