[Full-disclosure] Vulnerable DLLs distributed with Terratec HomeCinema 6.3
stefan.kanthak at nexgo.de
Wed Jul 15 23:42:02 BST 2009
Once again a sad story of poor software "engineering", missing QA
and a TOTALLY unresponsive vendor.
The current version 6.3 of Terratec's TV software HomeCinema
from 2009-05-05 installs outdated and vulnerable .DLLs (the
test system used is a fully patched german Windows XP SP3):
1. Version 1.2.2 of ZLIB1.DLL is installed as
Current since 2005-07-18 is version 1.2.3 of ZLIB1.DLL
| Version 1.2.3 eliminates potential security vulnerabilities in
| zlib 1.2.1 and 1.2.2, so all users of those versions should
| *upgrade* *immediately*.
2. Version 5.1.3102.2180 of Microsoft's GDIPLUS.DLL is installed as
The current version of GDIPLUS.DLL for Windows XP SP3 is
5.1.3102.5512, which is already part of the system and installed
into Windows' side-by-side cache under "%SystemRoot%\WinSxS\"!
According the MSDN GDIPLUS.DLL MUST NOT be installed into
"%SystemRoot%\SYSTEM32\", and DLLs distributed with Windows
MUST NOT be redistributed by ISVs.
In addition see the MSFT security bulletin MS08-052
as well as the MSFT knowledge base article 954593
3. The DLLs of the current version of the component MSXML4 SP2 are
installed to "%SystemRoot%\SYSTEM32\".
This component is but not installed from the redistributable
package provided by Microsoft that ISVs have to use to meet the
legal mumbo-jumbo, instead Terratec choose to repackage the DLLs
into an NSIS installer, thus violating MSFTs redistribution
(Un)fortunately this NSIS installer is flawed and does not
perform all the necessary steps needed for a clean installation
of MSXML4 SP2, so Microsoft Update detects the MSXML4 SP2
installation as outdated/incomplete and fetches the current
patch installer (<http://support.microsoft.com/kb/954430/en-us>,
to repair it.
The best of all: MSXML4 is NOT referenced at all by the installed
application CynergyDVR.EXE, which but uses XMLLITE.DLL
4. A superfluous pthreadVC2.dll is installed as
PS: Tools like Secunia's PSI don't detect such outdated and
vulnerable DLLs. Admin beware!
2009-06-16 phone call with Terratec's hotline - they were unable
to take any action, but requested to send report per
2009-06-17 sent mail to Terratec - no response
2009-06-30 resent mail to Terratec - again no response
2009-07-16 report published
Full-Disclosure is hosted and sponsored by Secunia.