The just released latest version of OpenOffice.org 3.1.1 for Windows distributes (once again) a completely outdated and vulnerable MSVC++ runtime. The unpacked installation archive contains in subdirectory \REDIST\ the installer of the "Microsoft Visual C++ 2008 Redistributable", VCRedist_x86.exe, time stamp 2009-01-19, version 9.0.21022.8. This file was digitally signed by "Microsoft Corporation" on 2007-11-07, i.e. it contains the initial release of the VC++ 2008 runtime. This runtime but has been updated serveral times since its first release, the last update was published just a month ago: see <http://support.microsoft.com/kb/973551/en-us> as well as <http://www.microsoft.com/technet/security/bulletin/MS09-035.mspx>, for the current version and <http://www.microsoft.com/downloads/details.aspx?FamilyID=9b2da534-3e03-4391-8a4d-074b9f2bc1bf> as well as <http://www.microsoft.com/downloads/details.aspx?FamilyID=a5c84275-3b97-4ab7-a40d-3802b2af5fc2> for the previous updates. Fortunately the eventually installed outdated VC++ runtime will be updated by the "Automatic Updates" feature of Windows with the hotfix MS09-035 alias KB973551, IFF the Windows administrator has opt'd-in to "Microsoft Update". If not, all users of OpenOffice.org (as well as other poorly crafted software which distributes outdated 3rd-party DLLs) are put at risk! Stefan Kanthak
