Hi @ll, the recently released RamDisk 4.0.0 from Dataram Inc., <http://memory.dataram.com/products-and-services/software/ramdisk> (formerly known as Cenatek RamDisk) comes with several vulnerable and some superfluous as well as outdated/deprecated/superseded 3rd party OCXs and DLLs from Microsoft. 1. TABCTL32.OCX version 6.1.97.82 from 2004-03-09 COMDLG32.OCX version 6.1.97.82 from 2004-07-14 MSCOMCT2.OCX version 6.1.97.82 from 2004-03-08 MSCOMCTL.OCX version 6.1.98.18 from 2009-12-19 are all vulnerable, deprecated and have been superseded several times since their release. Cf. <http://support.microsoft.com/kb/957924>, <http://support.microsoft.com/kb/926857> and <http://technet.microsoft.com/security/bulletin/MS08-070>, <http://support.microsoft.com/kb/2641426>, <http://support.microsoft.com/kb/2664258> and <http://technet.microsoft.com/security/bulletin/MS12-027>, <http://support.microsoft.com/kb/2708437> and <http://technet.microsoft.com/security/bulletin/MS12-060> Additionally these files are installed in the applications directory, not the Windows "System" directory. This prevents Windows Update from detecting and updating vulnerable and deprecated/superseded libraries (and fixing YOUR errors) now, and in the future too. Cf. <http://support.microsoft.com/kb/835322> To make things even worse, these application-local installed OCX are registered system-global, overwriting the existing registration of the current versions of these OCX installed elsewhere, and thus propagate their vulnerabilities and errors to any other application using these OCX. 2. COMCAT.DLL version 4.71.1460.1 from 1999-06-01 OLEAUT32.DLL version 2.40.4275.1 from 1999-03-08 OLEAUT32.DLL version 2.40.4275.1 from 2000-04-12 OLEPRO32.DLL version 5.0.4275.1 from 1999-03-08 STDOLE2.TLB version 2.40.4275.1 from 1999-06-03 are all superfluous, outdated/deprecated/superseded and vulnerable too. Cf. <http://support.microsoft.com/kb/2476490> and <http://technet.microsoft.com/security/bulletin/MS11-038> Additionally these files are part of ALL supported Windows versions and MUST NOT be redistributed since Windows 2000! Cf. <http://msdn.microsoft.com/en-us/library/4kbye0ax.aspx> | If these DLLs are not available in the target system, you need to | get them updated through the PRESCRIBED mechanism for updating the ~~~~~~~~~~ | corresponding operating system. or cf. <http://support.microsoft.com/kb/831491> | Remove the commonly redistributed system files from the setup | package 3. MSVBVM60.DLL version 6.0.97.82 from 2004-02-23 is superfluous and outdated/deprecated/superseded. A newer version of this file is part of ALL supported Windows versions! Cf. <http://support.microsoft.com/kb/314720> Timeline: ~~~~~~~~~ 2010-06-28 vendor informed (for v3.5.20 of their "product") no reaction from vendor 2012-10-06 vendor informed (for v4.0.0 of their "product") no reaction from vendor 2012-11-06 report published Recommendation: ~~~~~~~~~~~~~~~ Stay away from products of vendors/companies who dont follow even the most basic principles of software engineering! Stefan Kanthak
