Hi,

Exact Audio Copy (see <http://www.exactaudiocopy.de/>) V1.0 beta 3,
released 2011-09-11, installs the following OUTDATED, UNSUPPORTED
and VULNERABLE 3rd party components:

1. Microsoft SQL Server Compact 3.5 Service Pack 1:

| X:\>filever.exe /S "%ProgramFiles%\Exact Audio Copy\sqlce*.dll"
|        x:\program files\exact audio copy\sqlce*.dll
| --a-- W32i   DLL ENU      3.5.5692.0 shp    343,104 06-25-2008 sqlceca35.dll
| --a-- W32i   DLL ENU      3.5.5692.0 shp     84,544 06-25-2008 sqlcecompact35.dll
| --a-- W32i   DLL ENU      3.5.5692.0 shp    172,608 06-25-2008 sqlceoledb35.dll
| --a-- W32i   DLL ENU      3.5.5692.0 shp    644,160 06-25-2008 sqlceqp35.dll
| --a-- W32i   DLL ENU      3.5.5692.0 shp    348,224 06-25-2008 sqlcese35.dll

   Support end for SQL Server Compact 3.5 Service Pack 1 was on
   2011-06-29, see <http://support.microsoft.com/lifecycle/?p1=2855>

   Its supported successor, "Microsoft SQL Server Compact 3.5
   Service Pack 2 for Windows Desktop" is available since 2010-05-17,
   see <http://www.microsoft.com/en-us/download/details.aspx?id=5783>


2. From the REDIST.TXT included in the SQL Compact Edition:

| Private deployment of just the native stack and explicit loading
| of SQL Server Compact Assembly via Assembly.LoadFrom(), .local
| file, or the use of DLL/COM redirection strategies are not
| supported and may result in serviceability issues.
| For more information see http://support.microsoft.com/kb/835322
| and http://msdn2.microsoft.com/en-us/library/aa375142.aspx


3. MSVC++ 2005 runtime libraries 8.0.50727.4053:

| X:\>filever.exe /S "%ProgramFiles%\Exact Audio Copy\Microsoft.VC80.CRT"
|        x:\program files\exact audio copy\microsoft.vc80.crt\*.*
| --a--    -   -   -               -   -        455 12-07-2009 microsoft.vc80.crt.manifest
| --a-- W32i   DLL ENU  8.0.50727.4053 shp    632,656 07-12-2009 msvcr80.dll

   The current version of the MSVCRT++ 2005 runtime is available
   since 2011-04-11, see <http://support.microsoft.com/kb/2538243>
   alias <http://technet.microsoft.com/security/bulletin/ms11-025>

   JFTR: See <http://support.microsoft.com/kb/835322>

   When installed via the MSVCRT++ redistributable package,
   Windows Update but keeps this component up-to-date!


Stefan Kanthak


Timeline:
~~~~~~~~~

2013-08-06    informed developer

2013-08-06    developer replies:

              a. "EAC was released two months after the release of
                 the service pack"

              2011-09-11 is two months later than 2010-05-17?

              b. "EAC is written in Modula II and needs no MSVCRT++"

              The satellites used by EAC but need it!

              c. "EAC uses SQL Compact DLLs from Microsoft, which
                 request the exact library version in their manifest
                 (Visual Studio 8 enforces this). Since I use the 
                 latest SQL Compact Installation I had to include the
                 corresponding MSVCRT++ DLLs"

              Really?
              - the manifests of the sqlce*35.dlls refer to version
                8.0.50608.0
              - Visual Studio does not enforce anything in a manifest
              - see <http://msdn.microsoft.com/library/aa375680.aspx>!
              - the latest SQL Compact Edition is NOT used, see above
              - the "corresponding DLLs" version 8.0.50608.0 are NOT
                included

              d. "what does 'application local' mean?"

              OUCH!
              Obviously, the developer has no clue how manifests and
              "side-by-side" installations work and didnt notice the
              contents of REDIST.TXT

2013-08-07    replied with all the details
              
2013-08-07    developer replies: "write your own EAC"