Hi @ll, the OpenLimit reader ( and ), an application aimed to provide security by validating X.509 signatures and signing PDFs inside Adobe Reader, contains completely outdated, superfluous and vulnerable components, which comprise 40% (SIC!) of the whole installation package! JFTR: the downloadable self-extracting setup program "OLReader2502_DE.exe" as well as the contained files (SETUP.EXE, SCSetup\WS*.DLL) are all signed with an X.509 certificate valid until 2012-05-26T23:59:59Z. Fortunately some wise guy but missed to time-stamp the signed files, Windows treats the signature as invalid since 2012-05-27T00:00:00Z.-P According to it's manufacturer, this application supports Windows 2000 and later versions. The self-extracting setup program "OLReader2502_DE.exe" extracts the following 3rd party files (ALL are updates/installers from Microsoft) into "%TEMP%\SignCubesInstall": INSTMSI.EXE 12.0.2600.2 from 2002-02-19 the installation package of "Microsoft Installer 2.0". A newer version of Microsoft installer is part of ALL supported versions of Windows, this package MUST NOT be run there; cf. ! INSTMSIW.EXE 6.0.2448.0 from 2002-02-19 the installation package of "Microsoft Installer 2.0" for the unsupported platforms Windows 9x/ME! OUT128.EXE 5.5.3131.1 from 2000-12-02 a superseded patch for the unsupported Outlook 2000. SCBASE_D.EXE 4.71.1015.0 from 1998-04-17 a superseded patch for the unsupported platforms Windows NT4 and Windows 9x for the installation of the "Microsoft Win32 Smart Card Base Components v1.0". A newer version of this component is part of ALL supported versions of Windows! ATL.MSI a superseded installer, containing two outdated and vulnerable ATL.DLL 3.0.8449.0 from 2000-11-02 for the unsupported platforms Windows NT4 and Windows 9x. A newer version of this file is part of ALL supported versions of Windows and MUST NOT be redistributed or installed there; cf. ! COMCAT.MSI (TOTALLY superfluous, since contained in other *.MSI too!) a superseded installer, containing the outdated and vulnerable COMCAT.DLL 4.71.1460.1 from 1998-12-09 for the unsupported platform Windows NT4. A newer version of this file is part of ALL supported versions of Windows and MUST NOT be redistributed or installed there! COMCT232.MSI (TOTALLY superfluous, since contained in other *.MSI too!) a superseded installer, containing the outdated and vulnerable COMCT232.OCX 6.0.80.22 from 1998-06-24 OLEAUT32.DLL 2.40.4275.1 from 2000-04-12 ASYCFILT.DLL 2.40.4275.1 from 1999-03-08 OLEPRO32.DLL 5.0.4275.1 from 1999-03-08 STDOLE2.TLB 2.40.4275.1 from 2000-03-28 COMCAT.DLL 4.71.1460.1 from 1998-12-09 for the unsupported platforms Windows NT4 and Windows 9x. Newer versions of these files are part of ALL supported versions of Windows and MUST NOT be redistributed or installed there! COMCT332.MSI a superseded installer, containing the outdated and vulnerable COMCT332.OCX 6.7.0.8988 from 2000-12-06 OLEAUT32.DLL 2.40.4275.1 from 2000-04-12 ASYCFILT.DLL 2.40.4275.1 from 1999-03-08 OLEPRO32.DLL 5.0.4275.1 from 1999-03-08 STDOLE2.TLB 2.40.4275.1 from 2000-03-28 COMCAT.DLL 4.71.1460.1 from 1998-12-09 for the unsupported platforms Windows NT4 and Windows 9x. Newer versions of these files are part of ALL supported versions of Windows and MUST NOT be redistributed or installed there! COMCTL32.MSI a superseded installer, containing the outdated and vulnerable COMCTL32.OCX 6.0.81.5 from 2000-05-23 OLEAUT32.DLL 2.40.4275.1 from 2000-04-12 ASYCFILT.DLL 2.40.4275.1 from 1999-03-08 OLEPRO32.DLL 5.0.4275.1 from 1999-03-08 STDOLE2.TLB 2.40.4275.1 from 2000-03-28 COMCAT.DLL 4.71.1460.1 from 1998-12-09 for the unsupported platforms Windows NT4 and Windows 9x. Newer versions of these files are part of ALL supported versions of Windows and MUST NOT be redistributed or installed there! COMDLG32.MSI a superseded installer, containing the outdated and vulnerable COMDLG32.OCX 6.0.84.18 from 2000-05-23 OLEAUT32.DLL 2.40.4275.1 from 2000-04-12 ASYCFILT.DLL 2.40.4275.1 from 1999-03-08 OLEPRO32.DLL 5.0.4275.1 from 1999-03-08 STDOLE2.TLB 2.40.4275.1 from 2000-03-28 COMCAT.DLL 4.71.1460.1 from 1998-12-09 for the unsupported platforms Windows NT4 and Windows 9x. Newer versions of these files are part of ALL supported versions of Windows and MUST NOT be redistributed or installed there! MFC42.MSI a superseded installer, containing the outdated and vulnerable MFC42.DLL 6.0.8665.0 from 2000-04-06 MSVCRT.DLL 6.0.8797.0 from 2000-04-06 OLEAUT32.DLL 2.40.4275.1 from 2000-04-12 ASYCFILT.DLL 2.40.4275.1 from 1999-03-08 OLEPRO32.DLL 5.0.4275.1 from 1999-03-08 STDOLE2.TLB 2.40.4275.1 from 2000-03-28 COMCAT.DLL 4.71.1460.1 from 1998-12-09 for the unsupported platforms Windows NT4 and Windows 9x. Newer versions of these files are part of ALL supported versions of Windows and MUST NOT be redistributed or installed there! MSCOMCT2.MSI (replaced the older COMCT232.MSI!) a superseded installer, containing the outdated and vulnerable COMCT232.OCX 6.0.88.4 from 2000-05-23 OLEAUT32.DLL 2.40.4275.1 from 2000-04-12 ASYCFILT.DLL 2.40.4275.1 from 1999-03-08 OLEPRO32.DLL 5.0.4275.1 from 1999-03-08 STDOLE2.TLB 2.40.4275.1 from 2000-03-28 COMCAT.DLL 4.71.1460.1 from 1998-12-09 for the unsupported platforms Windows NT4 and Windows 9x. Newer versions of these files are part of ALL supported versions of Windows and MUST NOT be redistributed or installed there! MSCOMCTL.MSI a superseded installer, containing the outdated and vulnerable MSCOMCTL.OCX 6.0.88.62 from 2000-05-23 OLEAUT32.DLL 2.40.4275.1 from 2000-04-12 ASYCFILT.DLL 2.40.4275.1 from 1999-03-08 OLEPRO32.DLL 5.0.4275.1 from 1999-03-08 STDOLE2.TLB 2.40.4275.1 from 2000-03-28 COMCAT.DLL 4.71.1460.1 from 1998-12-09 for the unsupported platforms Windows NT4 and Windows 9x. Newer versions of these files are part of ALL supported versions of Windows and MUST NOT be redistributed or installed there! MSVBVM60.MSI a superseded installer, containing the outdated and vulnerable MSVBVM60.DLL 6.0.89.64 from 2000-11-08 OLEAUT32.DLL 2.40.4275.1 from 2000-04-12 ASYCFILT.DLL 2.40.4275.1 from 1999-03-08 OLEPRO32.DLL 5.0.4275.1 from 1999-03-08 STDOLE2.TLB 2.40.4275.1 from 2000-03-28 COMCAT.DLL 4.71.1460.1 from 1998-12-09 for the unsupported platforms Windows NT4 and Windows 9x. Newer versions of these files are part of ALL supported versions of Windows and MUST NOT be redistributed or installed there! MSVCIRT.MSI a superseded installer, containing the outdated and vulnerable MSVCRT.DLL 6.0.8797.0 from 2000-04-06 MSVCIRT.DLL 6.0.8168.0 from 2000-04-06 for the unsupported platforms Windows NT4 and Windows 9x. Newer versions of these files are part of ALL supported versions of Windows and MUST NOT be redistributed or installed there! MSVCP60.MSI a superseded installer, containing the outdated and vulnerable MSVCRT.DLL 6.0.8797.0 from 2000-04-06 MSVCP60.DLL 6.0.8972.0 from 2000-08-29 for the unsupported platforms Windows NT4 and Windows 9x. Newer versions of these files are part of ALL supported versions of Windows and MUST NOT be redistributed or installed there! MSVCRT.MSI (TOTALLY superfluous, since contained in other *.MSI too!) a superseded installer, containing the outdated and vulnerable MSVCRT.DLL 6.0.8797.0 from 2000-04-06 for the unsupported platforms Windows NT4 and Windows 9x. A newer version of this file is part of ALL supported versions of Windows and MUST NOT be redistributed or installed there! OLEAUT32.MSI (TOTALLY superfluous, since contained in other *.MSI too!) a superseded installer, containing the outdated and vulnerable OLEAUT32.DLL 2.40.4275.1 from 2000-04-12 ASYCFILT.DLL 2.40.4275.1 from 1999-03-08 OLEPRO32.DLL 5.0.4275.1 from 1999-03-08 STDOLE2.TLB 2.40.4275.1 from 2000-03-28 for the unsupported platforms Windows NT4 and Windows 9x. Newer versions of these files are part of ALL supported versions of Windows and MUST NOT be redistributed or installed there! Fortunately the "Windows File Protection" fixes most of the damage done by the installation of this piece of crap^W^W^Wwell engineered software and restores the overwritten system files. On Windows 5.x the following overwritten registry entries are but NOT fixed: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BE35200-8F91-11CE-9DE3-00AA004BB851}\InProcServer32] @="C:\\WINDOWS\\system32\\MFC42.DLL" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BE35201-8F91-11CE-9DE3-00AA004BB851}\InProcServer32] @="C:\\WINDOWS\\system32\\MFC42.DLL" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BE35202-8F91-11CE-9DE3-00AA004BB851}\InProcServer32] @="C:\\WINDOWS\\system32\\MFC42.DLL" MFC42.DLL is the ANSI version of this system DLL, suitable for Windows 9x/ME. Windows NT* but needs the UNICODE version of this DLL, named MFC42U.DLL. As result, UNICODE programs which use MFC42.DLL will fail! To complete the sad story: before the installation ALL system DLLs were registered with their fully qualified pathnames and were not vulnerable to "binary planting" attacks ( and ). After the installation, the Windows installation was vulnerable again (modulo the "Known DLLs"): [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0000002F-0000-0000-C000-000000000046}\InProcServer32] @="oleaut32.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InProcServer] @="ole2disp.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InProcServer32] @="oleaut32.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InProcServer] @="ole2disp.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InProcServer32] @="oleaut32.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InProcServer] @="ole2disp.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InProcServer32] @="oleaut32.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InProcServer] @="ole2disp.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InProcServer32] @="oleaut32.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InProcServer] @="ole2disp.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InProcServer32] @="oleaut32.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InProcServer] @="ole2disp.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InProcServer32] @="oleaut32.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851}\InProcServer32] @="oleaut32.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InProcServer32] @="oleaut32.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46763EE0-CAB2-11CE-8C20-00AA0051E5D4}\InProcServer32] @="oleaut32.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InProcServer32] @="oleaut32.dll" Stefan Kanthak Timeline: 2012-05-19 vendor informed ... no reaction until 2012-06-25 report published