Hi @ll

the current version of Dell's Data Protection | Access (DDPA) software
for Windows (Build 2.2.00003.008 from 2012-06-14, released August 2012)
contains and installs several outdated, superfluous and vulnerable
Windows system components as well as outdated and vulnerable 3rd party
components and drivers.

From the readme.txt:

| Dell Data Protection | Access (DDP|A) is an integrated end point security
| management suite, providing for seamless data security and authentication.
| It allows you to authenticate using a fingerprint, smartcard, contactless
| smartcard or password. Pre-Windows can be configured to unlock self-encrypting
| drives upon authentication.

The outdated, superfluous and vulnerable components (incomplete):

#1. "Microsoft MSXML Parser.msi"
    version 6.0 from 2005-09-09

    All versions of Windows supported by DDP|A include a newer version
    of MSXML 6.0, the latest update/security fix cf.

#2. "Microsoft Root Certificate Update October 2010\rootsupd.exe"

    The current Microsoft root certificate update is from April 2012, cf.

#3. "Microsoft Visual Studio Runtimes\vcredist_x86.exe"
    version 9.0.30729.17 from 2008-08-08

    For the current Microsoft Visual C++ 2008 Redistributable Package cf.

#4. "Microsoft CCID Smartcard Reader for XP\usbccid.sys"
    version 5.2.3790.2444 from 2005-05-17

    The installer package for DDP|A, however, includes the hotfix
    "WindowsXP-KB967048-v2-x86-ENU.exe" with the current version of
    this driver: 5.2.3790.4476, 2009-03-17

#5. "AuthenTec AES2810 Fingerprint Reader\AT8MinFoose.msi"
    version 8.4.4.39 from 2012-02-02

    Cf.

#6. "UPEK TouchChip Fingerprint Reader\UPEK_Touchchip.msi"
    version 5.9.4.6685 from 2010-09-15

    Cf.

    This driver package contains parts of OpenSSL (no version specified),
    it installs a text file "OpenSSL license" from 2006-06-14!
    So: add OpenSSL to the list of vulnerable components too.

#7. "UPEK TouchChip Fingerprint Reader PBA Support\spba.msi"
    version 5.9.4.6901 from 2010-??-??

    This package contains a vulnerable MSVCRT+ 2005 runtime
    (version 8.0.50727.762)

    Cf.

    This driver package contains parts of OpenSSL (no version specified),
    it installs a text file "OpenSSL license" from 2006-06-14!
    So: add OpenSSL to the list of vulnerable components too.

#8. "Preboot Manager.msi"
    version 03.02.00.119 from 2011-12-06 by Wave Systems Corp.

    This package contains a vulnerable MSXML 4.0 SP2
    (version 4.20.9818.0 from 2003-04-18).

    Cf.

    This package contains a VTAPI.DLL (version 5.6.0.3239 from 2006-11-13)
    from UPEK Inc. (see #6 and #7 above) which contains parts of OpenSSL.
    So: yet another component with vulnerable OpenSSL code.

    JFTR: no text file with the "OpenSSL license" included here.

#9. "NTRU CryptoSystems TCG Software Stack\NTRU-CTSS-v1.2.1.37-eu.msi"
    version 1.2.1.37 from 2011-10-08 by NTRU CryptoSystems Inc.

    This package contains a vulnerable MSVCRT++ 2010
    (version 10.0.30319.1 from 2010-03-18), cf.

... and more (I stopped counting)!

Dell Inc.: Don't you have any QA? Can't afford one?
UPEK Inc.: Don't you have any QA? Can't afford one?
Wave Corp.: Don't you have any QA? Can't afford one?
NTRU Inc.: Don't you have any QA? Can't afford one?

What about just a little bit of serious software engineering and
due diligence in your development, build and production processes?

It's a stupid idea to build security software from vulnerable components!

Stefan Kanthak

Timeline
~~~~~~~~

2012-08-24    informed vendor support

2012-09-24    no reaction/reply from vendor support, report published