AOH :: HP Unsorted O :: VA1843.HTM

Outdated and vulnerable OpenSource libraries used in "Deutsche Telekom" home banking software



Outdated and vulnerable OpenSource libraries used in "Deutsche Telekom" home banking software
Outdated and vulnerable OpenSource libraries used in "Deutsche Telekom" home banking software



The "Deutsche Telekom" resp. their "T-Online" branch offer their
own home banking software for Windows under
 
The current release is version 7.00.0004 from 2008-03-17.


This software is but insecure; it installs and uses:

- the libraries LIBEAY32.DLL and SSLEAY32.DLL of the completely
  outdated, unsupported and vulnerable OpenSSL 0.9.6g from
2002-08-19 (see ); 

- the library LIBCURL.DLL of the outdated, unsupported and
  vulnerable cURL 7.14.1 from 2005-09-05 (see
); 

- the libraries xerces-c_2_6.dll and xerces-depdom_2_6.dll of
  the outdated and unsupported Xerces 2.6 (see
 as well as 
); 

- the library CM32L7.DLL of vendor "combit GmbH" which has been
  built with a completely outdated, unsupported and vulnerable
ZLIB (see ); 

- an SSL certifikate container CAcerts.pem with an expired
  certificate (Validity: not after "Feb 23 23:59:00 2006 GMT");
  Two other certificates will expire next week, and another two
  more in three weeks.


To put the icing on the cake:

- the software installs without any error message on Windows 2000,
  although it needs Windows XP or Windows Vista to run (see
), and 
  fails to start with error message "Library UXTHEME.DLL missing"
  after successful installation.


The vendor has been informed via its own hotline, its own CERT, its
press spokesman for security (the "Deutsche Telekom" is member of
the german initiative "Sicher im Netz", see
) and its 
security officer, both per mail and phone (where available).


Response(s): NONE
Reaction(s): NONE


Stefan Kanthak

PS:  
    states that this software has been evaluated by TUeV Saarland and
    got their label "TUeV Saarland: Gepruefte Home-Banking Software".
    Whatever they checked: it wasn't the security of this software!


The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.