This is quite a sad story and also a perfect example of the ignorance, or maybe arrogance, of many software vendors. I reported the buffer overflow vulnerability to the vendor named “Photodex” and also received an answer, which sounded like they were starting to work on the issue:

but then… I did not receive any further messages. Absolutely nothing. After a while I decided to publish the issue the usual way and notified them again about the issue, including a direct link to the Full-Disclosure mailing list.

The answer? Quite a funny one (am I talking to a bot?!):

In the meantime, some cool guys over at Metasploit have created a working exploit module for their framework, which makes the issue exploitable on all current operating systems (Windows XP SP3 / Windows 7 SP1 (default)). Good work guys – I like your work 😉 !

Photodex released two further updates, bringing ProShow Producer to version 5.0.3280, which still contain the same vulnerability; they did not touch it during the update process:

And by the way: You may also have noticed the price of the ProShow Producer software as stated on their website:

Full version from $249.95

They sell their software for about 250 bucks per license but do not even care about their product security and therefore customer security?! Now you can simply throw the money out of the next window or buy another product from a more security-aware company. May the force be with you 🙂 !

ProShow Producer still vulnerable after two updates!