1688689 - Enterprise 3.1 installs versions of MS09.DLL and VBE6.DLL which expose known security vulnerabilities

• When installing BusinessObjects Enterprise 3.1 to a Windows system where MS09.DLL and VBE6.DLL are not already present, the installer uses versions of these DLLs which are associated with known security vulnerabilities.
• Microsoft provides patches for these vulnerabilities, but they are built to be installed on top of a full install of Microsoft Office.  Because Enterprise does not install a full version of Microsoft Office, these patches are not effective here.

• SAP BusinessObjects Enterprise XI 3.1

Further information and details below:

MSO9.DLL
version 9.0.0.3821
Known security vulnerabilities referenced at the below links:
http://support.microsoft.com/kb/950183
http://technet.microsoft.com/en-us/security/bulletin/ms07-025
http://technet.microsoft.com/en-us/security/bulletin/ms07-015
http://technet.microsoft.com/en-us/security/bulletin/ms06-048

VBE6.DLL
version 6.0.86.67
Known security vulnerabilities referenced at the below links:
http://technet.microsoft.com/en-us/security/bulletin/MS10-031
http://support.microsoft.com/kb/978213

The specific vulnerabilities and information regarding them are as follows:
CVE-2006-3649 : http://technet.microsoft.com/en-us/security/bulletin/ms06-047
CVE-2006-3434 : http://technet.microsoft.com/en-us/security/bulletin/ms06-062
CVE-2006-3650 : http://technet.microsoft.com/en-us/security/bulletin/ms06-062
CVE-2006-3864 : http://technet.microsoft.com/en-us/security/bulletin/ms06-062
CVE-2006-3868 : http://technet.microsoft.com/en-us/security/bulletin/ms06-062

xi3 xi3.1 ADAPT 01616657 1616657 ADAPT01616658 , KBA , BI-BIP-DEP , Webapp Deployment, Networking, Vulnerabilities, Webservices , BI-BIP-ADM , BI Servers, security, Crystal Reports in Launchpad , Bug Filed