I have sp2 installed and got the update. Even though those links I read said it was not needed.
Nix
September 15th, 2004, 09:07 PM
Yeah that's what my link in this post was about http://discussions.virtualdr.com/showthread.php?s=&postid=863186#post863186
SuperSparks
September 15th, 2004, 09:08 PM
The Windows Hotfix for this does not take the usual form, it is in two parts. The second part takes you to a webpage that downloads an ActiveX control that checks other vulnerable apps. I discovered that if you download the .NET Framework SP1 update at the same time, which requires a reboot, then if you click yes to the reboot you'll lose the webpage part of the update. And it doesn't go into the browser history either for some reason.
Only use the link if you need it, as far as I'm aware you need the first part of the update to be installed first before you can use that ActiveX control.
And I, like Train, also found that despite what those articles say, Windows Update still offers the patch after Service Pack 2 is installed.
Train
September 15th, 2004, 09:13 PM
Definately do this update by its self.
Welshjim
September 15th, 2004, 09:18 PM
Went to Windows Update and surprisingly was told the update was available to me, even though the MSKB article says WinXP SP2 without Office does not need it.
"(Important Windows XP Service Pack 2 (SP2) is not affected by this issue. Windows XP SP2 users only need to update Office (if installed). )" I do not have Office.
So, being a good MS customer I downloaded it, anyway. More concerning I got message saying (best as I can remember) that I had some graphics on my PC that could pose a problem. So I followed the instructions and seeing nothing more specific, clicked the button on http://www.microsoft.com/security/bulletins/200409_jpeg_tool.mspx to scan for "Click for affected Imaging Software". After agreeing to a hold harmless paragraph, nothing happened, except that that link changed into a notice that
"This tool is designed for computers running Windows 2000 and earlier. Windows XP, Windows XP SP1, and Windows Server 2003 users may update their computers by visiting the Windows Update Web site."
Pretty circuitous.
Oh, Well. :rolleyes:
Nix
September 15th, 2004, 09:24 PM
I followed WelshJim's link on a WinNT machine and clicked the [Check for Affected Imaging Software] followed by agreeing to the agreement.
Thw window changed to say No affected imaging software was found on this computer
Welshjim
September 15th, 2004, 09:37 PM
Maybe I spoke too soon. There is another link (#4) below #3 which leads you to a list of software affected.
http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
Since I have none of those I wonder why Windows Update offered the patch to me. (Actually I had seen that list earlier, and so did nothing to get the patch until Windows Update offered it.)
frebo
September 15th, 2004, 09:58 PM
got this reply also
--------------------------------------------------------------------------------
No affected imaging software was found on this computer
SuperSparks
September 15th, 2004, 10:02 PM
That ActiveX control to check affected imaging software is for versions of Windows other than WinXP or Server 2003 BTW. It doesn't work at all on XP, I tried it.
Nix
September 15th, 2004, 10:18 PM
Hmm from the list I can see that my hanging back with WinMe and Office2000 is now paying off. LOL
Train
September 15th, 2004, 10:36 PM
And the funny part is , a completely unpatched Office 2000 gets a clear OK. While the folks that have the Office updates get told to patch it. WIERD is right.
Nix
September 15th, 2004, 10:44 PM
That's me :D
Probably less that 10 Windows Updates installed and zero Office 2000 updates installed.
No firewall, just up to date NAV 2002 and Ad-Aware.
Seems the more secure you try to be the more at risk you seem to be ?
It's more challenging to break into Fort Knox than some small country bank in the back of beyond.
SuperSparks
September 17th, 2004, 04:22 PM
There's some interesting commentary here:
http://news.bbc.co.uk/1/hi/technology/3666702.stm
SuperSparks
September 17th, 2004, 04:38 PM
And if this is anything to go by, it won't be long to wait before this one is exploited:
http://www.theinquirer.net/?article=18510
Make sure that you are patched against this vulnerability, people.
Nix
September 17th, 2004, 08:51 PM
Originally posted by Welshjim
http://www.microsoft.com/security/bulletins/200409_jpeg_tool.mspx
Btw is it just me or does this only work in IE a not Firefox.
The button is greyed out in FF.
Tuttle
September 18th, 2004, 05:21 AM
It uses ActiveX to run code locally on your machine, so it requires IE.
SuperSparks
September 21st, 2004, 04:29 PM
And the first exploits are well under way, according to this:
http://www.theinquirer.net/?article=18585
WinXP users should seriously consider upgrading to SP2 IMO, enad everytone else should get patched. I think this is going to be a big one when it hits :(
104456
September 24th, 2004, 03:53 PM
For those paranoid folk there a GDI Scan tool (http://isc.sans.org/gdiscan.php) thats been produced for scanning all your applications to check if any are vulnerable ;)
gdiscan.exe was written for Windows 2000 and higher. It scans the drive containing the Windows %system% directory and Looks for vulnerable versions of gdiplus.dll, sxs.dll, wsxs.dll, mso.dll.
The scan starts upon execution. It will signal completion of scan in text box with "Done."
Vulnerable versions of the .dll files are listed in RED.
The path where a vulnerable .dll file is found is important. Remember that dlls are loaded in the following order (note: this is a VAST simplification):
The directory from which the application loaded.
The (application's) current directory.
Windows 95/98: The Windows system directory (default: C:\Windows\system)
Windows NT+: The 32-bit Windows system directory (default: C:\WinNT\System32)
Windows NT+: The 16-bit Windows system directory (default: C:\WinNT\System)
The Windows directory (default: C:\WinNT or C:\Windows)
The directories that are listed in the PATH environment variable
My suspicion is that MS added the code to allow backdoors into JPEG's to satisfy the DOJ's assault on pedophiles. That is purely a guess.
Welshjim
September 27th, 2004, 05:28 PM
Concerning http://www.microsoft.com/security/bulletins/200409_jpeg_tool.mspx
maybe this has been said already, but I am finally realizing that the above page is a diagnostic tool to tell you if you need the GDI+ security update. If Step 3 indicates no further action is needed, then so be it. If step 3 says you need the GDI+ security update, you will get instructions where to get it.
Since Windows Update offered this website to me, I assumed it was the GDI+ security fix, itself, which it isn't.
Vernon Frazee
September 29th, 2004, 06:18 AM
GDI+ JPEG exploit worse than first thought (http://discussions.virtualdr.com/showthread.php?threadid=173931)
Welshjim
September 29th, 2004, 01:37 PM
Vernon Frazee--So what are those who are not offered the GDI+ security update (since they do not run Office components) to do about the vulnerability in IE?
104456
September 29th, 2004, 03:12 PM
Or MS Works which also does not have a patch either :rolleyes:
DuaneB
September 29th, 2004, 09:59 PM
According to the Internet Storm Center at the SANS Institute, computers with updated versions of anti-virus software should be protected also.
Originally posted by DuaneB
According to the Internet Storm Center at the SANS Institute, computers with updated versions of anti-virus software should be protected also.From this one, until someone else creates another exploit for the same vuln and gets it out widely before the AV vendors catch up.
Antivirus software is a nice safety net, but it really can't be relied on as an alternative to patching.
Vernon Frazee--Thanks for the very informative references.
I have run the gdiscan and found five "vulnerable" versions of gdiplus.dll, two of which were in Microsoft files
C:\I386\ASMS\1000\MSFT\WINDOWS\GDIPLUS\GDIPLUS.DLL
Version: 5.1.3097.0 <-- Vulnerable version
C:\I386\gdiplus.dll
Version: 5.1.3097.0 <-- Vulnerable version
The new version from the SDK download is
5.1.3102.1360
Has anybody here actually replaced the "vulnerable" version with the new version? Systems still work? Always nice to learn from someone else's experience.
104456
September 30th, 2004, 01:19 PM
Just had the GDI scan note vulnerabilities in Works 7 and NSW2004 as below and replaced both with the patched version and all seems to be working.
C:\Program Files\Microsoft Works\gdiplus.dll
Version: 5.1.3079.3 <-- Vulnerable version [Works v 7]
C:\Program Files\Norton SystemWorks\Password Manager\gdiplus.dll
Version: 5.1.3097.0 <-- Vulnerable version [ NSW 2004]
C:\Program Files\Symantec\Web Tools\GDIPlus.dll
Version: 5.1.3097.0 <-- Vulnerable version [NSW 2004]
DuaneB
September 30th, 2004, 01:21 PM
I ran the GDI scan from that tutorial this morning. I came up with a file at C:\WINDOWS\SYSTEM32\gdiplus.dll that I don't know what to do with. The tutorial says "that I need to visit the web site of this application and see if there is any update available." I don't know where at Microsoft I'm supposed to find an update for it (or what application it applies to).
Welshjim
September 30th, 2004, 08:54 PM
DuaneB--It is unfortunate that there are two threads on this subject. Your last post has been anticipated in the other thread. And I see the problems you have had.
http://discussions.virtualdr.com/showthread.php?s=&postid=868424#post868424
As far as learning what the other non-Microsoft applications are doing about the new gdiplus.dll, you have to go to their websites and see/ask. So far I have had no response.
DuaneB
September 30th, 2004, 08:57 PM
Thanks, Jim. I think there are actually three threads on this issue.
Vernon Frazee
October 1st, 2004, 09:09 AM
Originally posted by Welshjim
Vernon Frazee--So what are those who are not offered the GDI+ security update (since they do not run Office components) to do about the vulnerability in IE? Since IE is a Microsoft product, I'd try their http://windowsupdate.microsoft.com site first?
Vernon Frazee
October 1st, 2004, 09:11 AM
Originally posted by 104456
Or MS Works which also does not have a patch either :rolleyes: Since MSWorks is also a Microsoft product, I'd try their http://windowsupdate.microsoft.com site.
Vernon Frazee
October 1st, 2004, 09:13 AM
Originally posted by Welshjim
Has anybody here actually replaced the "vulnerable" version with the new version? Systems still work? Always nice to learn from someone else's experience. Yes, I have, on a new machine running Windows XP Home with SP2 applied. So far it's working fine.
Vernon Frazee
October 1st, 2004, 09:15 AM
Originally posted by DuaneB
I ran the GDI scan from that tutorial this morning. I came up with a file at C:\WINDOWS\SYSTEM32\gdiplus.dll that I don't know what to do with. The tutorial says "that I need to visit the web site of this application and see if there is any update available." I don't know where at Microsoft I'm supposed to find an update for it (or what application it applies to). I'd try http://windowsupdate.microsoft.com first and see if it recommends any critical updates.
104456
October 1st, 2004, 09:16 AM
Originally posted by Vernon Frazee
Since MSWorks is also a Microsoft product, I'd try their http://windowsupdate.microsoft.com site.
Been there Vernon they dont seem to offer many updates for older versions of Works its seems like Offices lost cousin :D
I ended up just replacing the file with that posted on the MS link you kindly provided.
Vernon Frazee
October 1st, 2004, 09:16 AM
Originally posted by DuaneB
Thanks, Jim. I think there are actually three threads on this issue. Yes, there are. Here are links to the other two:
Security News / Warnings / Updates > GDI+ JPEG exploit worse than first thought
http://discussions.virtualdr.com/showthread.php?threadid=173931
Windows XP > A new Critical Update is available
http://discussions.virtualdr.com/showthread.php?threadid=173155
Nothing on this at the Windows Update site as of a few minutes ago, and still no response from providers of non-Microsoft programs.
Welshjim
October 1st, 2004, 09:53 PM
One of the non-Microsoft program sites has replied that I should use the updated gdiplus.dll file from MS.
However, does anyone have a comment why a "vulnerable" gdiplus.dll file in the Program Files folder for a piece of hardware should mean that the PC is vulnerable to this security exploit? Especially when the gdiplus.dll files in the MS files, such as C:\I386, have been updated?
Vernon Frazee
October 2nd, 2004, 09:19 AM
Microsoft Security Bulletin MS04-028
http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx Frequently asked questions (FAQ) related to this security updateWhat is GDI+?
GDI+ is a graphics device interface that provides two-dimensional vector graphics, imaging, and typography to applications and programmers.
Why are there several affected programs and components?
Windows XP, Windows XP Service Pack 1, and Windows Server 2003 provide an operating system version of the component that is vulnerable to this issue. Earlier versions of Windows did not provide an operating system version of this component. Therefore, when you install programs that require this functionality on earlier versions of Windows, this component is commonly installed. Typically, when these programs are installed on Windows XP, Windows XP Service Pack 1, or Windows Server 2003 they only use the version that is provided by the operating system, even if they install a copy of the vulnerable component.
The exceptions to this are Office XP, Visio 2002, Project 2002, Office 2003, Visio 2003, and Project 2003. To make sure that JPEG images are processed consistently across all operating systems, these programs use their own version of the vulnerable component. This version of the vulnerable component is installed on all operating systems that are supported by these programs. If you have installed these programs, you must install the update for these programs. You must also install an operating system update if you use Windows XP, Windows XP Service Pack 1, or Windows Server 2003. Also, please review the following FAQ questions relating to exceptions for application developers and third-party applications.
...continues...
Welshjim
October 2nd, 2004, 02:20 PM
Thanks, Vernon--
I understand from the quote you provided to say that when the third-party applications requiring gdiplus.dll were installed they actually took the gdiplus.dll from the Windows file (like C:\I386). That would suggest that if those applications had been installed after the Windows files were updated with the new gdiplus.dll from MS, that the applications would have automatically put that "non-vulnerable"version into their program files. And that would suggest that we can substitute the old gdiplus.dll's with the new throughout the PC. (Except where not necessary, like the $NtServicePackUninstall$ and Win SxS folders.)
Would you agree?
The following just muddies the water, but read only if you want. P.S. The FAQ's in the Security Bulletin MS04-028 go on to say
"If the Gdiplus.dll file is installed on your system, you may have to install an update for that program. Not every program that installs this file is vulnerable to this issue because it may not use the Gdiplus.dll file to process JPEG images. Even when the third-party application uses the Gdiplus.dll file to process JPEG images it may not do so in a vulnerable way. For example if an application does not allow users to supply images for processing or performs additional validation on the images before processing, it may not be vulnerable. However, only the manufacturer of that program can make that determination. This could include, but is not limited to, third party applications that were developed using Visual Studio .NET 2002, Visual Studio .NET 2003, or the Microsoft .NET Framework 1.0 SDK Service Pack 2.
Additionally, Windows XP and Windows Server 2003 provide additional methods to help secure applications. These operating systems provide an operating system version of the affected component and can be centrally protected. This means that even if an application installs a version of the Gdiplus.dll file, that the application in most cases will use the operating system supplied version. The operating system version of Gdiplus.dll is updated when you install the appropriate operating system update and will protect most applications from this vulnerability."
So, based on that enlightenment, we are back to
1) not knowing if the "vulnerable" gdiplus.dll file in an application's folder can be activated, and
2) ideally being told by the application provider what the correct thing to do is. Good luck to that.
Vernon Frazee
October 2nd, 2004, 03:15 PM
If third-party programmers have hard-coded their program to use the gdiplus.dll that they shipped with their program, and that gdiplus.dll happens to be one of the vunerable versions, then the first time you use that program to view a jpeg designed to exploit the vunerability, your PC is now at the mercy of whatever that jpeg was designed to do.
In this particular case you might be able to replace that third-party's vunerable gdiplus.dll file in its "c:\program files\whatever folder and it may fix the problem. However, if the third-party programmers also actually modified their copy of the gdiplus.dll, then replacing it would probably break their program.
This is why Microsoft states that you need to contact the third-party software manufacturers.
I'm also quite sure that not all third-party software manufacturers that this problem affects have had time to develop a patch. And some may not even attempt to, especially for their older versions.
Only time will tell how deep this vulnerability has and will continue to haunt us.
virtualdr.com
Copyright WebMediaBrands Inc., All Rights Reserved.