-
One of the non-Microsoft program sites has replied that I should use the updated gdiplus.dll file from MS.
However, does anyone have a comment why a "vulnerable" gdiplus.dll file in the Program Files folder for a piece of hardware should mean that the PC is vulnerable to this security exploit? Especially when the gdiplus.dll files in the MS files, such as C:\I386, have been updated?
-
Microsoft Security Bulletin MS04-028
http://www.microsoft.com/technet/sec.../MS04-028.mspx
Quote:
Frequently asked questions (FAQ) related to this security update
What is GDI+?
GDI+ is a graphics device interface that provides two-dimensional vector graphics, imaging, and typography to applications and programmers.
Why are there several affected programs and components?
Windows XP, Windows XP Service Pack 1, and Windows Server 2003 provide an operating system version of the component that is vulnerable to this issue. Earlier versions of Windows did not provide an operating system version of this component. Therefore, when you install programs that require this functionality on earlier versions of Windows, this component is commonly installed. Typically, when these programs are installed on Windows XP, Windows XP Service Pack 1, or Windows Server 2003 they only use the version that is provided by the operating system, even if they install a copy of the vulnerable component.
The exceptions to this are Office XP, Visio 2002, Project 2002, Office 2003, Visio 2003, and Project 2003. To make sure that JPEG images are processed consistently across all operating systems, these programs use their own version of the vulnerable component. This version of the vulnerable component is installed on all operating systems that are supported by these programs. If you have installed these programs, you must install the update for these programs. You must also install an operating system update if you use Windows XP, Windows XP Service Pack 1, or Windows Server 2003. Also, please review the following FAQ questions relating to exceptions for application developers and third-party applications.
...continues...
-
Thanks, Vernon--
I understand from the quote you provided to say that when the third-party applications requiring gdiplus.dll were installed they actually took the gdiplus.dll from the Windows file (like C:\I386). That would suggest that if those applications had been installed after the Windows files were updated with the new gdiplus.dll from MS, that the applications would have automatically put that "non-vulnerable" version into their program files. And that would suggest that we can substitute the old gdiplus.dll's with the new throughout the PC. (Except where not necessary, like the $NtServicePackUninstall$ and Win SxS folders.)
Would you agree?
The following just muddies the water, but read only if you want. P.S. The FAQs in the Security Bulletin MS04-028 go on to say
"If the Gdiplus.dll file is installed on your system, you may have to install an update for that program. Not every program that installs this file is vulnerable to this issue because it may not use the Gdiplus.dll file to process JPEG images. Even when the third-party application uses the Gdiplus.dll file to process JPEG images it may not do so in a vulnerable way. For example if an application does not allow users to supply images for processing or performs additional validation on the images before processing, it may not be vulnerable. However, only the manufacturer of that program can make that determination. This could include, but is not limited to, third party applications that were developed using Visual Studio .NET 2002, Visual Studio .NET 2003, or the Microsoft .NET Framework 1.0 SDK Service Pack 2.
Additionally, Windows XP and Windows Server 2003 provide additional methods to help secure applications. These operating systems provide an operating system version of the affected component and can be centrally protected. This means that even if an application installs a version of the Gdiplus.dll file, that the application in most cases will use the operating system supplied version. The operating system version of Gdiplus.dll is updated when you install the appropriate operating system update and will protect most applications from this vulnerability."
So, based on that enlightenment, we are back to
1) not knowing if the "vulnerable" gdiplus.dll file in an application's folder can be activated, and
2) ideally being told by the application provider what the correct thing to do is. Good luck to that.
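One way to do the inventory this post is wrestling with, as an added example that is not part of the thread: a PowerShell script that lists every gdiplus.dll on the system drive, skips the backup folders named above, and compares each copy's file version with the OS-supplied copy in System32. It assumes the System32 copy has already been updated with the MS04-028 fix and so serves as the reference; the thread gives no patched version number to hard-code.

```powershell
# Added example, not from the thread. Lists every gdiplus.dll on the system drive and
# compares its file version with the OS-supplied copy in System32, which is assumed to
# have been updated already (the thread gives no patched version number to hard-code).
function Get-GdiplusCopies {
    param([string]$Drive = $env:SystemDrive)

    # Turn strings such as "5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)" or "5, 1, 2600, 2180"
    # into a [version] so they can be compared numerically rather than as text.
    function ConvertTo-Version([string]$s) {
        if (-not $s) { return $null }
        try { [version](($s -replace ',\s*', '.') -replace '[^\d.].*$', '') } catch { $null }
    }

    $refVer = ConvertTo-Version (Get-Item "$env:SystemRoot\System32\gdiplus.dll").VersionInfo.FileVersion
    if (-not $refVer) { throw 'No OS copy of gdiplus.dll found in System32' }

    # Folders the thread says to leave alone: they hold backups, not copies an application loads.
    $skip = @('\WinSxS\', '\$NtServicePackUninstall$\', '\$NtUninstall')

    Get-ChildItem -Path "$Drive\" -Filter gdiplus.dll -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $path = $_.FullName
        if ($skip | Where-Object { $path -like "*$_*" }) { return }   # skip backup folders
        $v = ConvertTo-Version $_.VersionInfo.FileVersion
        $status = if ($null -eq $v)       { 'no version info: ask the vendor' }
                  elseif ($v -lt $refVer) { 'OLDER than OS copy: vendor update needed; whether the app loads it only the vendor can say' }
                  else                    { 'matches or newer than OS copy' }
        [pscustomobject]@{ Path = $path; Version = $v; Status = $status }
      }
}

Get-GdiplusCopies | Sort-Object Status, Path | Format-Table -AutoSize
```

A copy flagged as older is only a lead: as the bulletin quoted above says, whether the application actually loads that copy, and whether it feeds it untrusted JPEGs, is something only the application's vendor can confirm.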
-
If third-party programmers have hard-coded their program to use the gdiplus.dll that they shipped with their program, and that gdiplus.dll happens to be one of the vulnerable versions, then the first time you use that program to view a jpeg designed to exploit the vulnerability, your PC is now at the mercy of whatever that jpeg was designed to do.
In this particular case you might be able to replace that third-party's vulnerable gdiplus.dll file in its "c:\program files\whatever" folder and it may fix the problem. However, if the third-party programmers also actually modified their copy of the gdiplus.dll, then replacing it would probably break their program.
This is why Microsoft states that you need to contact the third-party software manufacturers.
I'm also quite sure that not all third-party software manufacturers that this problem affects have had time to develop a patch. And some may not even attempt to, especially for their older versions.
Only time will tell how deep this vulnerability has and will continue to haunt us.