A new Critical Update is available

**SuperSparks** · September 15th, 2004, 08:13 PM

A Critical Update is available to fix what could potentially be a very nasty vulnerability. Despite what some of you may have read, Windows Update offers the patch even if you have SP2 installed.

This is a more complex patch than usual, please see my thread here:

http://discussions.virtualdr.com/sho...525#post863525

**SuperSparks** · September 15th, 2004, 09:14 PM

It's also available for Windows server 2003 BTW.

**LotusAstra** · September 15th, 2004, 09:22 PM

Note that the actual JPEG vulnerability does NOT effect XP SP2...

It is only the GDI+ Detection tool that is available on SP2.

EDIT: forget what i said about bugs for now, I'll keep ya updated if i find anything else.

**Welshjim** · September 16th, 2004, 12:21 PM

SuperSparks--"Critical" Update or "High Priority" Update?

So many changes in XP, for no purpose that I can see.

**SuperSparks** · September 16th, 2004, 12:43 PM

Going by the news sites, everyone is calling it Critical. I think if an exploit for this one gets written it will be at least as bad as Blaster was.

**104456** · September 16th, 2004, 12:50 PM

Critical Security Bulletins
===========================

MS04-028 - Buffer Overrun in JPEG Processing (GDI+) Could Allow
Code Execution (833987)

- Affected Software:

- Windows XP and Windows XP Service Pack 1
- Windows XP 64-Bit Edition Service Pack 1
- Windows XP 64-Bit Edition Version 2003
- Windows Server 2003
- Windows Server 2003 64-Bit Edition

- Office 2003
- Office XP Service Pack 3
- Visio 2003 (All versions)
- Visio 2002 Service Pack 2 (All versions)
- Project 2003 (All versions)
- Project 2002 Service Pack 1 (All versions)

- Review bulletin MS04-O28 for information about
these affected operating systems and applications:

- Windows NT Workstation 4.0 Service Pack 6a
- Windows NT Server 4.0 Service Pack 6a
- Windows NT Server 4.0 Terminal Server Edition
Service Pack 6
- Windows 2000 Service Pack 2
- Windows 2000 Service Pack 3
- Windows 2000 Service Pack 4

- The Microsoft .NET Framework, version 1.0
- The Microsoft .NET Framework, version 1.1
- Internet Explorer 6 Service Pack 1

- Picture It! 2002 (All versions)
- Greetings 2002
- Picture It! version 7.0 (All versions)
- Digital Image Pro version 7.0
- Picture It! version 9 (All versions)
Including Picture It! Library)
- Digital Image Pro version 9
- Digital Image Suite version 9
- Producer for Microsoft Office PowerPoint
(All versions)

- Visual Studio 2003 .NET
- Visual Basic .NET Standard 2003
- Visual C# .NET Standard 2003
- Visual C++ .NET Standard 2003
- Visual J# .NET Standard 2003
- Visual Studio 2002 .NET
- Visual Basic .NET Standard 2002
- Visual C# .NET Standard 2002
- Visual C++ .NET Standard 2002
- The Microsoft .NET Framework, version 1.0 SDK
- Platform SDK Redistributable: GDI+

- Review the FAQ section of bulletin MS04-O28 for
information about these operating systems:

- Microsoft Windows 98
- Microsoft Windows 98 Second Edition (SE)
- Microsoft Windows Millennium Edition (ME)

- Impact: Remote Code Execution
- Version Number: 1.0

Important Security Bulletins
============================

MS04-027 - Vulnerability in WordPerfect Converter Could
Allow Code Execution (884933)

- Affected Software:
- Office 2003
- Office XP Service Pack 3
- Office 2000 Service Pack 3
- Works Suite (All versions)

- Impact: Remote Code Execution
- Version Number: 1.0

Microsoft Security Bulletin Summary for September, 2004

**hongman** · September 16th, 2004, 12:59 PM

And there's me telling me poor friends and family that they cant catch a virus from pics...

**DuaneB** · September 28th, 2004, 05:00 PM

Someone is using it already.

"Malicious hackers are seeding Internet news groups that traffic in pornography with JPEG images that take advantage of a recently disclosed security hole in Microsoft's software....."

Hackers Target Microsoft JPEG Hole
http://www.pcworld.com/news/article/...092804X,00.asp

**SuperSparks** · September 28th, 2004, 07:02 PM

Thanks for the heads up Duane. It just goes to illustrate how much more malicious the internet is becoming - it was months between the patch for the Blaster worm being released and an actual exploit appearing. This time round it's just been a matter of days

**frebo** · September 28th, 2004, 07:06 PM

i still dont have that update yet in critical or priority

**DuaneB** · September 28th, 2004, 07:10 PM

You can get it here.

MS04-028: Buffer overrun in JPEG processing (GDI+) could allow code execution (KB 833987)
http://support.microsoft.com/default...b;en-us;833987

**frebo** · September 28th, 2004, 07:23 PM

duane if i have sp2 and dont have any of the others that they show should i download ?

**DuaneB** · September 28th, 2004, 07:48 PM

No. XP SP2 does not contain a vulnerable version of the affected component. However, people who have installed any of the affected Office, Visio, or Project applications should install the updates for those applications.

**Welshjim** · September 28th, 2004, 07:56 PM

frebo--Maybe you understood this all along--I did not for some time-- but the GDI+ "Update" you may have gotten from Windows Update, was only a diagnostic tool to determine if you needed the actual GDI+ Security Update. If after running Step 3, that diagnosis determines you need the actual update, based on analysis of programs other than XP SP2 on your PC, you will be told how to get it.
It took me some time to figure this out. I thought the original Windows Update offer was for the actual Security Update.

**frebo** · September 28th, 2004, 08:15 PM

thanks duane, jim from what i can muster out of all this is it told me i didnt need the update. i have office premium2000 and have kept up with updates and the tool said i was not affected. i will look into it farther,thanks for pointing that out.

Thread: A new Critical Update is available

Thread Tools

Search Thread

Display

A new Critical Update is available

Thread Information

Users Browsing this Thread

Posting Permissions