Two questions about the GDIPlus (GDI+) JPEG Vulnerability:

1. I'm running Windows 2K and Office XP. I ran Windows Update (which
updated the .NET frameworks) and the Office Update (which installed some
updates) and then as prompted by Microsoft's vulnerability tool, I ran
GDIPLUS_6.exe to patch Microsoft Picture It! 20002. Now when I scan the
system for gdiplus.dll, I find that none of them have recent dates. Is
this ok?

2. I noticed that my Visual FoxPro directory contains a gdiplus.dll
file, but Visual FoxPro is not on the Microsoft list either of
vulnerable, or not vulnerable products. Is there a needed GDIPlus patch
for Visual FoxPro?

Thanks, Kevin

Re: GdiPlus (GDI+) JPEG Vulnerability - patching by Torgeir

Torgeir
Fri Sep 17 15:00:03 CDT 2004

Kevin Davidson wrote:

> Two questions about the GDIPlus (GDI+) JPEG Vulnerability:
>
> 1. I'm running Windows 2K and Office XP. I ran Windows Update
> (which updated the .NET frameworks) and the Office Update (which
> installed some updates) and then as prompted by Microsoft's
> vulnerability tool, I ran GDIPLUS_6.exe to patch Microsoft Picture
> It! 20002. Now when I scan the system for gdiplus.dll, I find
> that none of them have recent dates. Is this ok?

The files can be as old as 27-Feb-2004 and still be OK. But don't look
at the dates, look at the version numbers.

For the 5.1.x.x versions, you need at least 5.1.3102.1355, and as far
as I know, the only public newer version is 5.1.3102.1360.

So if all 5.1.x.x versions are either 5.1.3102.1355 or 5.1.3102.1360,
you are OK in the gdiplus.dll file part.


> 2. I noticed that my Visual FoxPro directory contains a gdiplus.dll
> file, but Visual FoxPro is not on the Microsoft list either of
> vulnerable, or not vulnerable products. Is there a needed GDIPlus
> patch for Visual FoxPro?

As long as you are finished installing *all* relevant updates from
the MS04-028 bulletin (see link below), if you still find 5.1.x.x
gdiplus.dll files on the hard disk with a lesser version number than
5.1.3102.1355 (outside any %windir%\WinSxS\... folder that is),
you should replace them with the gdiplus.dll v5.1.3102.1360 file
that is available here:

Platform SDK Redistributable: GDI+
http://www.microsoft.com/downloads/details.aspx?FamilyId=6A63AB9C-DF12-4D41-933C-BE590FEAA05A&displaylang=en
(this download link is also found in the MS04-028 bulletin)

I suggest you create a backup somewhere of all the old 5.1.x.x
versions before replacing them, just in case the application using
the dll doesn't like the replacement (unlikely though).


Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution
http://www.microsoft.com/technet/security/Bulletin/MS04-028.mspx



--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
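The check Torgeir describes (walk the disk for gdiplus.dll, judge each copy by its file version rather than its date, treat 5.1.x.x copies below 5.1.3102.1355 as needing replacement, and leave the %windir%\WinSxS copies alone) can be automated. The script below is an added example, not code from this thread or from Microsoft. It assumes Python 3 and reads the version straight out of the PE file's VS_FIXEDFILEINFO block by locating the VS_VERSION_INFO key and the 0xFEEF04BD signature, a dependency-free shortcut that does not walk the resource directory; the function and path names, the verdict labels and the constructed sample blob are mine.

```python
import os
import re
import struct
import sys

# Minimum safe 5.1.x.x build named in the thread; 5.1.3102.1360 is the newer redistributable.
MIN_SAFE_51 = (5, 1, 3102, 1355)
VERSION_KEY = "VS_VERSION_INFO".encode("utf-16-le")   # key string inside the version resource
FIXEDFILEINFO_SIGNATURE = b"\xbd\x04\xef\xfe"          # dwSignature 0xFEEF04BD, little-endian


def parse_file_version(data: bytes):
    """Return (major, minor, build, revision) from a PE image's VS_FIXEDFILEINFO, or None.

    Assumption: the first 0xFEEF04BD after the VS_VERSION_INFO key starts the
    VS_FIXEDFILEINFO structure; dwStrucVersion, dwFileVersionMS and
    dwFileVersionLS follow the signature in that order.
    """
    key_at = data.find(VERSION_KEY)
    if key_at < 0:
        return None
    sig_at = data.find(FIXEDFILEINFO_SIGNATURE, key_at)
    if sig_at < 0:
        return None
    _struc_ver, ms, ls = struct.unpack_from("<III", data, sig_at + 4)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def read_file_version(path):
    """Read a file and extract its version, or None if it carries no version resource."""
    with open(path, "rb") as f:
        return parse_file_version(f.read())


def in_winsxs(path):
    """True if the path has a WinSxS component (accepts both separators)."""
    return "winsxs" in re.split(r"[\\/]", path.lower())


def assess(path, version):
    """Classify one gdiplus.dll copy according to the rules given in the reply."""
    if in_winsxs(path):
        return "skip"          # side-by-side copies are managed by the OS; not replaced by hand
    if version is None:
        return "unknown"       # no version resource found: inspect the file manually
    if version[:2] != (5, 1):
        return "other-branch"  # the 5.1.3102.1355 threshold applies only to 5.1.x.x builds
    return "ok" if version >= MIN_SAFE_51 else "replace"


def scan(root):
    """Walk root and return (path, version, verdict) for every gdiplus.dll found."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "gdiplus.dll":
                full = os.path.join(dirpath, name)
                ver = read_file_version(full)
                findings.append((full, ver, assess(full, ver)))
    return findings


def fake_dll_bytes(version):
    """Constructed sample input: a minimal blob carrying a version resource, not a real DLL."""
    major, minor, build, rev = version
    ms = (major << 16) | minor
    ls = (build << 16) | rev
    return (b"\x00" * 16 + VERSION_KEY + b"\x00\x00" + FIXEDFILEINFO_SIGNATURE
            + struct.pack("<III", 0x00010000, ms, ls) + b"\x00" * 40)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    for full, ver, verdict in scan(root):
        shown = ".".join(map(str, ver)) if ver else "?"
        print(verdict.ljust(12), shown.ljust(16), full)
```

Run it with the drive root as its argument and act only on the lines marked "replace"; "other-branch" copies (any gdiplus.dll that is not 5.1.x.x) fall outside the threshold quoted above and should be checked against the MS04-028 bulletin instead.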