Am I correct in assuming that jpgs which have the potentially
threatening code will only be a threat if opened/viewed by a program
that has a gdiplus.dll?

I find only 4 instances of gdiplus.dll on my system, all of which are
version 5.3xxx.xx. In a previously posted question I was assured that
these were safe.

Can I now assume that other jpg handling applications are safe? That
the only danger is from older gdiplus.dlls?

Thanks

Re: gdiplus.dll security question by Roger

Roger
Fri Sep 17 14:05:53 CDT 2004

I assume when you said 5.3.x you did mean version 5.1.3102.1355?
A 5.1.x.y version at or above this does not have the exploitable code.
Having a copy of the 5.1.x.y dll below this version does not automatically
mean that you have a problem. If the dll is in the WinSxS directory then
it cannot be used if the OS patch for ms04-028 has been applied.
Even if there are other instances below the threshold present, then
something needs to cause that instance to be used with a specially
crafted jpeg.
However, you may have jpeg handling applications that use their
own code and do not use gdiplus.dll. Once your system is cleaned of
versions not in WinSxS that are below the version threshold(s), then
you are assured that jpegs cannot cause this gdiplus.dll overflow
based exploit.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4



Re: gdiplus.dll security question by Jentle

Jentle
Fri Sep 17 15:32:40 CDT 2004

Thank you so much for your clear and informative response. Very very
helpful and reassuring.

I was, prior to your information, extremely frustrated trying to
clarify the situation. I must also state that my prior questions were
badly phrased. It took a couple of days for me to even begin to
understand what this alert really meant.

I wish MS had the sense to publish such an explanation as yours, in
language that any reasonably literate non-technically trained or
experienced person could understand. Very well done on your part.

Please see below.

On Fri, 17 Sep 2004 12:05:53 -0700, "Roger Abell [MVP]"
<mvpNoSpam@asu.edu> wrote:

>I assume when you said 5.3.x you did mean version 5.1.3102.1355 ?
>A 5.1.x.y version at or above this does not have the exploitable code
>Having a copy of the 5.1.x.y dll below this version does not automatically
>mean that you have a problem.

I have four instances of gdiplus.dll:
one is in Picture It, v. 5.1.3102.1355

The others are all in WinSxS as follows:
v. 5.1.3097.0
v. 5.1.3101.0
v. 5.1.3102.2180

Based on your response I now feel comfortable in saying that my
computer is safe.

Just one last question, if you are able to address it.

Is it possible, or even likely, that this JPEG coding will be regarded
as a virus and included in the updates from the various Virus control
apps?

Thanks again, I truly appreciate it.

Jentle Jiant

> If the dll is in the WinSxS directory then
>it cannot be used if the OS patch for ms04-028 has been applied.
>Even if there are other instances below the threshold present, then
>something needs to cause that instance to be used with a specially
>crafted jpeg.
>However, you may have jpeg handling applications that use their
>own code and do not use gdiplus.dll. Once your system is cleaned of
>versions not in WinSxS that are below the version threshold(s), then
>you are assured that jpegs cannot cause this gdiplus.dll overflow
>based exploit.


Re: gdiplus.dll security question by Torgeir

Torgeir
Fri Sep 17 15:59:20 CDT 2004

Jentle Jiant wrote:

> Is it possible, or even likely, that this JPEG coding will be
> regarded as a virus and included in the updates from the various
> Virus control apps?

Hi

That has happened already:

MS04-028 -- McAfee releases JPEG exploit detection
http://vil.nai.com/vil/content/v_128461.htm

as well as Symantec:
http://securityresponse.symantec.com/avcenter/venc/data/bloodhound.exploit.13.html


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx

Re: gdiplus.dll security question by Jentle

Jentle
Fri Sep 17 17:04:13 CDT 2004

Good for them!

And I am always current with my defs, so now I can look at a jpeg in
safety!

:)

Thanks for letting me know

Jentle Jiant



Re: gdiplus.dll security question by Roger

Roger
Sat Sep 18 12:16:04 CDT 2004

Thank you for the kind words Jentle Jiant.
As an IT professional it took me most of an afternoon to get
a handle on just what all the impacts of 028 were, so I would
not feel left out were I you, not at all.

I believe Torgeir has addressed your question about AV vendors
addressing this also. And, as to your added info, only two of the
four versions are now outdated
> V. 5.1.3097.0
> v. 5.1.3101.0
and the WinSxS policies should prevent them from being used.

For the others who may have read or will yet read this thread, note
that the contained information covers only one of the involved
dlls, and that in only the 5.1.x.y version.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4
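Roger's two rules above (the 5.1.3102.1355 threshold, and the WinSxS exception once the MS04-028 OS patch is on), applied in code. This is an added example written for this thread, not code from any poster or from Microsoft. It assumes a version inventory you have already gathered; the version numbers are the ones Jentle Jiant lists, the paths are constructed (the WinSxS sub-folder names are placeholders, and the Office file name is assumed), and versions are compared field by field rather than as strings.

```python
"""Apply the MS04-028 gdiplus.dll rules from this thread to a version inventory.

Rules, as Roger states them for the 5.1.x.y line of gdiplus.dll:
  * file version at or above 5.1.3102.1355  -> fixed code, nothing to do
  * below that and located under WinSxS     -> cannot be loaded once the OS
    patch for MS04-028 is applied (side-by-side policy redirects callers)
  * below that, anywhere else               -> still exploitable; clean it up
Other version lines (e.g. the copy inside Office) are outside these rules.
"""
from pathlib import PureWindowsPath

# Threshold from the thread: first fixed build of the 5.1.x.y gdiplus.dll.
FIXED_VERSION = "5.1.3102.1355"


def parse_version(text):
    """Turn '5.1.3102.1355' into a tuple of ints for numeric comparison.

    Comparing version strings as text ranks '5.1.3102.999' above
    '5.1.3102.1355' because '9' > '1'; tuples compare field by field.
    A doubled dot, as in the thread's typo '5..1.3102.1355', is tolerated.
    """
    parts = [p for p in text.strip().split(".") if p]
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part file version: {text!r}")
    return tuple(int(p) for p in parts)


def is_winsxs_path(path):
    """True when the file sits below a WinSxS directory (case-insensitive)."""
    return any(part.lower() == "winsxs" for part in PureWindowsPath(path).parts)


def classify(path, version, os_patch_applied=True):
    """Return one verdict per copy: fixed, isolated-by-winsxs, vulnerable,
    or outside-5.1-line for versions the thread's threshold does not cover."""
    v = parse_version(version)
    if v[:2] != (5, 1):
        return "outside-5.1-line"
    if v >= parse_version(FIXED_VERSION):
        return "fixed"
    if is_winsxs_path(path) and os_patch_applied:
        return "isolated-by-winsxs"
    return "vulnerable"


# Constructed inventory: the version numbers Jentle Jiant reports in the
# thread, with assumed paths (the posts name only "Picture It" and "WinSxS";
# the WinSxS sub-folder names are placeholders, not real assembly names).
SAMPLE_INVENTORY = [
    (r"C:\Program Files\Microsoft Picture It\gdiplus.dll", "5..1.3102.1355"),
    (r"C:\WINDOWS\WinSxS\gdiplus-assembly-A\gdiplus.dll", "5.1.3097.0"),
    (r"C:\WINDOWS\WinSxS\gdiplus-assembly-B\gdiplus.dll", "5.1.3101.0"),
    (r"C:\WINDOWS\WinSxS\gdiplus-assembly-C\gdiplus.dll", "5.1.3102.2180"),
    # The Office 10.0.6626.0 copy Jentle mentions later; file name assumed,
    # and Roger notes the Office line is separate from the 5.1.x.y rules.
    (r"C:\Program Files\Common Files\Microsoft Shared\Office10\mso.dll", "10.0.6626.0"),
]


def audit(inventory, os_patch_applied=True):
    """Classify every copy; the second value is True if any copy is exploitable."""
    verdicts = {path: classify(path, ver, os_patch_applied) for path, ver in inventory}
    return verdicts, any(v == "vulnerable" for v in verdicts.values())


if __name__ == "__main__":
    verdicts, exposed = audit(SAMPLE_INVENTORY)
    for path, verdict in verdicts.items():
        print(f"{verdict:20} {path}")
    print("still exposed:", exposed)
```

Run as a script it prints one verdict per copy and a final yes/no. The two outdated WinSxS copies come out `isolated-by-winsxs` only because `os_patch_applied` defaults to True; pass `os_patch_applied=False` and the same two copies are reported `vulnerable`, which is the distinction Roger draws between "present" and "usable".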



Re: gdiplus.dll security question by Jentle

Jentle
Sat Sep 18 18:46:33 CDT 2004

On Sat, 18 Sep 2004 10:16:04 -0700, "Roger Abell [MVP]"
<mvpNoSpam@asu.edu> wrote:

>Thank you for the kind words Jentle Jiant.

My pleasure, Roger. You are welcome. It feels much better to praise
than to complain. And I think you guys get mostly the former, with
little positive recognition.

A bit of possible clarification below please.

>As an IT professional it took me most of an afternoon to get
>a handle on just what all the impacts of 028 were, so I would
>not feel left out were I you, not at all.
>
>I believe Torgeir has addressed you question about AV vendors
>addressing this also. And, as to your added info, only two of the
>four versions are now outdated
>> V. 5.1.3097.0
>> v. 5.1.3101.0
>and the WinSxS policies should prevent them from being used.
>
Could/should I simply paste copies of 5.1.3102.1355 into those
folders? Any reason not to?

>For the other that may have / will yet read this thread, note
>that the contained information covers only one of the involved
>dlls, and that in only the 5.1.x.y version.

What other dlls?
This is news to me. I thought I was done with this issue.

Ah, me oh my.... and the beat goes on...

Thanks again,

Jentle Jiant


Re: gdiplus.dll security question by Roger

Roger
Sat Sep 18 21:18:16 CDT 2004

You would not be able to overwrite the WinSxS copies as they
are protected by the system.
The other versions of gdiplus.dll are found on other versions
of Windows or with Office 2003 installed, and this includes the
mso.dll of Office.

--
Roger



Re: gdiplus.dll security question by Jentle

Jentle
Sun Sep 19 03:12:40 CDT 2004

Once again, thanks

On Sat, 18 Sep 2004 19:18:16 -0700, "Roger Abell [MVP]"
<mvpNoSpam@asu.edu> wrote:

>You would not be able to overwrite the WinSxS copies as they
>are protected by the system.

Well, since you said 'WinSxS policies should prevent them from being
used' I shall not allow myself to be paranoid about them.

>The other versions of gdiplus.dll are found on other versions
>of Windows or with Office 2003 installed, and this includes the
>mso.dll of Office.

I have v 10.0.6626.0 in the ProgramFiles\CommonFiles\Shared\Office10
(I have Word 2002 and Works).
I did an Office Update immediately following the Security Update. It
included a long delayed Service Pack 2. So I assume I am up to date
here as well. (Unless I hear otherwise from you!)

Thanks again

And Best Wishes
(I bet you can't wait until this issue dies a natural death!)

Jentle Jiant



Re: gdiplus.dll security question by rbscheer

rbscheer
Sun Sep 19 15:09:38 CDT 2004

Hi Roger.

What exactly are these WinSxS copies of gdiplus.dll? These are the
only ones (3 copies) found on my system when I made a Search - For
Files or Folders, but the Gdi+ tool warns me that I have vulnerable
versions of the dll. I have .NET Framework 1.1 SP1 and Office XP
installed on my system. The Office Update site does not ask me to
update anything. Does the .NET Framework SP1 update this dll?

Thanks,
Robert Scheer



Re: gdiplus.dll security question by Torgeir

Torgeir
Mon Sep 20 10:43:39 CDT 2004

Robert Scheer wrote:

> Hi Roger.
>
> What exactly are these WinSxS copies of gdiplus.dll?

Isolated Applications and Side-by-side Assemblies
http://msdn.microsoft.com/library/en-us/sbscs/setup/isolated_applications_and_side_by_side_assemblies_start_page.asp


> These are the
> only ones (3 copies) found on my system when I made a Search - For
> Files or Folders, but the Gdi+ tool warns me that I have vulnerable
> versions of the dll. I have .NET Framework 1.1 SP1 and Office XP
> installed on my system. The Office Update site does not ask me to
> update anything. Do the .NET Framework SP1 updates this dll?

With SP1 for .NET Framework 1.1 installed, your .NET Framework 1.1
installation is not vulnerable.

For which Office versions are affected, and the updates for them,
take a look here:

Microsoft Security Bulletin MS04-028
Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution
http://www.microsoft.com/technet/security/Bulletin/MS04-028.mspx

Note that for Office XP it is the file Mso.dll that can be vulnerable.


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx