GDI Scanner Released Sep 23 2004


nick s
September 24th, 2004, 03:39 PM
GDI Scanner Released (http://isc.sans.org/diary.php?date=2004-09-23)

gdiscan.exe was written for Windows 2000 and higher. It scans the drive containing the Windows %system% directory and looks for vulnerable versions of gdiplus.dll, sxs.dll, wsxs.dll, mso.dll. (http://isc.sans.org/gdiscan.php)
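As an added example (not the ISC tool's code, which was never published in this thread), the following Python script shows the mechanism such a scanner relies on: walk a tree, pick out the DLL names listed above (plus vgx.dll, which appears in the scan output later in the thread), read each file's version straight out of the PE VS_FIXEDFILEINFO block, and compare it numerically against a minimum patched version. The MIN_FIXED table is an assumption: its values are the unflagged Windows XP SP2 entries from the scan posted further down, used as placeholders for the per-platform versions in MS04-028. The sample tree built by demo() is constructed, not real DLLs.

```python
#!/usr/bin/env python3
"""Added example: a minimal stand-in for the gdiscan.exe idea.

Walks a tree, finds the DLL names the scanner looks for, reads their
file version from the PE VS_FIXEDFILEINFO block and compares it against
an assumed minimum patched version.  Not the ISC tool's code.
"""
import os
import struct
import tempfile
from pathlib import Path

# VS_FIXEDFILEINFO starts with this signature; the two DWORDs after
# dwStrucVersion are dwFileVersionMS / dwFileVersionLS.
VS_FFI_SIGNATURE = 0xFEEF04BD

# File names from the ISC description plus vgx.dll from the posted scan output.
TARGET_NAMES = {"gdiplus.dll", "sxs.dll", "wsxs.dll", "mso.dll", "vgx.dll"}

# ASSUMPTION: minimum patched versions.  These are the unflagged XP SP2
# entries in the scan output posted in this thread, used as placeholders;
# take the real per-platform values from MS04-028.  Versions are tuples
# so they compare numerically (as strings, "5.1.2600.998" would sort
# after "5.1.2600.1515").
MIN_FIXED = {
    "gdiplus.dll": (5, 1, 3102, 2180),
    "sxs.dll": (5, 1, 2600, 2180),
    "vgx.dll": (6, 0, 2900, 2180),
}


def file_version(path):
    """Return (major, minor, build, revision) from the first VS_FIXEDFILEINFO
    found in the file, or None if there is none.  Searching for the
    signature instead of walking the PE resource directory is a shortcut:
    fine for these DLLs, but a chance match in other data is possible."""
    data = Path(path).read_bytes()
    idx = data.find(struct.pack("<I", VS_FFI_SIGNATURE))
    if idx < 0 or idx + 16 > len(data):
        return None
    _sig, _struc_ver, ms, ls = struct.unpack_from("<4I", data, idx)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def classify(name, version):
    """Compare a found version against the assumed minimum for that DLL."""
    minimum = MIN_FIXED.get(name.lower())
    if minimum is None:
        return "unknown (no patched version configured)"
    return "vulnerable" if version < minimum else "ok"


def scan(root, system_dir="WINDOWS"):
    """Walk root; return sorted (relative_path, version, status, where) tuples.
    'where' is "os" for copies under the Windows directory (fixed by the OS
    update) and "app" for private copies shipped by other software, which
    the bulletin says should be updated by that software's own patch."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn.lower() not in TARGET_NAMES:
                continue
            full = Path(dirpath) / fn
            rel = full.relative_to(root)
            where = "os" if rel.parts[0].lower() == system_dir.lower() else "app"
            ver = file_version(full)
            status = "no version info" if ver is None else classify(fn, ver)
            findings.append((rel.as_posix(), ver, status, where))
    return sorted(findings)


def vs_fixedfileinfo(version):
    """Build bytes shaped like VS_FIXEDFILEINFO for a constructed test file;
    only the first four DWORDs matter to file_version()."""
    major, minor, build, rev = version
    return struct.pack("<4I", VS_FFI_SIGNATURE, 0x00010000,
                       (major << 16) | minor, (build << 16) | rev) + b"\0" * 36


def demo():
    """Constructed sample tree (not real DLLs): scan it and return a dict."""
    root = Path(tempfile.mkdtemp())
    layout = {
        "WINDOWS/system32/gdiplus.dll": (5, 1, 3102, 2180),    # patched OS copy
        "Program Files/SomeApp/GDIPlus.dll": (5, 1, 3097, 0),  # old private copy
        "WINDOWS/system32/sxs.dll": (5, 1, 2600, 2180),
        "Program Files/SomeApp/mso.dll": (11, 0, 6360, 0),     # no threshold set
        "WINDOWS/system32/kernel32.dll": (5, 1, 2600, 2180),   # not a target
    }
    for rel, ver in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"MZ" + b"\0" * 62 + vs_fixedfileinfo(ver))
    (root / "Program Files/SomeApp/vgx.dll").write_bytes(b"not a PE file")
    return {rel: (ver, status, where) for rel, ver, status, where in scan(root)}


if __name__ == "__main__":
    for rel, (ver, status, where) in demo().items():
        print(f"{rel}: {ver} {status} [{where}]")
```

The "app" entries are the ones the thread goes on to ask about: private copies of gdiplus.dll under Program Files are not touched by the Windows update, so the report separates them from copies under the OS directory rather than lumping everything together.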

Devinco
September 25th, 2004, 03:32 PM
Thanks nick s for pointing this out.
This is a really important problem.
I did the whole SP2 and Office updates and thought I was protected from the new GDI exploit.

WRONG!!

After running the GDIscan, it found 3 copies of the vulnerable version and 7 copies of possibly vulnerable!

All they would have to do is target the vulnerable files in those other locations to exploit it.
The files included gdiplus.dll, MSO.DLL, vgx.dll, and sxs.dll.
Should I copy the newer versions (not vulnerable) over the older versions?
What about Windows File Protection? Will that prevent the overwriting process? How should I go about doing this?

For example:
C:\Program Files\Norton SystemWorks\Web Cleanup\GDIPlus.dll
Version: 5.1.3097.0 <-- Vulnerable version

Should I copy the file below and overwrite the above file?
C:\WINDOWS\system32\gdiplus.dll
Version: 5.1.3102.2180
Will the capitalization difference cause a problem?

I have other vulnerable items like in office 10 (now using office 11), etc.

nick s
September 25th, 2004, 04:47 PM
Check out Microsoft's FAQ on the vulnerability (Microsoft Security Bulletin MS04-028 (http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx)) and see if you are still affected. You should be able to overwrite any file located outside of your system folder (capitalization does not matter) and some folders like *:\386 are just for file storage. The FAQ does mention potential compatibility issues if manually updating components installed by third-party apps:

"Furthermore, in these cases you would only be vulnerable to this issue while using the affected program to process images. Installing the operating system update and the updates for the affected programs and components listed in this bulletin will help reduce the chance that you will be attacked from the most common attack vectors an attacker could use to exploit this vulnerability.

It is also important to note that you should install any available security updates instead of manually updating the affected component, if possible. Manually updating the affected component could create application compatibility issues and is not supported. Also, applications that feature Detect and Repair functionality will not receive the necessary information required to prevent these features from potentially introducing the vulnerability upon execution if the affected component is manually updated."

Nick

nick s
September 25th, 2004, 04:52 PM
My scan showed these. I will try removing these manually later and let you know how it goes:

Scanning Drive C:...
C:\I386\ASMS\1000\MSFT\WINDOWS\GDIPLUS\GDIPLUS.DLL
Version: 5.1.3097.0 <-- Vulnerable version
C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
Version: 6.0.2900.2180
C:\WINDOWS\$NtServicePackUninstall$\sxs.dll
Version: 5.1.2600.1515
C:\WINDOWS\$NtServicePackUninstall$\vgx.dll
Version: 6.0.2800.1265 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\WINDOWS\$NtUninstallKB839645$\sxs.dll
Version: 5.1.2600.1106 <-- Possibly vulnerable (Backup for uninstall purposes)
C:\WINDOWS\ServicePackFiles\i386\sxs.dll
Version: 5.1.2600.2180
C:\WINDOWS\ServicePackFiles\i386\vgx.dll
Version: 6.0.2900.2180
C:\WINDOWS\system32\dllcache\sxs.dll
Version: 5.1.2600.2180
C:\WINDOWS\system32\dllcache\vgx.dll
Version: 6.0.2900.2180
C:\WINDOWS\system32\sxs.dll
Version: 5.1.2600.2180
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
Version: 5.1.3097.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\GdiPlus.dll
Version: 5.1.3101.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\GdiPlus.dll
Version: 5.1.3102.2180
Scan Complete.


Nick

Devinco
September 25th, 2004, 04:57 PM
Thanks Nick!

chew
September 25th, 2004, 05:54 PM
Just scanned my system using the GDI Scanner ... hmmm ... after all those Micro$oft Critical patches etc. I still managed to find a few vulnerable DLLs and a few possibly vulnerable ones...

But Micro$oft patch said I got everything updated.

So how do I protect myself?

???

snowbound
September 25th, 2004, 05:59 PM
Everyone,

Please read the General Policy info in this thread,

http://www.wilderssecurity.com/showthread.php?t=17362

about posting here in Update Alerts. You can follow up in Software & Services if you need to.

Thanks.

EDIT- discussion continued over here,

http://www.wilderssecurity.com/showthread.php?p=264323


snowbound