View Full Version : JPEG overflow vulnerability and Microsoft Works Suite


richrf
October 26th, 2004, 12:03 PM
Hi everyone,

Has anyone seen a bulletin or discussion thread concerning the JPEG overflow vulnerability and Microsoft Works?

I have downloaded all Windows Updates for SP2 but the GDI scan still shows vulnerable dlls in the Microsoft Works directory. Microsoft tells me not to worry. But I would like verification. Any info would be appreciated.

Rich

Robyn
October 26th, 2004, 12:24 PM
Here is the link to the actual Microsoft bulletin: Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987) (http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx). HTH

Listed programs from a BBC link

VULNERABLE PROGRAMS
Windows XP
Windows XP Service Pack 1
Windows Server 2003
Internet Explorer 6 SP1
Office XP SP3
Office 2003
Digital Image Pro 7.0
Digital Image Pro 9
Digital Image Suite 9
Greetings 2002
Picture It! 2002
Picture It! 7.0
Picture It! 9
Producer for PowerPoint
Project 2002 SP1
Project 2003
Visio 2002 SP2
Visio 2003
Visual Studio .NET 2002
Visual Studio .NET 2003

Pilli
October 26th, 2004, 12:25 PM
Hi Rich: http://www.diamondcs.com.au/jpegscan/ Test And clean your JPEGS for free: :)

HTH Pilli ;D

richrf
October 26th, 2004, 12:29 PM
Hi Robyn,

Thanks for the link. I already had a chance to read it and unfortunately nothing is said concerning Microsoft Works Suite 2003. I'm not sure it is because there are no vulnerabilities or Microsoft doesn't have a patch yet. The reason I am concerned is because the gdiscan shows vulnerabilities do exist on my system, even after all of the Windows Updates to SP2:

Rich

Scanning Drive C:...
C:\Program Files\Common Files\Microsoft Shared\Office10\MSO.DLL
Version: 10.0.2625.0 <-- Possibly vulnerable (Under OfficeXP only)
C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
Version: 6.0.2900.2180
C:\Program Files\ewido\security suite\gdiplus.dll
Version: 5.1.3102.2180
C:\Program Files\Microsoft Works\gdiplus.dll
Version: 5.1.3079.3 <-- Vulnerable version
C:\WINDOWS\$NtServicePackUninstall$\sxs.dll
Version: 5.1.2600.1106 <-- Vulnerable version
C:\WINDOWS\$NtServicePackUninstall$\vgx.dll
Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\WINDOWS\ServicePackFiles\i386\sxs.dll
Version: 5.1.2600.2180
C:\WINDOWS\ServicePackFiles\i386\vgx.dll
Version: 6.0.2900.2180
C:\WINDOWS\system32\sxs.dll
Version: 5.1.2600.2180
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
Version: 5.1.3097.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\GdiPlus.dll
Version: 5.1.3101.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\GdiPlus.dll
Version: 5.1.3102.2180
Scan Complete.

richrf
October 26th, 2004, 12:30 PM
Hi Pilli,

Yes, I already downloaded my system and ran the scan. If I am clean and have SP2 with the latest updates, do I need to be concerned with the gdiscan (that I have posted) that indicates vulnerabilities? Thanks for the help.

Rich

Pilli
October 26th, 2004, 12:36 PM
Rich, As far as I know Wayne has said that jpegscan covers all in the wild variants ATM. :)

richrf
October 26th, 2004, 11:03 PM
Hi Pilli,

Thanks for the additional info. It bothers me that gdiscan is picking up vulnerable gdiplus.dlls but I guess I will have to live with it until some positive confirmation comes from Microsoft or elsewhere. Thanks again for your help.

Rich

Lasso23
October 27th, 2004, 01:22 AM
Hi:

I believe if you read through this complete MS bulletin, you will find the MS Works versions affected. I have SP2 and did have to apply (download) the patch. It required my insertion of a copy of my "Works Suite" CD at one point in the installation process after the download.

http://www.microsoft.com/security/bulletins/200409_jpeg.mspx

Hope this helps!

richrf
October 27th, 2004, 01:48 AM
Hi Lasso,

Thanks for the link. I read the bulletin and from what I read it says that all versions of Works are _not_ affected. If this is wrong, can you point me to the specific spot in the bulletin that says Works is affected? Thanks a lot for your help.

Rich

Robyn
October 27th, 2004, 05:57 AM
Hi richrf

I have just found a tutorial on the GDI tool on another forum which may be of interest to you and the results you have posted: GDI Scan Tutorial and how to fix the GDI+ JPEG Vulnerability (http://www.bleepingcomputer.com/forums/topicx3077-0.html). I know it will not answer your question about the Works 2003 scenario but I have found it interesting to read and to 'try' and learn from it. Hope this helps a little.

dvk01
October 27th, 2004, 06:51 AM
The confusion comes because of M$ naming procedures

It has 2 versions of works

M$ Works which is a stand alone application containing cut down versions of a word processor, database, spread sheet, image handling etc. All these are integrated into one application called M$ Works

It also has Works SUITE which has some of the bundled applications all integrated, that is the database & spread sheet, and acts as a central start point for the other applications which are all stand alone and can be run separately: Word, Picture IT, Encarta in some versions, M$ Money and a few others

the inbuilt word processor in Works is NOT affected

BUT works SUITE is because that uses WORD as the word processor and WORD is affected and Works SUITE contains Picture IT which can be affected as both Word and PI use the dodgy DLL

so if you have WORKS SUITE then you possibly are affected, but WORKS alone you are not

richrf
October 27th, 2004, 12:05 PM
Hi Robyn and dvk01,

Thanks for the link. My posting above does indeed contain the listing from the gdiscan.exe program that your post is referring to. I ran the scan and there appears to be vulnerabilities but MS says not to worry. There does not appear to be any Works Suite specific updates for this problem on MS's but there are updates for Word 2002 (which is part of Works Suite 2003), but I cannot apply them. So I am just looking for positive confirmation one way or another. I will try MS again, but their staff does not appear to be really interested in looking into the issue. They just say apply the updates that are available.

Thanks for your help,
Rich

dvk01
October 27th, 2004, 12:34 PM
I use works suite and I applied the word update

IF you use works suite you haven't got works you have parts of office 2002(XP) and should go to office update and take all service packs and security updates

dvk01
October 27th, 2004, 12:37 PM
The M$ support in this issue know just enough to be dangerous

I will repeat: if you use WORKS SUITE then go to OFFICE update and press on search for updates, it will download an ActiveX control then allow you to do an update

make sure you have the works suite discs ready as you WILL Need them

I am almost certain you need office SP2 before the gdi update will take but the update site will offer you a lot, TAKE THEM ALL

there are quite a few updates that do affect the security of Word and not all have been widely published

richrf
October 27th, 2004, 12:42 PM
Hi dvk01,

Thanks a lot for taking the time to help.

I tried running the Active X Update module for Office Updates but it seems to keep failing, even when I follow all of the troubleshooting hints. I also disabled all of my security defenses (e.g. Prevx) just in case this was interfering. But I couldn't get a screen to come up after the Active X install screen came up.

If you are able to, can you provide me with the specific links of the updates for Office 2002 (XP) that you are referring to? Other XP updates seem to be working O.K. Am I supposed to see an Active X screen after I allow the Active X module to load? Thanks again.

Rich

dvk01
October 27th, 2004, 01:08 PM
put office update in your safe zones temporarily

Office update relies on browser referral headers & all cookies being enabled

Unfortunately I can't send you a link to any office updates as I'm in UK and am automatically diverted to the UK site and if you try you will be blocked and diverted to the office home page
if you use Norton internet security or Zone alarm pro or some other firewalls they block the browser referral headers and some active X controls as well so you need to allow all M$ sites in them

You do need OFFICE SP3 before the gdi update will take though and to get SP3

dvk01
October 27th, 2004, 01:12 PM
GDI UPDATE (http://www.microsoft.com/downloads/details.aspx?FamilyId=7D128614-6D34-49DF-8D63-6C17E9A2D312&displaylang=en) you can try this link to the GDI update it might work for you


It has links from that page to SP3 which it says you need first

richrf
October 27th, 2004, 01:45 PM
Hi dvk01,

Tried the links but the installation files require Office to be loaded on my machine.

I took a look at my History file and there is an Office XP update that was completed On Oct. 24:

Critical Update for Office XP on Windows XP Service Pack 2 (KB885884)

and there is a GDI tool that was also installed:

Microsoft GDI+ Detection Tool (KB873374)

I am not sure this is enough since the gdiscan.exe says otherwise. Do you have any ideas?

Thanks for all of the help so far. This is a major pain. ::)

Regards,
Rich

dvk01
October 27th, 2004, 02:36 PM
Do you actually have WORD installed on the computer ?

richrf
October 27th, 2004, 02:39 PM
Yes, Word 2002.

Rich

dvk01
October 27th, 2004, 03:06 PM
Then I can't understand why the updates won't install and say you need office

richrf
October 27th, 2004, 04:42 PM
Hi Derek,

Yep. I can't understand either. I've tried everything to get the darn update to work - if there is any. I rebooted with nothing in the startup besides KAV and ZoneAlarm to try to clear out any incompatibilities. I shut down all cookie blocking in Explorer and put Windows Update in the Trusted Zone. I just don't get any screen after I give the ActiveX component permission to download. Nothing else I can do now but wait and see.

Thanks a lot for helping me out.

Rich

Lasso23
October 28th, 2004, 02:00 PM
Rich:

To see if your Word product has been updated, open Word and click on "about". If you see Microsoft Word 2002 (version number) SP3, then the update is complete. The SP3 at the end is the key. If I remember correctly, I had to originally allow an update or patch to Office to update to SP3, although I did not have Office installed, just the M$ Works Suite. (Mine is Works Suite 2004, but the Word component is MS Word 2002, just as yours).

Have you looked at information here:
http://support.microsoft.com/?scid=ph;en-us;3253

The update to Office SP3 will include your version of Word 2002. I believe that installation will require you to insert disk 1 of the M$ Works Suite in order to complete installation and upgrade.
(May have to lower IE security to "medium" and privacy to "medium low" to accept cookies and Active-X for install.)

Regards!

richrf
October 28th, 2004, 05:25 PM
Hi Lasso23,

Thanks for the heads up. I checked and my version of Word has not been updated. I was on the phone with MS (on my dime) for about 2 hours yesterday and they were totally useless. This is the one and only product I use from MS - and I am glad. I must have talked to reps from 6 different countries - each one working through their scripts and passing me on to the next country. Finally, the battery on my cell phone went dead and of course the person on the other end made no attempt to call me back. Really, a totally useless company - which I will try not to think about too much tonight. Maybe next week, after my qi energy has regenerated, I will make another go of talking to them. ::)

Thanks for confirming my suspicions. I should be paying you guys money - not MS. :P

Rich

Paranoid2000
October 28th, 2004, 11:02 PM
Richrf,

Are you sure that you have not already got the updates applied? The GDI scan results you posted earlier look to be from file backups taken pre-patch (which, of course, would have the vulnerability) which are there in case you want to remove the update. This is certainly the case with the $NtServicePackUninstall$ folders and the x86_Microsoft.Windows.GdiPlus_... folders look like version specific backups also (edit: see the SXS Folder (http://www.wilderssecurity.com/showthread.php?t=24593) thread for more on these - you could try copying your patched GdiPlus.dll file into them to ensure these older versions are never loaded, but I would suggest renaming the files currently there first just in case an application refuses to work without the unpatched files).

With regard to Windows Update, I'd suggest using the Microsoft Security Bulletin Search (http://www.microsoft.com/technet/security/CurrentDL.aspx) page instead to obtain security updates - no need to run Internet Explorer, allow ActiveX or expose your system innards to Uncle Bill's snooping. Microsoft Security Bulletin MS04-028 (http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx) includes links to GDI patches for specific programs (but not Word 2002 - it only lists the OfficeXP update previously posted by Dvk01).
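
Added example (not part of the thread and not the gdiscan tool's own code): a Python triage of gdiscan output like the listing Rich posted, separating flagged DLLs in service-pack uninstall backups and side-by-side folders from copies sitting in an application's own directory. The location labels and their priority order are assumptions of this example; the sample lines are excerpted from the listing above.

```python
import re

# Excerpt of the gdiscan listing posted earlier in this thread.
SAMPLE = r"""Scanning Drive C:...
C:\Program Files\Microsoft Works\gdiplus.dll
Version: 5.1.3079.3 <-- Vulnerable version
C:\WINDOWS\$NtServicePackUninstall$\sxs.dll
Version: 5.1.2600.1106 <-- Vulnerable version
C:\WINDOWS\system32\sxs.dll
Version: 5.1.2600.2180
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
Version: 5.1.3097.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
Scan Complete.
"""

VERSION_RE = re.compile(r"^Version:\s*(\S+)(?:\s*<--\s*(.+))?$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")

def parse_scan(text):
    """Pair each path line with the Version line that follows it."""
    findings, path = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = VERSION_RE.match(line)
        if m and path:
            findings.append({"path": path, "version": m.group(1), "flag": m.group(2)})
            path = None
        elif PATH_RE.match(line):
            path = line
    return findings

def location(path):
    """Label where the file lives (labels are assumptions of this example)."""
    p = path.lower()
    if "\\$ntservicepackuninstall$\\" in p:
        return "uninstall-backup"   # pre-patch copy kept so the update can be removed
    if "\\winsxs\\" in p:
        return "side-by-side"       # versioned assembly store
    if "\\program files\\" in p:
        return "application-copy"   # shipped with a product, updated by that product
    return "system"

# Assumed review order: copies an application ships first, backups last.
PRIORITY = {"application-copy": 0, "system": 0, "side-by-side": 1, "uninstall-backup": 2}

def triage(text):
    """Return only the flagged entries, most actionable location first."""
    flagged = [dict(f, location=location(f["path"])) for f in parse_scan(text) if f["flag"]]
    return sorted(flagged, key=lambda f: PRIORITY[f["location"]])

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f'{f["location"]:17} {f["version"]:15} {f["path"]}')
```
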

richrf
October 28th, 2004, 11:27 PM
Hi Paranoid2000,

I will look more into your recommendations. I am really not sure what state I am in right now. As you can see it is difficult for me to verify. But I will continue to try to do so, and your suggestions certainly may help. Thanks for the response.

Rich