GDI Scan

I just download the GDI scanner from:

Gdi Scan

and heres my results:

C:\I386\ASMS\1000\MSFT\WINDOWS\GDIPLUS\GDIPLUS.DLL
Version: 5.1.3097.0 <-- Vulnerable version
C:\I386\gdiplus.dll
Version: 5.1.3097.0 <-- Vulnerable version
C:\I386\SXS.DLL
Version: 5.1.2600.1106 <-- Vulnerable version
C:\I386\VGX.DLL
Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.DLL
Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\Program Files\Sonic\RecordNow!\gdiplus.dll
Version: 5.1.3097.0 <-- Vulnerable version
C:\WINDOWS\$NtUninstallKB839645$\sxs.dll
Version: 5.1.2600.1106 <-- Possibly vulnerable (Backup for uninstall purposes)
C:\WINDOWS\SYSTEM32\gdiplus.dll
Version: 5.1.3097.0 <-- Vulnerable version
C:\WINDOWS\SYSTEM32\sxs.dll
Version: 5.1.2600.1515
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
Version: 5.1.3097.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\GdiPlus.dll
Version: 5.1.3101.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.1360_x-ww_24a2ed47\GdiPlus.dll
Version: 5.1.3102.1360

From what I can read I got all the updates needed from Microsoft, but I still got these detected.

What should I do?

-J

 

Hi untouchable J,

I am having a similar problem here.

 

Same here. Glad you've started a new thread. I was about to start one.

I got all the latest Micro$oft patches etc., but when I scanned using GDI Scan ... I still managed to find several Vulnerables and several Possible Vulnerables.

Please advice as to how to tackle this problem ... anyone?

Cheers

 

The previous thread has been closed, so I will post in this thread since it is directly relevant. (The Update Alerts forum is for just that purpose update alerts, not ongoing discussion of related issues. Learn something new everyday here!)

Hopefully the mods will link the closed thread to this one so it can be continued here.

 

Done.



snowbound

 

Acording to the FAQ on the GDIscan page:

If these are merely left over junk that we are not going to uninstall anyway, I say we delete them.
Can anyone confirm that these directories are not needed?
At least we should delete the vulnerable components from those directories, right?
Or maybe overwrite them with the version that is not vulnerable?

 

As Nick very helpfully pointed out in the other thread:

Be sure to expand and read the Frequently asked questions (FAQ) related to this security update section, it is filled with info.

 

There are several troubling areas of the MS bulletin in the FAQ:

I emboldened the troubling areas:

Of course updating those applications would be best, but even the giant MS didn't update all the old versions of its software leftover. A malware could possibly target those specific left over files. And for the small to medium sized software developers, they are not likely to react swiftly enough before this exploit is in full swing. I think a safe enough way to test would be to rename the vulnerable gdiplus.dll to gdiplus.dll.old then copy the new version to the same directory. Test the program to see if it works.
What do you think?

 

I think it's not a good idea to delete them until we are absolutely sure what they do since they are somewhere in the Registry keys ...

I am just waiting for some confirmation from experts.

Some of the vulnerabilities and possibly vulnerables are found here ... all of them version 5.1.2600.0 whatever that is ...

C:\I386\[files or whatever]
C:\WINDOWS\SYSTEM32\[files or whatever]
C:\WINDOWS\LastGood\System32\[files or whatever]

So there you go ... don't know what to do exactly.

 

I agree chew.
I think it would be safer to rename the vulnerable ones rather then delete them.
And safer still to learn from people more knowledgeable!

 

Not even sure if renaming will help.

Infact I don't even know how to rename them and to what name to use ...

 

As far as how to rename a file, simply locate the file in windows explorer, right click it, select rename from the context menu, and type in the new file name.

See the bottom of post 8 for the reason why to rename. At least if it doesn't work, you could delete the new copied over version and rename the .old version back to its original name.

I will wait for more opinions on the issue.

 

Add this to the confusion: I scanned with Microsoft GDI+ Detection Tool and got the result below. Yet Windows Update has no critical updates for me.

Nick

 

Devinco

Yes rename will be a good idea if that's the solution. I guess I just have to keep inform of this ...

By the way ... which post 8 are you referring to? Link please?

Cheers

Chew

P/s: Windows Update told me I got all the patches but the scan still showed I am vulnerable ...

 

chew,

Post 8 of this thread.


Nick,

I think we are in big trouble!

 

you need to go to the microsoft office updates page to get the fix for the GDI detected software. here

 

Hi BigC,

That's just it, we are fully patched. SP2 and all Office Updates and still there are vulnerable files left.

troubling...

 

you need to go to the microsoft office updates page to get the fix for the GDI detected software. here orhere

 

Thanks Devico. Got it.

I think everyone will be in deep trouble if they don't have XP SP2 at all.

As far as I know there are many who are still on XP and XP SP1. Worst still they don't even know their pcs are infected or will be infected by worms/trojans/adware etc.,

For example, my friend thought his pc was running normal when it kept directing his home page to some other sites ... he got Browser Hijack ... hmm ...

So I think if this problem is not solve within the one week or so I think there might be an outbreak of related virus on the net ...

Chew

 

Not running Office here.

Nick

 

I got the same result that Nick got with gdidettool.exe.

Office2003 Pro completely updated at Officeupdate site.
XP Pro SP2 completely updated at windowsupdate site.

The GDIscan tool from ISC still shows vulnerable and possibly vulnerable files.
In fact, MS own GDI tool says it is still vulnerable AFTER all updates.

This sucks.

 

I didnt have office but the office xp update fixed it. but it is good that it's available at win. updates, much easier to get to.

 

D'oh! just checked the Office Update and was told I needed to update to Office XP SP3. So now I need to dig out my Office XP CD installation/registration key somewhere in my box.

I just called my friend to inform him but in his case his is a bit different. He told me he got it somewhere but I think otherwise. I think his office XP CD is a bit dodgy. So in that case how's he suppose to patch? Do you think it will work for him?



P/s: BigC if you are not running Office ... what are you running? OpenOffice?

 

chew,

In order to be as protected as MS says you should be, you need SP2 for windows and you need the office updates.

I am not sure what you mean by dodgy, do you mean cracked?
For Office 2003, there is a GDI flaw patch. There are two versions, one that doesn't need the CD.
There may be one for OfficeXP as well.

 

It is definately a good idea to update to both SP2 and the Office Updates.
This probably closes the biggest infection holes.
However, there are still vulnerable GDI files left after all the updates (from both MS and other vendors).
These files could possibly be used in this exploit or a related exploit.
MS should have at least cleaned up their own left over vulnerable stuff.