JPEG overflow vulnerability and Microsoft Works Suite

Hi everyone,

Has anyone seen a bulletin or discussion thread concerning the JPEG overflow vulnerablity and Microsoft Works?

I have downloaded all Windows Updates for SP2 but the GDI scan still shows vulnerable dlls in the Microsoft Works directory. Microsoft tells me not to worry. But I would like verification. Any info would be appreciated.

Rich

 

Here is the link to the actual Microsoft bulletin Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987) HTH

Listed programs from a BBC link

VULNERABLE PROGRAMS
Windows XP
Windows XP Service Pack 1
Windows Server 2003
Internet Explorer 6 SP1
Office XP SP3
Office 2003
Digital Image Pro 7.0
Digital Image Pro 9
Digital Image Suite 9
Greetings 2002
Picture It! 2002
Picture It! 7.0
Picture It! 9
Producer for PowerPoint
Project 2002 SP1
Project 2003
Visio 2002 SP2
Visio 2003
Visual Studio .NET 2002
Visual Studio .NET 2003

 

Hi Rich: http://www.diamondcs.com.au/jpegscan/ Test And clean your JPEGS for free:

HTH Pilli

 

Hi Robyn,

Thanks for the link. I already had a chance to read it and unfortunately nothing is said concerning Microsoft Works Suite 2003. I'm not sure it is because there are no vulnerablities or Microsoft doesn't have a patch yet. The reason I am concerned is because the gdiscan shows vulnerabilities do exist on my system, even after all of the Windows Updates to SP2:

Rich

Scanning Drive C:...
C:\Program Files\Common Files\Microsoft Shared\Office10\MSO.DLL
Version: 10.0.2625.0 <-- Possibly vulnerable (Under OfficeXP only)
C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
Version: 6.0.2900.2180
C:\Program Files\ewido\security suite\gdiplus.dll
Version: 5.1.3102.2180
C:\Program Files\Microsoft Works\gdiplus.dll
Version: 5.1.3079.3 <-- Vulnerable version
C:\WINDOWS\$NtServicePackUninstall$\sxs.dll
Version: 5.1.2600.1106 <-- Vulnerable version
C:\WINDOWS\$NtServicePackUninstall$\vgx.dll
Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\WINDOWS\ServicePackFiles\i386\sxs.dll
Version: 5.1.2600.2180
C:\WINDOWS\ServicePackFiles\i386\vgx.dll
Version: 6.0.2900.2180
C:\WINDOWS\system32\sxs.dll
Version: 5.1.2600.2180
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
Version: 5.1.3097.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\GdiPlus.dll
Version: 5.1.3101.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\GdiPlus.dll
Version: 5.1.3102.2180
Scan Complete.

 

Hi Pilli,

Yes, I already downloaded my system and ran the scan. If I am clean and have SP2 with the lastest updates, do I need to be concerned with the gdiscan (that I have posted) that indicates vulnerabilities. Thanks for the help.

Rich

 

Rich, As far as I know Wayne has said that jpegscan covers all in the wild variants ATM.

 

Hi Pilli,

Thanks for the additional info. It bothers me that gdiscan is picking up vulnerable gdiplus.ddls but I guess I will have to live with it until some positive confirmation comes from Microsoft or elsewhere. Thanks again for your help.

Rich

 

Hi:

I believe if you read through this complete MS bulletin, you will find the MS Works versions affected. I have SP2 and did have to apply (download) the patch. It required my insertion of a copy of my "Works Suite" CD at one point in the installation process after the download.

http://www.microsoft.com/security/bulletins/200409_jpeg.mspx

Hope this helps!

 

Hi Lasso,

Thanks for the link. I read the bulletin and from what I read it says that all versions of Works are _not_ affected. If this is wrong, can you point me to the specific spot in the bulletin that says Works is affected. Thanks a lot for your help.

Rich

 

Hi richrf

I have just found a tutorial on the GDI tool on another forum which may be of interest to you and the results you have posted GDI Scan Tutorial and how to fix the GDI+ JPEG Vulnerability I know it will not answer your question about the Works 2003 scenario but I have found it interesting to read and to 'try' and learn from it. Hope this helps a little.

 

Hi Robyn and dvk01,

Thanks for the link. My posting above does indeed contain the listing from the gdiscan.exe program that your post is referring to. I ran the scan and there appears to be vulnerabilities but MS says not to worry. There does not appear to be any Works Suite specific updates for this problem on MS's but there are updates for Word 2002 (which is part of Works Suite 2003), but I cannot apply them. So I am just looking for positive confirmation one way or another. I will try MS again, but their staff does not appear to be really interested in looking into the issue. They just say apply the updates that are available.

Thanks for your help,
Rich

 

Hi dvk01,

Thanks a lot for taking the time to help.

I tried running the Active X Update module for Office Updates but it seems to keep failing, even when I follow all of the troubleshooting hints. I also disabled all of my security defenses (e.g. Prevx) just in case this was interfering. But I couldn't get a screen to come up after the Active X install screen came up.

If you are able to, can you provide me with the specific links of the updates for Office 2002 (XP) that you are referring to. Other XP updates seem to be working O.K. Am I suppose to see an Active X screen after I allow the Active X module to load? Thanks again.

Rich

 

Hi dvk01,

Tried the links but the installation files require Office to be loaded on my machine.

I took a look at my History file and there is an Office XP update that was completed On Oct. 24:

Critical Update for Office XP on Windows XP Service Pack 2 (KB885884)

and there is a GDI tool that was also installed:

Microsoft GDI+ Detection Tool (KB873374)

I am not sure this is enough since the gdiscan.exe says otherwise. Do you have any ideas?

Thanks for all of the help so far. This is a major pain.

Regards,
Rich

 

Yes, Word 2002.

Rich

 

Hi Derek,

Yep. I can't understand either. I've tried everything to get the darn update to work - if there is any. I rebooted with nothing in the startup besides KAV and ZoneAlarm to try to clear out any incompatibilities. I shut down all cookie blocking in Explorer and put Windows Update in the Trusted Zone. I just don't get any screen after I give the ActiveX component permission to download. Nothing else I can do now but wait and see.

Thanks a lot for helping me out.

Rich

 

Rich:

To see if your Word product has been updated, open Word and click on "about". If you see Microsoft Word 2002 (version number) SP3, then the update is complete. The SP3 at the end is the key. If I remember correctly, I had to originally allow an update or patch to Office to update to SP3, although I did not have Office installed, just the M$ Works Suite. (Mine is Works Suite 2004, but the Word component is MS Word 2002, just as yours).

Have you looked at information here:
http://support.microsoft.com/?scid=ph;en-us;3253

The update to Office SP3 will include your version of Word 2002. I believe that installation will require you to insert disk 1 of the M$ Works Suite in order to complete installation and upgrade.
(May have to lower IE security to "medium" and privacy to "medium low" to accept cookies and Active-X for install.)

Regards!

 

HI Lasso23,

Thanks for the heads up. I checked and my version of Word has not been updated. I was on the phone with MS (on my dime) for about 2 hours yesterday and they were totally useless. This is the one and only product I use from MS - and I am glad. I must have talked to reps from 6 different countries - each one working through their scripts and passing me on to the next country. Finally, the battery on my cell phone went dead and of course the person on the other end made no attempt to call me back. Really, I totally useless company - which I will try not to think about too much tonight. Maybe next week, after my qi energy has regenerated, I will make another go of talking to them.

Thanks for confirming my suspicions. I should be paying you guys money - not MS.

Rich

 

Richrf,

Are you sure that you have not already got the updates applied? The GDI scan results you posted earlier look to be from file backups taken pre-patch (which, of course, would have the vulnerability) which are there in case you want to remove the update. This is certainly the case with the $NtServicePackUninstall$ folders and the x86_Microsoft.Windows.GdiPlus_... folders look like version specific backups also (edit: see the SXS Folder thread for more on these - you could try copying your patched GdiPlus.dll file into them to ensure these older versions are never loaded, but I would suggest renaming the files currently there first just in case an application refuses to work without the unpatched files).

With regard to Windows Update, I'd suggest using the Microsoft Security Bulletin Search page instead to obtain security updates - no need to run Internet Explorer, allow ActiveX or expose your system innards to Uncle Bill's snooping. Microsoft Security Bulletin MS04-028 includes links to GDI patches for specific programs (but not Word 2002 - it only lists the OfficeXP update previously posted by Dvk01).