GDI Scan

Discussion in 'other security issues & news' started by Untouchable J, Sep 25, 2004.

Thread Status:
Not open for further replies.
  1. Untouchable J

    Untouchable J Registered Member

    Joined:
    Jul 5, 2004
    Posts:
    53
    I just downloaded the GDI scanner from:

    Gdi Scan

    and here are my results:

    C:\I386\ASMS\1000\MSFT\WINDOWS\GDIPLUS\GDIPLUS.DLL
    Version: 5.1.3097.0 <-- Vulnerable version
    C:\I386\gdiplus.dll
    Version: 5.1.3097.0 <-- Vulnerable version
    C:\I386\SXS.DLL
    Version: 5.1.2600.1106 <-- Vulnerable version
    C:\I386\VGX.DLL
    Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
    C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.DLL
    Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
    C:\Program Files\Sonic\RecordNow!\gdiplus.dll
    Version: 5.1.3097.0 <-- Vulnerable version
    C:\WINDOWS\$NtUninstallKB839645$\sxs.dll
    Version: 5.1.2600.1106 <-- Possibly vulnerable (Backup for uninstall purposes)
    C:\WINDOWS\SYSTEM32\gdiplus.dll
    Version: 5.1.3097.0 <-- Vulnerable version
    C:\WINDOWS\SYSTEM32\sxs.dll
    Version: 5.1.2600.1515
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
    Version: 5.1.3097.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\GdiPlus.dll
    Version: 5.1.3101.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.1360_x-ww_24a2ed47\GdiPlus.dll
    Version: 5.1.3102.1360

    From what I can read I got all the updates needed from Microsoft, but I still got these detected.

    What should I do?

    -J
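    The scan output above is a simple two-line-per-file format (a path, then a "Version:" line with an optional "<--" annotation). The following is an added example, not part of the original post or of the GDI Scan tool: a Python parser that turns that output into records, counts the tool's verdicts, and separately compares each gdiplus.dll / sxs.dll copy against a baseline version. The baseline values are an assumption drawn only from what this scan did not flag (gdiplus.dll 5.1.3102.1360 and sxs.dll 5.1.2600.1515); the authoritative fixed versions are in the Microsoft bulletin, not here.

```python
import re
from collections import Counter

# Scan output as pasted in the first post of the thread (path line followed
# by a "Version:" line, optionally annotated with "<-- ...").
SAMPLE_SCAN = r"""
C:\I386\ASMS\1000\MSFT\WINDOWS\GDIPLUS\GDIPLUS.DLL
Version: 5.1.3097.0 <-- Vulnerable version
C:\I386\gdiplus.dll
Version: 5.1.3097.0 <-- Vulnerable version
C:\I386\SXS.DLL
Version: 5.1.2600.1106 <-- Vulnerable version
C:\I386\VGX.DLL
Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.DLL
Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\Program Files\Sonic\RecordNow!\gdiplus.dll
Version: 5.1.3097.0 <-- Vulnerable version
C:\WINDOWS\$NtUninstallKB839645$\sxs.dll
Version: 5.1.2600.1106 <-- Possibly vulnerable (Backup for uninstall purposes)
C:\WINDOWS\SYSTEM32\gdiplus.dll
Version: 5.1.3097.0 <-- Vulnerable version
C:\WINDOWS\SYSTEM32\sxs.dll
Version: 5.1.2600.1515
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
Version: 5.1.3097.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\GdiPlus.dll
Version: 5.1.3101.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.1360_x-ww_24a2ed47\GdiPlus.dll
Version: 5.1.3102.1360
"""

# "Version: 5.1.3097.0 <-- Vulnerable version" -> group 1 = version, group 2 = note
VERSION_RE = re.compile(r"^Version:\s*([\d.]+)(?:\s*<--\s*(.*))?$")


def version_tuple(text):
    """Turn '5.1.3097.0' into (5, 1, 3097, 0) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def parse_scan(output):
    """Pair each path line with the 'Version:' line that follows it."""
    records = []
    pending_path = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = VERSION_RE.match(line)
        if m and pending_path is not None:
            note = (m.group(2) or "").strip()
            if note.startswith("Vulnerable"):
                verdict = "vulnerable"
            elif note.startswith("Possibly vulnerable"):
                verdict = "possible"
            else:
                verdict = "not flagged"
            records.append({
                "path": pending_path,
                "name": pending_path.rsplit("\\", 1)[-1].lower(),
                "version": version_tuple(m.group(1)),
                "verdict": verdict,
                "note": note,
            })
            pending_path = None
        else:
            pending_path = line
    return records


def count_verdicts(records):
    """How many files the tool marked vulnerable / possibly vulnerable / clean."""
    return Counter(r["verdict"] for r in records)


# ASSUMED baseline: the lowest versions the scan in the post did NOT flag.
# Verify against the Microsoft bulletin before relying on these numbers.
BASELINE = {
    "gdiplus.dll": version_tuple("5.1.3102.1360"),
    "sxs.dll": version_tuple("5.1.2600.1515"),
}


def below_baseline(records, baseline=BASELINE):
    """Paths whose file is in the baseline table and older than the baseline."""
    return [r["path"] for r in records
            if r["name"] in baseline and r["version"] < baseline[r["name"]]]


def stale_copies(records, baseline=BASELINE):
    """Count leftover old copies per DLL name, to see what still needs attention."""
    return Counter(r["name"] for r in records
                   if r["name"] in baseline and r["version"] < baseline[r["name"]])


if __name__ == "__main__":
    recs = parse_scan(SAMPLE_SCAN)
    print(dict(count_verdicts(recs)))
    print(dict(stale_copies(recs)))
    for path in below_baseline(recs):
        print("older than baseline:", path)
```

    The verdict count reproduces the tool's own annotations; the baseline comparison is the more useful view, because it also catches the side-by-side copies the tool only calls "possibly vulnerable" and ignores the VGX.DLL entries for which no baseline is given.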
     
  2. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi untouchable J,

    I am having a similar problem here.
     
  3. chew

    chew Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    515
    Location:
    GeordieLand.
    Same here. Glad you've started a new thread. I was about to start one.

    I got all the latest Micro$oft patches etc., but when I scanned using GDI Scan ... I still managed to find several Vulnerables and several Possible Vulnerables.

    Please advise on how to tackle this problem ... anyone?

    Cheers

    o_O
     
  4. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    The previous thread has been closed, so I will post in this thread since it is directly relevant. (The Update Alerts forum is for just that purpose: update alerts, not ongoing discussion of related issues. Learn something new every day here!)

    Hopefully the mods will link the closed thread to this one so it can be continued here.
     
  5. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Done. ;)



    snowbound
     
  6. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    According to the FAQ on the GDIscan page:
    If these are merely leftover junk that we are not going to uninstall anyway, I say we delete them.
    Can anyone confirm that these directories are not needed?
    At least we should delete the vulnerable components from those directories, right?
    Or maybe overwrite them with the version that is not vulnerable?
     
    Last edited: Sep 25, 2004
  7. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    As Nick very helpfully pointed out in the other thread:

    Be sure to expand and read the Frequently asked questions (FAQ) related to this security update section, it is filled with info.
     
  8. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    There are several troubling areas of the MS bulletin in the FAQ:

    I emboldened the troubling areas:

    Of course updating those applications would be best, but even the giant MS didn't update all the old versions of its software left over. Malware could possibly target those specific leftover files. And the small to medium sized software developers are not likely to react swiftly enough before this exploit is in full swing. I think a safe enough way to test would be to rename the vulnerable gdiplus.dll to gdiplus.dll.old, then copy the new version to the same directory. Test the program to see if it works.
    What do you think?
     
  9. chew

    chew Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    515
    Location:
    GeordieLand.
    I think it's not a good idea to delete them until we are absolutely sure what they do since they are somewhere in the Registry keys ...

    I am just waiting for some confirmation from experts.

    Some of the vulnerabilities and possibly vulnerables are found here ... all of them version 5.1.2600.0 whatever that is ...

    C:\I386\[files or whatever]
    C:\WINDOWS\SYSTEM32\[files or whatever]
    C:\WINDOWS\LastGood\System32\[files or whatever]

    So there you go ... don't know what to do exactly.


    o_O :(
     
  10. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    I agree chew.
    I think it would be safer to rename the vulnerable ones rather than delete them.
    And safer still to learn from people more knowledgeable! :D
     
  11. chew

    chew Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    515
    Location:
    GeordieLand.
    Not even sure if renaming will help.

    In fact I don't even know how to rename them and what name to use ...

    o_O :D
     
  12. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    As far as how to rename a file, simply locate the file in Windows Explorer, right click it, select Rename from the context menu, and type in the new file name.

    See the bottom of post 8 for the reason why to rename. At least if it doesn't work, you could delete the new copied over version and rename the .old version back to its original name.

    I will wait for more opinions on the issue.
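    Posts 8 and 12 between them describe one procedure: rename the old gdiplus.dll to gdiplus.dll.old, copy the patched copy into the same directory, test the program, and if it breaks delete the copied-in file and rename the .old one back. The following is an added example, not code from the original posts or from Microsoft: a small Python helper that performs the swap with a backup, refuses to overwrite an existing backup, verifies the copied file by hash, and provides the rollback step. The demo runs entirely in a scratch directory on constructed stand-in files, not real DLLs. It assumes you already have a vendor-supplied patched copy; copies under WinSxS and the $NtUninstall folders (which the scan itself labels side-by-side or uninstall backups) are managed by the OS update mechanism and are not candidates for this manual swap.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def stage_patched_copy(target, patched_source, backup_suffix=".old"):
    """Rename target to target + suffix, then copy patched_source into place.

    Refuses to clobber an existing backup, undoes the rename if the copy fails,
    and checks the landed file against the source by hash. Returns the backup path.
    """
    backup = target + backup_suffix
    if os.path.exists(backup):
        raise FileExistsError(f"backup already exists, resolve it first: {backup}")
    if not os.path.isfile(patched_source):
        raise FileNotFoundError(patched_source)
    os.rename(target, backup)
    try:
        shutil.copy2(patched_source, target)
    except Exception:
        os.rename(backup, target)  # put the original back before re-raising
        raise
    if sha256_of(target) != sha256_of(patched_source):
        os.remove(target)          # copy did not land intact: restore and fail
        os.rename(backup, target)
        raise IOError("copied file does not match patched source")
    return backup


def roll_back(target, backup_suffix=".old"):
    """The undo step from post 12: delete the copied-in file, restore the .old one."""
    backup = target + backup_suffix
    if not os.path.exists(backup):
        raise FileNotFoundError(backup)
    os.remove(target)
    os.rename(backup, target)


def demo():
    """Swap and roll back in a temp dir using constructed stand-in bytes (not DLLs).

    Returns the hashes observed at each step so the sequence can be checked.
    """
    with tempfile.TemporaryDirectory() as tmp:
        old = os.path.join(tmp, "gdiplus.dll")
        new = os.path.join(tmp, "patched", "gdiplus.dll")
        os.makedirs(os.path.dirname(new))
        with open(old, "wb") as f:
            f.write(b"OLD-VULNERABLE-STANDIN")   # constructed content
        with open(new, "wb") as f:
            f.write(b"NEW-PATCHED-STANDIN")      # constructed content
        before = sha256_of(old)
        backup = stage_patched_copy(old, new)
        after_swap = sha256_of(old)
        backup_hash = sha256_of(backup)
        roll_back(old)
        return {
            "before": before,
            "patched": sha256_of(new),
            "after_swap": after_swap,
            "backup": backup_hash,
            "after_rollback": sha256_of(old),
            "backup_left": os.path.exists(backup),
        }


if __name__ == "__main__":
    for step, value in demo().items():
        print(f"{step:15} {value}")
```

    On Windows the rename will fail if the DLL is currently loaded by a running process, which is the safe failure: close the application first rather than forcing the swap.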
     
  13. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Add this to the confusion: I scanned with Microsoft GDI+ Detection Tool and got the result below. Yet Windows Update has no critical updates for me.

    Nick
     

    Attached file: gdi.gif (9.5 KB)
  14. chew

    chew Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    515
    Location:
    GeordieLand.
    Devinco

    Yes, rename will be a good idea if that's the solution. I guess I just have to keep informed of this ...

    By the way ... which post 8 are you referring to? Link please?

    Cheers

    Chew

    P/s: Windows Update told me I got all the patches but the scan still showed I am vulnerable ...
     
  15. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    chew,

    Post 8 of this thread.


    Nick,

    I think we are in big trouble! :eek:
     
  16. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    You need to go to the Microsoft Office updates page to get the fix for the GDI detected software. here
     
  17. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Hi BigC,

    That's just it, we are fully patched. SP2 and all Office Updates and still there are vulnerable files left.

    troubling...
     
  18. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    You need to go to the Microsoft Office updates page to get the fix for the GDI detected software. here or here
     
  19. chew

    chew Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    515
    Location:
    GeordieLand.
    Thanks Devinco. Got it.

    I think everyone will be in deep trouble if they don't have XP SP2 at all.

    As far as I know there are many who are still on XP and XP SP1. Worse still, they don't even know their PCs are infected or will be infected by worms/trojans/adware etc.

    For example, my friend thought his PC was running normally when it kept redirecting his home page to some other sites ... he got a browser hijack ... hmm ...

    So I think if this problem is not solved within the one week or so, there might be an outbreak of related viruses on the net ...

    Chew
     
  20. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Not running Office here.

    Nick
     
  21. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    I got the same result that Nick got with gdidettool.exe.

    Office2003 Pro completely updated at Officeupdate site.
    XP Pro SP2 completely updated at windowsupdate site.

    The GDIscan tool from ISC still shows vulnerable and possibly vulnerable files.
    In fact, MS's own GDI tool says it is still vulnerable AFTER all updates.

    This sucks.
     
    Last edited: Sep 25, 2004
  22. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    I didn't have Office but the Office XP update fixed it. But it is good that it's available at Windows Updates, much easier to get to.
     
  23. chew

    chew Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    515
    Location:
    GeordieLand.
    D'oh! just checked the Office Update and was told I needed to update to Office XP SP3. So now I need to dig out my Office XP CD installation/registration key somewhere in my box.

    I just called my friend to inform him, but in his case it's a bit different. He told me he got it somewhere but I think otherwise. I think his Office XP CD is a bit dodgy. So in that case how's he supposed to patch? Do you think it will work for him?

    o_O

    P/s: BigC if you are not running Office ... what are you running? OpenOffice?
     
  24. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    chew,

    In order to be as protected as MS says you should be, you need SP2 for windows and you need the office updates.

    I am not sure what you mean by dodgy; do you mean cracked?
    For Office 2003, there is a GDI flaw patch. There are two versions, one that doesn't need the CD.
    There may be one for OfficeXP as well.
     
  25. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    It is definitely a good idea to update to both SP2 and the Office Updates.
    This probably closes the biggest infection holes.
    However, there are still vulnerable GDI files left after all the updates (from both MS and other vendors).
    These files could possibly be used in this exploit or a related exploit.
    MS should have at least cleaned up their own left over vulnerable stuff.
     