JPEG overflow vulnerability and Microsoft Works Suite

Discussion in 'other security issues & news' started by richrf, Oct 26, 2004.

Thread Status:
Not open for further replies.
  1. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi everyone,

    Has anyone seen a bulletin or discussion thread concerning the JPEG overflow vulnerability and Microsoft Works?

    I have downloaded all Windows Updates for SP2 but the GDI scan still shows vulnerable dlls in the Microsoft Works directory. Microsoft tells me not to worry. But I would like verification. Any info would be appreciated.

    Rich
     
  2. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Here is the link to the actual Microsoft bulletin: Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987). HTH

    Listed programs from a BBC link

    VULNERABLE PROGRAMS
    Windows XP
    Windows XP Service Pack 1
    Windows Server 2003
    Internet Explorer 6 SP1
    Office XP SP3
    Office 2003
    Digital Image Pro 7.0
    Digital Image Pro 9
    Digital Image Suite 9
    Greetings 2002
    Picture It! 2002
    Picture It! 7.0
    Picture It! 9
    Producer for PowerPoint
    Project 2002 SP1
    Project 2003
    Visio 2002 SP2
    Visio 2003
    Visual Studio .NET 2002
    Visual Studio .NET 2003
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
  4. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Robyn,

    Thanks for the link. I already had a chance to read it and unfortunately nothing is said concerning Microsoft Works Suite 2003. I'm not sure it is because there are no vulnerabilities or Microsoft doesn't have a patch yet. The reason I am concerned is because the gdiscan shows vulnerabilities do exist on my system, even after all of the Windows Updates to SP2:

    Rich

    Scanning Drive C:...
    C:\Program Files\Common Files\Microsoft Shared\Office10\MSO.DLL
    Version: 10.0.2625.0 <-- Possibly vulnerable (Under OfficeXP only)
    C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
    Version: 6.0.2900.2180
    C:\Program Files\ewido\security suite\gdiplus.dll
    Version: 5.1.3102.2180
    C:\Program Files\Microsoft Works\gdiplus.dll
    Version: 5.1.3079.3 <-- Vulnerable version
    C:\WINDOWS\$NtServicePackUninstall$\sxs.dll
    Version: 5.1.2600.1106 <-- Vulnerable version
    C:\WINDOWS\$NtServicePackUninstall$\vgx.dll
    Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
    C:\WINDOWS\ServicePackFiles\i386\sxs.dll
    Version: 5.1.2600.2180
    C:\WINDOWS\ServicePackFiles\i386\vgx.dll
    Version: 6.0.2900.2180
    C:\WINDOWS\system32\sxs.dll
    Version: 5.1.2600.2180
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
    Version: 5.1.3097.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\GdiPlus.dll
    Version: 5.1.3101.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\GdiPlus.dll
    Version: 5.1.3102.2180
    Scan Complete.
     
  5. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Pilli,

    Yes, I already downloaded my system and ran the scan. If I am clean and have SP2 with the latest updates, do I need to be concerned with the gdiscan (that I have posted) that indicates vulnerabilities? Thanks for the help.

    Rich
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Rich, As far as I know Wayne has said that jpegscan covers all in the wild variants ATM. :)
     
  7. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Pilli,

    Thanks for the additional info. It bothers me that gdiscan is picking up vulnerable gdiplus.dlls but I guess I will have to live with it until some positive confirmation comes from Microsoft or elsewhere. Thanks again for your help.

    Rich
     
  8. Lasso23

    Lasso23 Registered Member

    Joined:
    Jul 21, 2004
    Posts:
    5
    Location:
    Texas
    Hi:

    I believe if you read through this complete MS bulletin, you will find the MS Works versions affected. I have SP2 and did have to apply (download) the patch. It required my insertion of a copy of my "Works Suite" CD at one point in the installation process after the download.

    http://www.microsoft.com/security/bulletins/200409_jpeg.mspx

    Hope this helps!
     
  9. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Lasso,

    Thanks for the link. I read the bulletin and from what I read it says that all versions of Works are _not_ affected. If this is wrong, can you point me to the specific spot in the bulletin that says Works is affected? Thanks a lot for your help.

    Rich
     
  10. Robyn

    Robyn Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    1,189
    Hi richrf

    I have just found a tutorial on the GDI tool on another forum which may be of interest to you and the results you have posted: GDI Scan Tutorial and how to fix the GDI+ JPEG Vulnerability. I know it will not answer your question about the Works 2003 scenario but I have found it interesting to read and to 'try' and learn from it. Hope this helps a little.
     
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    The confusion comes because of M$ naming procedures

    It has 2 versions of works

    M$ Works which is a stand alone application containing cut down versions of a word processor, database, spread sheet, image handling etc. All these are integrated into one application called M$ Works

    It also has Works SUITE which has some of the bundled applications all integrated that is the database & spread sheet and acts as a central start point for the other applications which are all stand alone and can be run separately. Word, Picture IT , Encarta in some versions. M$ money and a few others

    the inbuilt word processor in Works is NOT affected

    BUT works SUITE is because that uses WORD as the word processor and WORD is affected and Works SUITE contains Picture IT which can be affected as both Word and PI use the dodgy DLL

    so if you have WORKS SUITE then you possibly are affected , but WORKS alone you are not
     
  12. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Robyn and dvk01,

    Thanks for the link. My posting above does indeed contain the listing from the gdiscan.exe program that your post is referring to. I ran the scan and there appear to be vulnerabilities but MS says not to worry. There does not appear to be any Works Suite specific updates for this problem on MS's but there are updates for Word 2002 (which is part of Works Suite 2003), but I cannot apply them. So I am just looking for positive confirmation one way or another. I will try MS again, but their staff does not appear to be really interested in looking into the issue. They just say apply the updates that are available.

    Thanks for your help,
    Rich
     
  13. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I use works suite and I applied the word update

    IF you use works suite you haven't got works you have parts of office 2002(XP) and should go to office update and take all service packs and security updates
     
  14. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    The M$ support in this issue know just enough to be dangerous

    I will repeat if you use WORKS SUITE then go to OFFICE update and press on search for updates, it will download an active x control then allow you to do an update

    make sure you have the works suite discs ready as you WILL Need them

    I am almost certain you need office SP2 before the gdi update will take but the update site will offer you a lot, TAKE THEM ALL

    there are quite a few updates that do affect the security of Word and not all have been widely published
     
  15. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi dvk01,

    Thanks a lot for taking the time to help.

    I tried running the Active X Update module for Office Updates but it seems to keep failing, even when I follow all of the troubleshooting hints. I also disabled all of my security defenses (e.g. Prevx) just in case this was interfering. But I couldn't get a screen to come up after the Active X install screen came up.

    If you are able to, can you provide me with the specific links of the updates for Office 2002 (XP) that you are referring to? Other XP updates seem to be working O.K. Am I supposed to see an Active X screen after I allow the Active X module to load? Thanks again.

    Rich
     
  16. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    put office update in your safe zones temporarily

    Office update relies on browser referral headers & all cookies being enabled

    Unfortunately I can't send you a link to any office updates as I'm in UK and am automatically diverted to the UK site and if you try you will be blocked and diverted to the office home page
    if you use Norton internet security or Zone alarm pro or some other firewalls they block the browser referral headers and some active X controls as well so you need to allow all M$ sites in them

    You do need OFFICE SP3 before the gdi update will take though and to get SP3
     
  17. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    GDI UPDATE you can try this link to the GDI update it might work for you


    It has links from that page to SP3 which it says you need first
     
  18. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi dvk01,

    Tried the links but the installation files require Office to be loaded on my machine.

    I took a look at my History file and there is an Office XP update that was completed On Oct. 24:

    Critical Update for Office XP on Windows XP Service Pack 2 (KB885884)

    and there is a GDI tool that was also installed:

    Microsoft GDI+ Detection Tool (KB873374)

    I am not sure this is enough since the gdiscan.exe says otherwise. Do you have any ideas?

    Thanks for all of the help so far. This is a major pain. :rolleyes:

    Regards,
    Rich
     
  19. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Do you actually have WORD installed on the computer ?
     
  20. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Yes, Word 2002.

    Rich
     
  21. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Then I can't understand why the updates won't install and say you need office
     
  22. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Derek,

    Yep. I can't understand either. I've tried everything to get the darn update to work - if there is any. I rebooted with nothing in the startup besides KAV and ZoneAlarm to try to clear out any incompatibilities. I shut down all cookie blocking in Explorer and put Windows Update in the Trusted Zone. I just don't get any screen after I give the ActiveX component permission to download. Nothing else I can do now but wait and see.

    Thanks a lot for helping me out.

    Rich
     
  23. Lasso23

    Lasso23 Registered Member

    Joined:
    Jul 21, 2004
    Posts:
    5
    Location:
    Texas
    Rich:

    To see if your Word product has been updated, open Word and click on "about". If you see Microsoft Word 2002 (version number) SP3, then the update is complete. The SP3 at the end is the key. If I remember correctly, I had to originally allow an update or patch to Office to update to SP3, although I did not have Office installed, just the M$ Works Suite. (Mine is Works Suite 2004, but the Word component is MS Word 2002, just as yours).

    Have you looked at information here:
    http://support.microsoft.com/?scid=ph;en-us;3253

    The update to Office SP3 will include your version of Word 2002. I believe that installation will require you to insert disk 1 of the M$ Works Suite in order to complete installation and upgrade.
    (May have to lower IE security to "medium" and privacy to "medium low" to accept cookies and Active-X for install.)

    Regards!
     
  24. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    Hi Lasso23,

    Thanks for the heads up. I checked and my version of Word has not been updated. I was on the phone with MS (on my dime) for about 2 hours yesterday and they were totally useless. This is the one and only product I use from MS - and I am glad. I must have talked to reps from 6 different countries - each one working through their scripts and passing me on to the next country. Finally, the battery on my cell phone went dead and of course the person on the other end made no attempt to call me back. Really, a totally useless company - which I will try not to think about too much tonight. Maybe next week, after my qi energy has regenerated, I will make another go of talking to them. :rolleyes:

    Thanks for confirming my suspicions. I should be paying you guys money - not MS. :p

    Rich
     
  25. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Richrf,

    Are you sure that you have not already got the updates applied? The GDI scan results you posted earlier look to be from file backups taken pre-patch (which, of course, would have the vulnerability) which are there in case you want to remove the update. This is certainly the case with the $NtServicePackUninstall$ folders and the x86_Microsoft.Windows.GdiPlus_... folders look like version specific backups also (edit: see the SXS Folder thread for more on these - you could try copying your patched GdiPlus.dll file into them to ensure these older versions are never loaded, but I would suggest renaming the files currently there first just in case an application refuses to work without the unpatched files).

    With regard to Windows Update, I'd suggest using the Microsoft Security Bulletin Search page instead to obtain security updates - no need to run Internet Explorer, allow ActiveX or expose your system innards to Uncle Bill's snooping. Microsoft Security Bulletin MS04-028 includes links to GDI patches for specific programs (but not Word 2002 - it only lists the OfficeXP update previously posted by Dvk01).
     
    Last edited: Oct 28, 2004
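
Added example, not part of the original thread: the triage Paranoid2000's post describes, applied to gdiscan-style output in the format richrf posted. It groups flagged DLLs by where they live, so rollback copies can be told apart from a copy an application keeps in its own directory; the bucket names and the `parse` / `flagged_by_bucket` helpers are this example's own assumptions, not part of gdiscan.

```python
import re

# Constructed sample: a subset of the gdiscan output posted earlier in this thread.
SAMPLE = r"""Scanning Drive C:...
C:\Program Files\Microsoft Works\gdiplus.dll
Version: 5.1.3079.3 <-- Vulnerable version
C:\WINDOWS\$NtServicePackUninstall$\sxs.dll
Version: 5.1.2600.1106 <-- Vulnerable version
C:\WINDOWS\system32\sxs.dll
Version: 5.1.2600.2180
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
Version: 5.1.3097.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
Scan Complete.
"""

VERSION_RE = re.compile(r"^Version:\s*([\d.]+)(?:\s*<--\s*(.+))?$")
# Location buckets are this example's own labels (assumption), checked in order.
BUCKETS = [
    ("\\$ntservicepackuninstall$\\", "uninstall-backup"),
    ("\\servicepackfiles\\", "service-pack-cache"),
    ("\\winsxs\\", "side-by-side"),
    ("\\windows\\", "system"),
]

def bucket(path):
    p = path.lower()
    for needle, name in BUCKETS:
        if needle in p:
            return name
    return "application-private"  # e.g. a DLL inside a Program Files folder

def parse(text):
    """Pair each path line with the 'Version:' line that follows it."""
    findings, path = [], None
    for line in text.splitlines():
        line = line.strip()
        m = VERSION_RE.match(line)
        if m and path:
            findings.append(dict(path=path, version=m.group(1),
                                 flag=m.group(2), bucket=bucket(path)))
            path = None
        elif line[1:3] == ":\\":  # drive-letter path such as C:\...
            path = line
    return findings

def flagged_by_bucket(findings):
    """Keep only entries the scanner annotated, grouped by location bucket."""
    out = {}
    for f in findings:
        if f["flag"]:
            out.setdefault(f["bucket"], []).append(f["path"])
    return out
```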