Microsoft Graphics Bug Threatens Systems

Discussion in 'other security issues & news' started by ronjor, Sep 14, 2004.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,745
    Location:
    Texas
    eWEEK


     
  2. Marja

    Marja Honestly, I'm not a bot!!

    Joined:
    Mar 8, 2004
    Posts:
    4,553
    Location:
    In the Vast Fields of My Mind
    Thanks for the info, Ronjor. I haven't d/l'd SP2 yet, waiting for my CD (3 weeks?). Now not sure if I should wait? Anybody know?
    I am always looking for pics and gifs, when I try to update, it says it has problems, so no joy there.


    Thanks!
    Marja:cool:
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,745
    Location:
    Texas
  4. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    Hi ronjor,

    The scanning tool was on Win Update as of sometime yesterday afternoon or evening. I was surprised to see it listed as a critical upgrade for my XP-Home (SP2 is already installed) even though someone over at avast said it wasn't necessary for SP2 users.

    It auto-ran after installing, and simply reported that I had no vulnerable MS products onboard (I don't use Office etc.).
     
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,745
    Location:
    Texas
    Mike,

    This is what I got when I went to WU. Same as you.

    High Priority Updates
    Microsoft Corporation - Windows XP family

    Microsoft GDI+ Detection Tool (KB873374)

    It found nothing I needed. I only have readers on my computer for Word, Excel, and PowerPoint.
     
  6. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    This one security bulletin contains lots of patches for lots of Windows versions and applications. We need to apply a dozen patches for this one vulnerability alone.
    Strange behaviour. How do these MS programmers build their objects?
    I can imagine different patches for Win and Win64bit, but why is this one function built into every MS application and why is it not a shared component? This patching is costing us lots and lots of money (collecting the patches, testing the patches, packaging patches).

    And what bothers me too: Trustworthy Computing... no more buffer overflows in MS products. When will this project start?

    Glad I'm not using lots of Windows at home :ninja:
     
  7. SvS

    SvS Security Expert

    Joined:
    Aug 28, 2004
    Posts:
    57
    As far as GDI+ is concerned, this technology is part of Windows XP and 2003 so a single patch addresses this problem for all applications using GDI+ on these platforms.

    For older versions of Windows a redistributable exists which needs to be deployed with every application using GDI+; to avoid version problems Microsoft recommends placing gdiplus.dll into the application directory when needed (and was in fact shipping updated versions of gdiplus.dll with different products where the file available for third-party developers remained unchanged). This is where this multi-product-patch-nightmare originates from: by following their own recommendations every product used its own copy of gdiplus.dll, so every product needs to be patched now.

    The side-by-side installation capabilities of XP and 2003 add additional confusion here - patching the OS version of gdiplus.dll should be enough and should cover all products using it; however, applications may still use their own version of this file or may request a specific version of it, so product-specific patches may still be needed. This may be the end of problems due to file version conflicts, but actually such a situation is difficult to handle when it comes to problems like this.
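
The per-application copies described in the post above can be inventoried with a short script. This is an added example, not part of the original thread and not a Microsoft tool: it walks a directory tree, finds every private copy of gdiplus.dll, and reads the file version by locating the VS_FIXEDFILEINFO signature (a heuristic, not a full PE resource parser). The `minimum` version is a placeholder to be taken from the vendor bulletin, and the sample files in `demo()` are constructed.

```python
import os
import struct
import tempfile

# VS_FIXEDFILEINFO.dwSignature (0xFEEF04BD) as stored on disk, little-endian.
FIXEDFILEINFO_SIG = struct.pack("<I", 0xFEEF04BD)

def file_version(path):
    """Return (major, minor, build, revision) from the version resource, or None."""
    with open(path, "rb") as fh:
        data = fh.read()
    pos = data.find(FIXEDFILEINFO_SIG)
    # Layout: dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS, ...
    if pos < 0 or pos + 16 > len(data):
        return None
    ms, ls = struct.unpack_from("<II", data, pos + 8)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)

def inventory(root, minimum, name="gdiplus.dll"):
    """Return sorted (path, version, status) for every copy of `name` under root."""
    rows = []
    for folder, _dirs, files in os.walk(root):
        for entry in files:
            if entry.lower() != name:
                continue
            path = os.path.join(folder, entry)
            version = file_version(path)
            if version is None:
                status = "unknown"        # no version resource: inspect by hand
            elif version < minimum:
                status = "needs-patch"    # private copy older than the fixed build
            else:
                status = "ok"
            rows.append((path, version, status))
    return sorted(rows)

def demo():
    """Constructed sample: three application folders, each with its own copy."""
    def fake(ver):  # constructed bytes carrying only a version block, not a real DLL
        ms, ls = ver[0] << 16 | ver[1], ver[2] << 16 | ver[3]
        return b"MZ" + b"\0" * 62 + FIXEDFILEINFO_SIG + struct.pack("<III", 0x10000, ms, ls)
    samples = (("AppA", fake((1, 0, 5, 0))), ("AppB", fake((1, 0, 9, 0))), ("AppC", b"MZ"))
    with tempfile.TemporaryDirectory() as root:
        for app, blob in samples:
            os.makedirs(os.path.join(root, app))
            with open(os.path.join(root, app, "GdiPlus.dll"), "wb") as fh:
                fh.write(blob)
        # (1, 0, 9, 0) is a placeholder threshold, not the real fixed version.
        found = inventory(root, (1, 0, 9, 0))
        return [(os.path.basename(os.path.dirname(p)), v, s) for p, v, s in found]
```

Copies reported as "unknown" have no readable version block and need manual inspection rather than being assumed safe.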
     