Need to purge vulnerable gdiplus.dll?

From: Jack Kohn (_at_MYWAYCAMEL.COM)
Date: 09/29/04

  • Next message: Rafel Ivgi, The-Insider: "Finjan Security Advisory: JPEG Exploit Used Remotely (Demonstration)"
    Date:         Tue, 28 Sep 2004 19:08:04 -0500
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    How are people handling vulnerable versions of gdiplus.dll, vgx.dll,
    mso.dll, and other attack vectors that are left on systems and not
    being upgraded by available patches?

    On several machines, I'm still seeing a vulnerable version of
    gdiplus.dll in the C:\Winnt\system32 directory, even after I applied
    all of MS's MS04-028 patches applicable to the machines. (Tom Liston's
    GDI Scan (http://isc.sans.org/gdiscan.php) actually reveals a few
    vulnerable files left, but it's the ones in SYSTEM32 that really worry
    me.)

    A regedit search shows that C:\Winnt\System32\gdiplus.dll is part of
    the HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDLLs key.
    The Value is the path/file name and the Data is "1." I believe that
    means it's registered to one program. I'm inferring that one of the
    many non-MS programs installed registered that DLL, but how does the
    DLL get upgraded now?

    I saw a post somewhere (sorry - can't find the reference) saying one
    should not just remove/replace vulnerable DLLs lest breakage occur.
    Understandable if it's a modified 3rd party version. But this seems to
    be Microsoft's DLL file (version 5.1.3097.0). And in the System32
    folder, this seems like a land mine waiting to go off.

    Has anyone else seen this? What techniques are people using to
    remove/update these DLLs? Are things breaking or going OK?

    Thanks in advance.

    -J. M. Kohn
    Chicago

    -----
    NTBugtraq Editor's Note:

    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
    -----


  • Next message: Rafel Ivgi, The-Insider: "Finjan Security Advisory: JPEG Exploit Used Remotely (Demonstration)"

    Relevant Pages

    • Re: ActiveX control (iemenu.ocx) in Vista
      ... Your out of the box admin account on Vista is not a full rights admin account on Vista like it is on XP. ... Your admin account does not inherit rights from the built-in account like it does on XP, particularly in the System32 or Programs folder. ... I would say that there is a dependency dll a common dll on XP that is not present on Vista that the legacy application needs. ...
      (microsoft.public.windows.vista.general)
    • Re: Cannot open include file:problem with Dll header
      ... KEEP YOUR DLLs OUT OF THE SYSTEM32 FOLDER!!!!! ... have a DLL of the same name overwrite yours, but in many real environments the System32 ... Putting the DLL in the System32 folder is COMPLETELY UNRELATED TO USING A HEADER FILE! ... Nothing proposed here is even marginally acceptable programming practice. ...
      (microsoft.public.vc.mfc)
    • Re: Cannot open include file:problem with Dll header
      ... KEEP YOUR DLLs OUT OF THE SYSTEM32 FOLDER!!!!! ... have a DLL of the same name overwrite yours, but in many real environments the System32 ... Putting the DLL in the System32 folder is COMPLETELY UNRELATED TO USING A HEADER FILE! ... Nothing proposed here is even marginally acceptable programming practice. ...
      (microsoft.public.vc.mfc)
    • RE: JPEG vulnerability iissue: Defective copies of file
      ... programmers can use to force their apps to use a different version of a dll. ... or whether it can be patched by the MS patches. ... but the vendor that made the app would have to ... > The subject is that godawful JPEG vulnerability. ...
      (microsoft.public.security)
    • Re: Error 22272: Cannot load the DLL xpstar.dll...
      ... I would look for MSVCR71.DLL in SYSTEM32. ... I believe that if an entire DLL was missing, ... Reinstall the SQL Server tools? ...
      (comp.databases.ms-sqlserver)