Need to purge vulnerable gdiplus.dll?
From: Jack Kohn (_at_MYWAYCAMEL.COM)
Date: Tue, 28 Sep 2004 19:08:04 -0500 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
How are people handling vulnerable versions of gdiplus.dll, vgx.dll,
mso.dll, and other attack vectors that are left on systems and not
being upgraded by available patches?
On several machines, I'm still seeing a vulnerable version of
gdiplus.dll in the C:\Winnt\system32 directory, even after I applied
all of MS's MS04-028 patches applicable to the machines. (Tom Liston's
GDI Scan (http://isc.sans.org/gdiscan.php) actually reveals a few
vulnerable files left, but it's the ones in SYSTEM32 that really worry
A regedit search shows that C:\Winnt\System32\gdiplus.dll is part of
the HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDLLs key.
The Value is the path/file name and the Data is "1." I believe that
means it's registered to one program. I'm inferring that one of the
many non-MS programs installed registered that DLL, but how does the
DLL get upgraded now?
I saw a post somewhere (sorry - can't find the reference) saying one
should not just remove/replace vulnerable DLLs lest breakage occur.
Understandable if it's a modified 3rd party version. But this seems to
be Microsoft's DLL file (version 5.1.3097.0). And in the System32
folder, this seems like a land mine waiting to go off.
Has anyone else seen this? What techniques are people using to
remove/update these DLLs? Are things breaking or going OK?
Thanks in advance.
-J. M. Kohn
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.