Re: Need to purge vulnerable gdiplus.dll?
From: Threlkeld, Richard (richardt_at_QUALCOMM.COM)
Date: Wed, 29 Sep 2004 09:34:17 -0700 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
"I have received in excess of 10 responses from people who have, one way
or another, been replacing vulnerable versions of gdiplus.dll (anywhere
they find them) with the updated version. *They* say they have not
encountered any problems.
In this regard, the safest approach mentioned has been to rename the old
dll to gdiplus.old, thereby preserving it in case you find something
that does break (this advice according to Paul Wobbe)."
I raised this same question to the MSRC as to why they didn't just
create a tool to scour the system for vulnerable versions of the library
and their response was "Because of the self healing nature of MSI when
you replace a file like this without registering the new version with
the application, when it actually gets used in the future the
application will do a repair and replace it with the old vulnerable
file". So although some people might have renamed and replaced the file
that doesn't mean that they have accessed the features of that
application which use the gdiplus.dll library. Additionally if you are
renaming the file and replacing it the application might be updating the
location in the registry with the renamed file so in essence it is still
using the vulnerable library.
I would strongly recommend that people use the Microsoft hotfix
installers as Russ said because they are the supported method of
patching by Microsoft and you could have problems later in life that you
are unable to pinpoint when everyone forgets about this round of
Microsoft MVP - SMS
-- NTBugtraq Editor's Note: Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field. --