Re: Microsoft's GDI Detetection Tool faults

albatross_at_tim.it
Date: 09/27/04

Next message: Juraj Bednar: "Re: New whitepaper "The Phishing Guide""

Previous message: Gerry Eisenhaur: "Re: GDI Virus in the wild."
Maybe in reply to: albatross_at_tim.it: "Microsoft's GDI Detetection Tool faults"
Next in thread: the rxmr: "Re: Microsoft's GDI Detetection Tool faults"
Reply: the rxmr: "Re: Microsoft's GDI Detetection Tool faults"
Reply: Scott Jacobson: "RE: Microsoft's GDI Detetection Tool faults"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: 27 Sep 2004 17:46:24 -0000
To: bugtraq@securityfocus.com

('binary' encoding is not supported, stored as-is) In-Reply-To: <B7C2C6BA798F3C4DBDD78BEDC1F8AD5705D7D30D@nycmb01.law.sullcrom.com>

The machine is a Windows XP SP1 completly patched with Office 2000 SP 3 completly patched.

I don't have any kind of imaging programs installed (Photoshop, Picture It, etc)

The output from the SANS tool is:

Scanning...
C:\WINDOWS\$NtServicePackUninstall$\sxs.dll
   Version: 5.1.2600.0 <-- Vulnerable version
C:\WINDOWS\$NtUninstallKB839645$\sxs.dll
   Version: 5.1.2600.1106 <-- Vulnerable version
C:\WINDOWS\ServicePackFiles\i386\sxs.dll
   Version: 5.1.2600.1106 <-- Vulnerable version
C:\WINDOWS\system32\sxs.dll
   Version: 5.1.2600.1515
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
   Version: 5.1.3097.0 <-- Vulnerable version
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\GdiPlus.dll
   Version: 5.1.3101.0 <-- Vulnerable version
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.1360_x-ww_24a2ed47\GdiPlus.dll
   Version: 5.1.3102.1360
Scan Complete.

Does anybody know what the content of the WinSxS directory under the windows installation path is?

albatross

>How did you test this (and on what platform), and why do you propose
>that the SANS tool is delivering more accurate results than the GDI tool
>delivered by Microsoft?
>
>I tested the SANS tool against a properly patched XP system on Friday
>and found it to false positive on many of the locations it said it
>wouldn't test on. Additionally, I found it to alert on MS09.dll, on an
>XP system. Our understanding from Microsoft is that MS09.DLL only needs
>to be updated to be fully compatible with an updated GDIPLUS.DLL in the
>system directory, it is not directly vulnerable.
>
>So, it would be good to know what you found.
>
>Best,
>
>Gaby
>

Next message: Juraj Bednar: "Re: New whitepaper "The Phishing Guide""

Previous message: Gerry Eisenhaur: "Re: GDI Virus in the wild."
Maybe in reply to: albatross_at_tim.it: "Microsoft's GDI Detetection Tool faults"
Next in thread: the rxmr: "Re: Microsoft's GDI Detetection Tool faults"
Reply: the rxmr: "Re: Microsoft's GDI Detetection Tool faults"
Reply: Scott Jacobson: "RE: Microsoft's GDI Detetection Tool faults"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

RE: Microsofts GDI Detetection Tool faults
... that the SANS tool is delivering more accurate results than the GDI tool ... I tested the SANS tool against a properly patched XP system on Friday ... system directory, ...
(Bugtraq)
Re: Microsofts GDI Detetection Tool faults
... > Does anybody know what the content of the WinSxS directory under the windows installation path is? ... >>that the SANS tool is delivering more accurate results than the GDI tool ... >>system directory, ...
(Bugtraq)