Re: Microsoft's GDI Detetection Tool faults

From: the rxmr (the.rxmr_at_gmail.com)
Date: 09/28/04

  • Next message: Advisories: "Vignette Application Portal Unauthenticated Diagnostics" 
    Date: Tue, 28 Sep 2004 13:58:24 -0500
To: bugtraq@securityfocus.com

    On 27 Sep 2004 17:46:24 -0000, albatross@tim.it <albatross@tim.it> wrote:
    > In-Reply-To: <B7C2C6BA798F3C4DBDD78BEDC1F8AD5705D7D30D@nycmb01.law.sullcrom.com>
    >
    > The machine is a Windows XP SP1 completly patched with Office 2000 SP 3 completly patched.
    >
    > I don't have any kind of imaging programs installed (Photoshop, Picture It, etc)
    >
    > The output from the SANS tool is:
    >
    > Scanning...
    >
    > C:\WINDOWS\$NtServicePackUninstall$\sxs.dll
    >
    > Version: 5.1.2600.0 <-- Vulnerable version
    >
    > C:\WINDOWS\$NtUninstallKB839645$\sxs.dll
    >
    > Version: 5.1.2600.1106 <-- Vulnerable version
    >
    > C:\WINDOWS\ServicePackFiles\i386\sxs.dll
    >
    > Version: 5.1.2600.1106 <-- Vulnerable version
    >
    > C:\WINDOWS\system32\sxs.dll
    >
    > Version: 5.1.2600.1515
    >
    > C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
    >
    > Version: 5.1.3097.0 <-- Vulnerable version
    >
    > C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\GdiPlus.dll
    >
    > Version: 5.1.3101.0 <-- Vulnerable version
    >
    > C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.1360_x-ww_24a2ed47\GdiPlus.dll
    >
    > Version: 5.1.3102.1360
    >
    > Scan Complete.
    >
    > Does anybody know what the content of the WinSxS directory under the windows installation path is?
    >
    > albatross
    >
    >
    >
    >
    > >How did you test this (and on what platform), and why do you propose
    >
    > >that the SANS tool is delivering more accurate results than the GDI tool
    >
    > >delivered by Microsoft?
    >
    > >
    >
    > >I tested the SANS tool against a properly patched XP system on Friday
    >
    > >and found it to false positive on many of the locations it said it
    >
    > >wouldn't test on. Additionally, I found it to alert on MS09.dll, on an
    >
    > >XP system. Our understanding from Microsoft is that MS09.DLL only needs
    >
    > >to be updated to be fully compatible with an updated GDIPLUS.DLL in the
    >
    > >system directory, it is not directly vulnerable.
    >
    > >
    >
    > >So, it would be good to know what you found.
    >
    > >
    >
    > >Best,
    >
    > >
    >
    > >Gaby
    >
    > >
    >
    >

    From an earlier discussion on Bugtraq:

    http://lists.sans.org/pipermail/list/2004-September/062106.html

    From the page:

    "from what I understand the WinSxS folder is a housing area for
    shared .dll's to eliminate dll hell."

    Here's a couple more links:

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sbscs/setup/assembly_searching_sequence.asp

    http://www.google.com/search?as_q=&num=10&hl=en&ie=UTF-8&btnG=Google+Search&as_epq=WinSxS&as_oq=&as_eq=&lr=&as_ft=i&as_filetype=&as_qdr=all&as_nlo=&as_nhi=&as_occt=any&as_dt=i&as_sitesearch=&safe=images 

    -- 
AH-TAH-HA-NE DI BAH-HAS-TKIH HANE-AL-NEH
  • Next message: Advisories: "Vignette Application Portal Unauthenticated Diagnostics"

    Relevant Pages

    • RE: Microsofts GDI Detetection Tool faults
      ... that the SANS tool is delivering more accurate results than the GDI tool ... I tested the SANS tool against a properly patched XP system on Friday ... system directory, ...
      (Bugtraq)
    • Re: Microsofts GDI Detetection Tool faults
      ... I don't have any kind of imaging programs installed (Photoshop, Picture It, etc) ... The output from the SANS tool is: ... >that the SANS tool is delivering more accurate results than the GDI tool ... Our understanding from Microsoft is that MS09.DLL only needs ...
      (Bugtraq)