RE: Detecting new Windows .jpeg exploit

From: Bowes, Ronald (EST) (
Date: 09/16/04

  • Next message: Roger A. Grimes: "RE: Detecting new Windows .jpeg exploit"
    To: "'H Carvey'" <>,
    Date: Thu, 16 Sep 2004 16:16:35 -0500

    > Another option would be to obtain file version information from
    > gdiplus.dll on an unpatched machine, and then compare that to that from a
    > patched machine. Then write a Perl script to connect to each system as a
    > domain admin and pull the file version information from that file. Any
    > system on which the file versioning information does not equal what you
    > found on the patched system should be considered vulnerable.

    That's what I was looking for, the actual file that we can fingerprint on
    the machines so that we can tell.

    Sorry if I used some confusing language, even I wasn't entirely sure what I
    was thinking when I wrote that.


    Computer Forensics Training at the InfoSec Institute. All of our class sizes
    are guaranteed to be 12 students or less to facilitate one-on-one
    interaction with one of our expert instructors. Gain the in-demand skills of
    a certified computer examiner, learn to recover trace data left behind by
    fraud, theft, and cybercrime perpetrators. Discover the source of computer
    crime and abuse so that it never happens again.

  • Next message: Roger A. Grimes: "RE: Detecting new Windows .jpeg exploit"