
Is 833987 truly installed if KB log has "failed" & trendmicro dete

 
 
Wikibob
Guest
Posts: n/a

 
      05-04-2006
System is Windows XP SP1 (WinNT 5.01.2600) regularly updated
Internet Explorer v6.00 SP1 (6.00.2800.1106)
I do not have Office.

How can I ensure this update is truly installed?

http://housecall65.trendmicro.com/ repeatedly reports my PC has
this vulnerability:
Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)

I use windows.update nearly everyday and apply all the critical fixes.
Of the optional fixes I apply only those relevant to what I want.

However, according to C:\Windows\ I have this fix already:
Sep 18 2004 $NtUninstallKB833987$
KB833987.log

KB833987.log shows "Update.exe started at 9/18/2004 at 20:53:51"
followed by several failed lines, but it's very hard for me to tell
whether it worked or not. I can post whole log if needed.

To make sure, on 2006 April 30 I redownloaded KB833987 from microsoft
and reapplied it but the same or similar failed lines
appear appended to KB833987.log.

How can I tell whether I really have the vulnerability?
Has either or both trendmicro and microsoft got it wrong here?

My PC is clean according to all of these:
AVG
Lavasoft Ad-Aware
Spybot S&D
Xblock
Microsoft Antispyware

Also for a long time I have only used IE for windows.update
(via the IE tab in Firefox).
I do not have KB833988 nor KB833989 installed.

I have already read these:
http://support.microsoft.com/default...kb;en-us;83398
http://www.microsoft.com/athome/secu...jpeg_tool.mspx

I downloaded the 833987 update from
http://www.microsoft.com/downloads/d...displaylang=en

I compared these files against those listed in MS04-028.mspx for WinXp SP1:
1700352 Sep 05 2001 gdiplus.dll
700928 Aug 20 2004 sxs.dll

Both now and before March 2006 Baseline Security Analyzer 1.2.1
told me the tool could not confirm this update as installed:
MS04-028 see 306460
MBSA 2.0 does not report the note.

I have read and reread 306460 and my eyes still glaze over.
All I can make out is that MBSA 1.2 will produce a note for MS04-028
but does not explain why or what the user is to do.

What should I do?

 
 
 
 
 
Robin Walker
Guest
Posts: n/a

 
      05-04-2006
Wikibob <> wrote:

> System is Windows XP SP1 (WinNT 5.01.2600) regularly updated
> Internet Explorer v6.00 SP1 (6.00.2800.1106)
> I do not have Office.
>
> How can I ensure this update is truly installed?


By comparing the version number of C:\WINDOWS\System32\gdiplus.dll with the
table of version numbers listed when you expand "Frequently asked questions
(FAQ) related to this security update" in
http://www.microsoft.com/technet/sec.../ms04-028.mspx

Another way of resolving this is to install XP Service Pack 2, which has
many other security fixes and advantages.

> http://housecall65.trendmicro.com/ repeatedly reports my PC has
> this vulnerability:
> Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution
> (833987)


I cannot speak for Trend Micro, but this utility might be picking up other
copies of gdiplus.dll installed as part of other applications. Try
searching your entire hard disk for instances of a file named "gdiplus.dll".
If you find copies of it other than in C:\WINDOWS\System32\, then you should
refer to the vendors of the applications with which it was bundled for their
update recommendations.

> I compared these files against those listed in MS04-028.mspx for
> WinXp SP1: 1700352 Sep 05 2001 gdiplus.dll
> 700928 Aug 20 2004 sxs.dll


That version of gdiplus.dll is too old, and will be vulnerable. Make sure
it is not marked "read-only", otherwise the updater might not be able to
replace it.

What were the error messages you saw?

--
Robin Walker [MVP Networking]



 
 
Wikibob
Guest
Posts: n/a

 
      05-04-2006
"Robin Walker" wrote:

> Wikibob <> wrote:
> > How can I ensure this update is truly installed?

>
> By comparing the version number of C:\WINDOWS\System32\gdiplus.dll with the
> table of version numbers listed when you expand "Frequently asked questions
> (FAQ) related to this security update" in
> http://www.microsoft.com/technet/sec.../ms04-028.mspx


Thanks, I had overlooked that. I've since checked each gdiplus on my PC
before and after running HP Software Update. That fixed some of them. Details
below.

> Another way of resolving this is to install XP Service Pack 2, which has
> many other security fixes and advantages.


Maybe, when I understand what I have to do to prepare for SP2 better. I've
seen your post with helpful links but I first need to get backups and resolve
a BIOS issue.

> I cannot speak for Trend Micro, but this utility might be picking up other
> copies of gdiplus.dll installed as part of other applications. Try
> searching your entire hard disk for instances of a file named "gdiplus.dll".
> If you find copies of it other than in C:\WINDOWS\System32\, then you should
> refer to the vendors of the applications with which it was bundled for their
> update recommendations.


And indeed there were long forgotten HP folders with old gdiplus files.
I ran HP Software Update, which failed due to some checksum error (I will
chase HP about this), then I ran GdiplusUpgrade_Rev1.1.exe from HP. Strangely
this updated both HP files (expected) and C:\Windows\System32\gdiplus.dll
(unexpected but welcome).

> > ...snipped old gdiplus.dll details...


> That version of gdiplus.dll is too old, and will be vulnerable. Make sure
> it is not marked "read-only", otherwise the updater might not be able to
> replace it.


It was Archive. There was one readonly gdiplus, but in a HP folder, now all
are readable. A MBSA 2 scan tells me "No security updates are missing." and
nags me to update to SP2 and also "No incomplete software update
installations were found."
I then checked the file versions of each gdiplus and found only 3 were unfixed
(ie. vulnerable according to the ms04-028.mspx FAQ):

C:\I386\ASMS\1000\MSFT\WINDOWS\GDIPLUS
18/08/2001 14:00 1,700,352 GDIPLUS.DLL 5.1.3097.0 (xpclient.010817-1148)

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13
18/08/2001 14:00 1,700,352 GdiPlus.dll 5.1.3097.0 (xpclient.010817-1148)

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8
29/08/2002 03:41 1,703,936 GdiPlus.dll 5.1.3101.0 (xpsp1.020828-1920)

The first must be the original XP file, and I'm hoping the WinSxS ones can
be ignored?

> What were the error messages you saw?


The "failed" and "error" messages in C:\WINDOWS\KB833987.log were (I removed
the *** and used ... to show other removals):

================== Update.exe started at 9/18/2004 at 20:53:51

Service Pack started with following command line: -q /Z -ER

DoInstallation: CleanPFR failed: 0x2
....
FetchSourceURL: SetupOpenInfFile Failed to open file:
c:\c4add7d5314644079999eb5ad1\sp2\update\update.url

DoInstallation: FetchSourceURL for
c:\c4add7d5314644079999eb5ad1\sp2\update\update.inf Failed

....
LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102

BuildCabinetManifest:SetupOpenInfFile failed with error INVALID_HANDLE_VALUE
....
LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
....
LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
....
LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
....
[KB833987.log]

2006/4/30 23:48:1.819

================== Update.exe started at 4/30/2006 at 23:48: 1
....
FetchSourceURL: SetupOpenInfFile Failed to open file:
c:\ceb7cb3995caa0778b286dc2df90df\sp2\update\update.url

DoInstallation: FetchSourceURL for
c:\ceb7cb3995caa0778b286dc2df90df\sp2\update\update.inf Failed

LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102

BuildCabinetManifest:SetupOpenInfFile failed with error INVALID_HANDLE_VALUE
....
LoadFileQueues: SetupGetSourceFileLocation for halacpi.dll failed: 0xe0000102
....

end of the log

> --
> Robin Walker [MVP Networking]
>


I will now look at the GDI+ detection tool from KB873374 to double check.

 
 
Wikibob
Guest
Posts: n/a

 
      05-04-2006
Wikibob <> wrote:
>

Replying to myself (Message-ID:
<D8E0A646-24E9-4BA2-8676-> replying to
Robin Walker's reply Message-ID: <uDb#>),
as I'm unsure if these replies are threading right.

I have now downloaded the GDI+ detection tool from KB873374,
ran it and it quickly told me I had Windows Software with
the vulnerability, but did not tell me which.

I clicked Yes, for I would like to learn more,
and it brought me to

http://www.microsoft.com/athome/secu...jpeg_tool.mspx

which told me to go to
http://update.microsoft.com/microsof...6/default.aspx

Which is catch-22 for me, as I run windows update nearly every day
and it never offered the GDIPLUS fix since 2004.

Anyway I clicked the link and clicked Express, and that listed only SP2.

I decided to Review my update history, and I found:
Security Update for Windows XP (KB833987) with a green tick
on 18 September 2004

I decided to try the Office update, which tells me
Your Office products are up-to-date!
See list of products supported by Office Update

What should I do now, given that I do not want to be forced into SP2 yet?

Thanks,

 
 
Wikibob
Guest
Posts: n/a

 
      05-04-2006
"Wikibob" wrote:
> Wikibob <> wrote:
> Replying to myself (Message-ID:
> <D8E0A646-24E9-4BA2-8676-> replying to
> Robin Walker's reply Message-ID: <uDb#>),
> ...


Another reply to myself, and could someone please check my gdiplus scan log
below?

At last, I found a tool that tells me which of my gdiplus.dll's are
vulnerable!

From the Internet Storm Centre:
http://isc.sans.org/gdiscan.php

Here is my scan, could some expert tell me which one(s) might be causing
the GDI+ detection tool (gdidettool.exe) to keep telling me I have
a vulnerability?
I'm not worried about the \I386\ one, but what about the ServicePackFiles?

Scanning Drive C:...
C:\I386\ASMS\1000\MSFT\WINDOWS\GDIPLUS\GDIPLUS.DLL
Version: 5.1.3097.0 <-- Vulnerable version
C:\WINDOWS\system32\gdiplus.dll
Version: 5.1.3102.1355
C:\WINDOWS\system32\sxs.dll
Version: 5.1.2600.1579
C:\WINDOWS\WinSxS\InstallTemp\72167279\GdiPlus.dll
Version: 5.1.3102.1360
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
Version: 5.1.3097.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\GdiPlus.dll
Version: 5.1.3101.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.1360_x-ww_24a2ed47\GdiPlus.dll
Version: 5.1.3102.1360
C:\WINDOWS\$NtUninstallKB839645$\sxs.dll
Version: 5.1.2600.1106 <-- Possibly vulnerable (Backup for uninstall purposes)
C:\WINDOWS\$NtServicePackUninstall$\sxs.dll
Version: 5.1.2600.0 <-- Vulnerable version
C:\WINDOWS\$NtServicePackUninstall$\vgx.dll
Version: 6.0.2600.0 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\WINDOWS\ServicePackFiles\i386\sxs.dll
Version: 5.1.2600.1106 <-- Vulnerable version
C:\WINDOWS\ServicePackFiles\i386\vgx.dll
Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\WINDOWS\$NtUninstallKB841356$\sxs.dll
Version: 5.1.2600.1515
C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL
Version: 11.0.6412.0
C:\Program Files\HP\Digital Imaging\HP Print Screen\gdiplus.dll
Version: 5.1.3102.1360
C:\Program Files\HP\hpcoretech\comp\gdiplus.dll
Version: 5.1.3102.1360
C:\Program Files\Microsoft Office\OFFICE11\GDIPLUS.DLL
Version: 6.0.3266.0
Scan Complete.

Thanks,

 
 
Robin Walker
Guest
Posts: n/a

 
      05-05-2006
Wikibob <> wrote:

> I then checked the file versions of each gdiplus and found only 3
> were unfixed (ie. vulnerable according to the ms04-028.mspx FAQ):
>
> C:\I386\ASMS\1000\MSFT\WINDOWS\GDIPLUS
> 18/08/2001 14:00 1,700,352 GDIPLUS.DLL 5.1.3097.0
> (xpclient.010817-1148)
>
> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13
> 18/08/2001 14:00 1,700,352 GdiPlus.dll 5.1.3097.0
> (xpclient.010817-1148)
>
> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8
> 29/08/2002 03:41 1,703,936 GdiPlus.dll 5.1.3101.0
> (xpsp1.020828-1920)
>
> The first must be the original XP file, and I'm hoping the WinSxS
> ones can be ignored?


Yes, for the correct operation of Windows, you should *not* update these
three gdiplus.dll files.

--
Robin Walker [MVP Networking]
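
Added example, not part of any post in this thread: a triage of scan output in the path/"Version:" format shown above, sorting each gdiplus.dll copy by where it lives so that install sources, side-by-side store entries and uninstall backups are separated from the system copy and application-bundled copies. `BASELINE` is an assumption (the lowest gdiplus.dll version the scan above left unflagged), and the `ExampleApp` path is hypothetical.

```python
import re

# Assumption: lowest gdiplus.dll version the scan on this page left unflagged.
# Confirm it against the version table in the MS04-028 FAQ before relying on it.
BASELINE = (5, 1, 3102, 1355)

LOCATIONS = [  # matched in order against the lower-cased path
    (r"\\winsxs\\", "side-by-side store"),
    (r"\\\$nt\w*uninstall\w*\$\\", "uninstall backup"),
    (r"\\(i386|servicepackfiles)\\", "installation source"),
    (r"\\windows\\system32\\", "system copy"),
]

def parse_scan(text):
    """Pair each path line with the 'Version:' line that follows it."""
    findings, path = [], None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"Version:\s*([\d.]+)", line)
        if m and path:
            version = tuple(int(p) for p in m.group(1).split("."))
            location = next((name for rx, name in LOCATIONS
                             if re.search(rx, path.lower())), "application-bundled")
            findings.append({"path": path, "version": version, "location": location})
            path = None
        elif re.match(r"[A-Za-z]:\\", line):
            path = line
    return findings

def needs_attention(findings):
    """gdiplus.dll copies below BASELINE that are system or application copies."""
    return [f for f in findings
            if f["path"].lower().endswith("\\gdiplus.dll") and f["version"] < BASELINE
            and f["location"] in ("system copy", "application-bundled")]

# Constructed sample in the scan format above; the ExampleApp path is hypothetical.
SAMPLE = r"""
C:\I386\ASMS\1000\MSFT\WINDOWS\GDIPLUS\GDIPLUS.DLL
Version: 5.1.3097.0 <-- Vulnerable version
C:\WINDOWS\system32\gdiplus.dll
Version: 5.1.3102.1355
C:\Program Files\HP\hpcoretech\comp\gdiplus.dll
Version: 5.1.3102.1360
C:\Program Files\ExampleApp\gdiplus.dll
Version: 5.1.3097.0
"""

if __name__ == "__main__":
    for f in needs_attention(parse_scan(SAMPLE)):
        print(f["location"], f["path"], ".".join(map(str, f["version"])))
```

Copies reported as application-bundled are the ones to take to the application's vendor, as the first reply in this thread advises.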



 