KB833987 vs. KB833989

I'm currently in the middle of trying to decipher Microsoft's GDI+ security
flaw. Not the flaw itself, mind you, but what I'm supposed to do to patch
it.

For example, I've installed the Microsoft GDI+ Detection Tool (KB873374),
and all it does is run a webpage
http://www.microsoft.com/technet/sec.../MS04-028.mspx which gives
zero indication of what on my machine is actually broken, and rather links
to a list of everything that Microsoft knows is broken. This same list which
I can get by going to that webpage from another machine that didn't install
the GDI+ Detection Tool.

But at least the GDI+ Detection Tool doesn't show up as a critical update
anymore.

Now, on that webpage above, it makes reference to KB833989, which seems to
be an IE SP1 update. However, if this is indeed a critical update, then why
doesn't this KB appear as one inside Windows Update? Instead, I have
downloaded KB833987, which is listed as a Windows XP security update, and it
is critical. Am I to believe the GDI+ bug which affects IE isn't considered
critical?

I hope that this situation is straightened out before too many malware
writers start taking advantage of it. As soon as MS straightens it up, I'll
tell my friends that it's safe to use Windows Update once again.

This might help:

Internet Explorer 6 is only supported when using Windows XP, Windows XP
Service Pack 1, and Windows Server 2003. Internet Explorer 6 on Windows XP,
Windows XP Service Pack 1, and Windows Server 2003 uses the operating system
version of the vulnerable component. When the Windows XP, Windows XP Service
Pack 1, and Windows Server 2003 operating system update is installed,
Internet Explorer 6 is not vulnerable. Windows XP Service Pack 2 includes
Internet Explorer 6 Service Pack 2 and is not vulnerable to this issue.
Internet Explorer 6 is no longer in support on other operating systems and
may be vulnerable to this issue on those operating systems. Customers who do
not use Windows XP, Windows XP Service Pack 1, or Windows Server 2003 and who
use versions of Internet Explorer 6 that are earlier than Internet Explorer 6
Service Pack 1 should upgrade to Internet Explorer 6 Service Pack 1 and then
install the Internet Explorer 6 Service Pack 1 security update provided in
this security bulletin.


"The Number 23" wrote:

> I'm currently in the middle of trying to decipher Microsoft's GDI+ security
> flaw. Not the flaw itself, mind you, but what I'm supposed to do to patch
> it.
>
> For example, I've installed the Microsoft GDI+ Detection Tool (KB873374),
> and all it does is run a webpage
> http://www.microsoft.com/technet/sec.../MS04-028.mspx which gives
> zero indication of what on my machine is actually broken, and rather links
> to a list of everything that Microsoft knows is broken. This same list which
> I can get by going to that webpage from another machine that didn't install
> the GDI+ Detection Tool.
>
> But at least the GDI+ Detection Tool doesn't show up as a critical update
> anymore.
>
> Now, on that webpage above, it makes reference to KB833989, which seems to
> be an IE SP1 update. However, if this is indeed a critical update, then why
> doesn't this KB appear as one inside Windows Update? Instead, I have
> downloaded KB833987, which is listed as a Windows XP security update, and it
> is critical. Am I to believe the GDI+ bug which affects IE isn't considered
> critical?
>
> I hope that this situation is straightened out before too many malware
> writers start taking advantage of it. As soon as MS straightens it up, I'll
> tell my friends that it's safe to use Windows Update once again.
>
>
>

Cool thanks. That's exactly what I was looking for. Kind of a shame they
didn't number the IE6 fix the same as the WXP fix, since they target the
same DLL, and also show IE6 as an affected component on the useless page
that follows the GDIDoNothingAtAllDetectionTool.

Brian


"TheBFG" <> wrote in message
news:B6958F0A-9B68-498F-91F0-...
> This might help:
>
IE6 is only supported on WXP, WXPSP1, and WS03. IE6 on WXP, WXPSP1, and WS03
use the OS of the vulnerable component. When the WXP, WXPSP1, and WS03 OS
update is installed, IE6 is not vulnerable. WXPSP2 includes IE6SP2 and is
not vulnerable to this issue. IE6 is no longer in support on other OSes and
may be vulnerable to this issue on those OSes. Customers who do not use WXP,
WXPSP1, or WS03 and who use versions of IE6 that are earlier than IE6SP1
should upgrade to IE6SP1 and then install the IE6SP1 security update
provided in this security bulletin. IMHOWYSIWYGMSBS=TRUE
>
>
> "The Number 23" wrote:
>
> > I'm currently in the middle of trying to decipher Microsoft's GDI+
security
> > flaw. Not the flaw itself, mind you, but what I'm supposed to do to
patch
> > it.
> >
> > For example, I've installed the Microsoft GDI+ Detection Tool
(KB873374),
> > and all it does is run a webpage
> > http://www.microsoft.com/technet/sec.../MS04-028.mspx which
gives
> > zero indication of what on my machine is actually broken, and rather
links
> > to a list of everything that Microsoft knows is broken. This same list
which
> > I can get by going to that webpage from another machine that didn't
install
> > the GDI+ Detection Tool.
> >
> > But at least the GDI+ Detection Tool doesn't show up as a critical
update
> > anymore.
> >
> > Now, on that webpage above, it makes reference to KB833989, which seems
to
> > be an IE SP1 update. However, if this is indeed a critical update, then
why
> > doesn't this KB appear as one inside Windows Update? Instead, I have
> > downloaded KB833987, which is listed as a Windows XP security update,
and it
> > is critical. Am I to believe the GDI+ bug which affects IE isn't
considered
> > critical?
> >
> > I hope that this situation is straightened out before too many malware
> > writers start taking advantage of it. As soon as MS straightens it up,
I'll
> > tell my friends that it's safe to use Windows Update once again.
> >
> >
> >