Windows Vista Tips


Re: Security Update for JPEG Processing (GDI+) - I'm a little confused.

 
 
Torgeir Bakken (MVP)

 
      09-15-2004
Jentle Jiant wrote:

> Running WinXP Home Edition with SP2 installed.
>
> I am all up to date on updates. But I am confused.
>
> Installed the September 2004 Security Update for JPEG Processing
> (GDI+) .
>
> It said I had applications which were affected. I expected that. I
> have several graphics applications. And it said a list of the affected
> application was at:
>
> http://www.microsoft.com/security/bu...jpeg_tool.mspx
>
> There was no list.
>
> The only applicable link for me was to Office Update, which I did.
> Included Office Service Pack 3, plus 3 security updates. Got them.
> Installed them.
>
> Here's what I'm confused about. I expected to be shown a list which
> included Paint Shop Pro, Photoshop, etc. Maybe even viewers like
> Irfanview. But there was no such list.
>
> Did I miss something? Is there some way to run the tool again that
> would give me a list?

Hi

The list is available here:

Microsoft Security Bulletin MS04-028
Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)
http://www.microsoft.com/technet/sec.../ms04-028.mspx


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scr...r/default.mspx
 
Torgeir Bakken (MVP)

 
      09-15-2004
Jentle Jiant wrote:

> On Wed, 15 Sep 2004 14:50:04 +0200, "Torgeir Bakken (MVP)"
> <Torgeir.Bakken-> wrote:
>
>>
>>The list is available here:
>>
>>Microsoft Security Bulletin MS04-028
>>Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)
>>http://www.microsoft.com/technet/sec.../ms04-028.mspx

>
>
> Thanks so much for the link.
>
> Which leads to another question:
>
> Is only Microsoft software vulnerable to this JPEG related flaw?
>
> Do I not have to be concerned about Photoshop, etc?

Hi

Photoshop could be vulnerable, especially if you find GdiPlus.dll
in Photoshop's program folder. But I would not be too concerned,
the attack vector for Photoshop is pretty slim (it's worse for
Outlook Express and IE that need to handle JPGs pouring in from
the Internet from all types of sources).


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scr...r/default.mspx
 
Torgeir Bakken (MVP)

 
      09-15-2004
Jentle Jiant wrote:

> On Wed, 15 Sep 2004 19:46:27 +0200, "Torgeir Bakken (MVP)"
> <Torgeir.Bakken-> wrote:
>
>>Photoshop could be vulnerable, especially if you find GdiPlus.dll
>>in Photoshop's program folder. But I would not be too concerned,
>>the attack vector for Photoshop is pretty slim (it's worse for
>>Outlook Express and IE that need to handle JPGs pouring in from
>>the Internet from all types of sources).

>
>
> Thanks. The feedback is appreciated...But... I am getting more and
> more baffled.
>
> COULD be vulnerable? No way to know? There is no fix? There is nothing
> I can do?


You could contact Adobe and ask if they have static linked GDI+ code
from the Microsoft SDK in Photoshop. If they have, Photoshop might
be vulnerable.


> I found 4 instances of "GdiPlus.dll". One is in Picture it 2002,
> ( I thought the Office Service pack 3 and Update I did was supposed to
> fix vulnerabilities in Works apps too?)


There is a separate "Picture it" update here (Windows Update and
Office Updates will not cover all the vulnerable Microsoft programs):

http://www.microsoft.com/technet/sec.../ms04-028.mspx


> The others are in the Windows/WinSx_Windows.GDPlus_ folders.
> What am I supposed to do with these?


Don't mess with them, they are protected by the system (WinSxS is
SideBySide installations), but I would think the system defaults
to use the newest version there.


> What about other, non-Microsoft apps? Corel Draw, Picture Paint, Paint
> Shop Pro? Is there a list available of those affected ? And fixes for
> them?


I have not seen a list (but I guess someone somewhere outside Microsoft
is working on it), and if any of those are vulnerable, I doubt they
have a fix ready at this time.

>
> Confused and baffled.


Yeah, I know, it is a real mess


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scr...r/default.mspx
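
An inventory of the GdiPlus.dll copies discussed in the reply above, as an added example that is not part of the original thread. It assumes Windows PowerShell 5.1 or later; the `MinFixedVersion` and `Roots` parameters are names chosen for this example, and the fixed file version must be taken from the MS04-028 bulletin because the thread does not state it.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1 or later.
param(
    # Assumption: the first fixed GdiPlus.dll file version, copied by hand from
    # the MS04-028 bulletin; this thread does not state it.
    [Parameter(Mandatory = $true)][version]$MinFixedVersion,
    # Folders to search; the whole system drive by default (slow but complete).
    [string[]]$Roots = @("$env:SystemDrive\")
)

$copies = Get-ChildItem -Path $Roots -Filter 'gdiplus.dll' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi = $_.VersionInfo
        # Use the numeric fields; a file with no version resource becomes 0.0.0.0
        # and is therefore flagged as old.
        $ver   = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
        $inSxS = $_.FullName -like '*\WinSxS\*'
        $old   = $ver -lt $MinFixedVersion
        $action = if ($inSxS) {
            'System-managed side-by-side copy: leave it alone, Windows updates service it'
        } elseif ($old) {
            'Private copy older than the fixed build: needs that product''s own update'
        } else {
            'Private copy at or above the fixed build'
        }
        [pscustomobject]@{
            Version = $ver
            Old     = $old
            WinSxS  = $inSxS
            Path    = $_.FullName
            Action  = $action
        }
    }

# Private copies first, oldest build first, then the WinSxS copies.
$copies | Sort-Object WinSxS, Version | Format-List
"{0} copies found, {1} below {2}" -f @($copies).Count, @($copies | Where-Object Old).Count, $MinFixedVersion
```

A file scan like this only finds separate DLL copies; it cannot tell whether a program has GDI+ code statically linked into its own executable, which is the case the reply says to ask the vendor about.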
 
Bones

 
      09-21-2004


"Jentle Jiant" wrote:

> On Wed, 15 Sep 2004 21:28:53 +0200, "Torgeir Bakken (MVP)"
> <Torgeir.Bakken-> wrote:
>
> >Jentle Jiant wrote:
> >
> >> On Wed, 15 Sep 2004 19:46:27 +0200, "Torgeir Bakken (MVP)"
> >> <Torgeir.Bakken-> wrote:
> >>
> >>>Photoshop could be vulnerable, especially if you find GdiPlus.dll
> >>>in Photoshop's program folder. But I would not be too concerned,
> >>>the attack vector for Photoshop is pretty slim (it's worse for
> >>>Outlook Express and IE that need to handle JPGs pouring in from
> >>>the Internet from all types of sources).
> >>
> >>
> >> Thanks. The feedback is appreciated...But... I am getting more and
> >> more baffled.
> >>
> >> COULD be vulnerable? No way to know? There is no fix? There is nothing
> >> I can do?

> >
> >You could contact Adobe and ask if they have static linked GDI+ code
> >from the Microsoft SDK in Photoshop. If they have, Photoshop might
> >be vulnerable.
> >
> >
> >> I found 4 instances of "GdiPlus.dll". One is in Picture it 2002,
> >> ( I thought the Office Service pack 3 and Update I did was supposed to
> >> fix vulnerabilities in Works apps too?)

> >
> >There is a separate "Picture it" update here (Windows Update and
> >Office Updates will not cover all the vulnerable Microsoft programs):
> >
> >http://www.microsoft.com/technet/sec.../ms04-028.mspx
> >
> >
> >> The others are in the Windows/WinSx_Windows.GDPlus_ folders.
> >> What am I supposed to do with these?

> >
> >Don't mess with them, they are protected by the system (WinSxS is
> >SideBySide installations), but I would think the system defaults
> >to use the newest version there.
> >
> >
> >> What about other, non-Microsoft apps? Corel Draw, Picture Paint, Paint
> >> Shop Pro? Is there a list available of those affected ? And fixes for
> >> them?

> >
> >I have not seen a list (but I guess someone somewhere outside Microsoft
> >is working on it), and if any of those are vulnerable, I doubt they
> >have a fix ready at this time.
> >
> >>
> >> Confused and baffled.

> >
> >Yeah, I know, it is a real mess

>
> First, I really appreciate the responses. I really have come to rely
> on the MVP's.
>
> Second, it is beyond comprehension that Microsoft does not publish a
> list of possibly affected software, and does not provide even a clue
> what to do about them.
>
> Personally I don't use any Microsoft programs when I work on Graphics.
> I don't know anyone who does. So I am apparently left to my own
> devices to fix a problem that they caused. They basically abandoned us
> if we have the temerity to use other companies' software. It is their
> fault, their OS that caused this.
>
> I find this reprehensible. I'm not one of the legions of MS haters,
> but this has got me really both ****ed off and apprehensive. JPEGs are
> the most widely distributed images. And now I have to wonder if I even
> View an image on a web page, will I somehow damage my system. The
> bulletin said there is a potential for an attack if one "opens" a
> file with the malicious code. Does Viewing constitute opening? Not by
> my definition. But I have no reason to think that my logic would apply
> here.
>
> This TOTALLY SUCKS!
> (forgive the rant. I just had to vent!)
> Jentle Jiant
>


I installed the GDI tool from Windows Update and Adobe Photoshop 7.0 worked at
a very slow pace thereafter. In fact I am at the point of reinstalling
Photoshop; it takes a minute to open up a 15k graphic and even longer to
create a new canvas. Photoshop 7.0 was working fine up until I installed
the GDI update.
 