
New GDI+ (GdiPlus.dll) released for security vulnerability

Status
Not open for further replies.

dbMark

Programmer
Apr 10, 2003
1,515
US
Last night Microsoft released a security update for GDI+ #MS04-028 - Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987). Windows XP and Server 2003 need it installed on the system, so use Microsoft's Windows Update. Older OS versions may be vulnerable if installed applications using the older GDI+ dll do not install the new dll. Here is the security bulletin:


While I do not know the extent to which this may affect VFP users, I am aware that recent versions of VFP do require access to the GDI+ DLL. So this information may be helpful and any clarifications to this post are appreciated.

Here is the new Platform SDK Redistributable: GDI+ gdiplus_dnld.exe dated 09/14/2004 and GDI+ version 3102.1360 where gdiplus.dll is 1,645,320 bytes dated 05/04/2004 11:53a:

Here is the new GDI+ detection tool gdidettool.exe to test for vulnerable Microsoft applications (though probably does not check third party software) dated 09/14/2004:

Of course, you will probably get what you need through Windowsupdate.microsoft.com but note these installation instructions in the accompanying redist.txt:

- For Windows XP use the system-supplied gdiplus.dll. Do not install a new gdiplus.dll over the system-supplied version (it will fail due to Windows File Protection).

- For Windows 2000, Windows Millennium Edition, Windows NT 4.0 and Windows 98, install gdiplus.dll into the private directory of the application not into the system directory.

dbMark
 
As I understand it, applications created by VFP and distributed to users do not need or use GdiPlus. Only the installed development/developer program requires it.
 
dbMark,

This is not true, run-time applications for VFP 8 and VFP 9 require the GDIPlus module to be deployed with your applications. The version installed with the VFP 9 beta is newer than the one installed with VFP 8, but is backwards compatible. I am not sure if the one released recently is the same one installed with the VFP 9 public beta, so it might be a good idea to get this patch. I do know that the one installed with VFP 9 did include security patches, but I am not sure if this is the same security patch.


_RAS
VFP MVP
 
Thanks, Rick. Does that mean the entire community has to respond to this?

Notice that the date of the DLL is May 4th, over 4 months ago, so it is possible that VFP9beta has it. I haven't installed it yet. Also I read in cNet's news.com that the Windows XP sp2 is not vulnerable to the flaw.


Why was this delayed so long, even after XP sp2? (How'd they sneak that one through? I thought all fixes had to be announced when released. Other companies have gotten a lot of flack for releasing fixes hidden with other updates.) I'd guess that it was to develop and test the detection tool, which is the other security update (GDI+ patch and GDI+ tool) just released.

This link has a button for users to Check for affected Imaging Software. I have not tested whether it will check for any application including VFP 8/9 apps that use the older GdiPlus.dll. If it does then all we have to do is kindly remind users to check their systems. Yikes!

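An added check for the concern dbMark raises above (the detection tool may not cover third-party applications that ship their own GdiPlus.dll); this is example code, not part of the thread or of any Microsoft tool. It lists every gdiplus.dll under a root and flags copies whose build.revision is below the 3102.1360 build quoted in the first post. Assumed: `$Root` and `$PatchedBuild` are placeholders to adjust, only the last two version components are compared, and nothing is modified.

```powershell
# Added example, not from the thread: audit copies of gdiplus.dll on a machine
# and flag those older than the patched build (3102.1360) quoted in the post.
# Assumptions: $Root and $PatchedBuild are placeholders to adjust; only the
# build.revision components are compared; nothing is modified or replaced.
param(
    [string]$Root = 'C:\',
    [string]$PatchedBuild = '3102.1360'
)

$refBuild, $refPrivate = $PatchedBuild.Split('.') | ForEach-Object { [int]$_ }

Get-ChildItem -Path $Root -Filter 'gdiplus.dll' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $vi = $_.VersionInfo   # System.Diagnostics.FileVersionInfo of the DLL
        # Older if the build number is lower, or same build with a lower revision.
        $older = ($vi.FileBuildPart -lt $refBuild) -or
                 ($vi.FileBuildPart -eq $refBuild -and $vi.FilePrivatePart -lt $refPrivate)
        # Copies under the Windows directory are the system-supplied DLL that
        # Windows Update services; anything else is an application-private copy
        # that the application's vendor has to redeploy (the redist.txt rule for
        # Windows 2000/Me/NT4/98).
        if ($_.FullName -like "$env:SystemRoot\*") { $where = 'system' } else { $where = 'app-private' }
        if ($older) { $status = 'OLDER THAN PATCH' } else { $status = 'ok' }
        [pscustomobject]@{
            Path        = $_.FullName
            FileVersion = $vi.FileVersion
            SizeBytes   = $_.Length
            Modified    = $_.LastWriteTime.ToString('yyyy-MM-dd')
            Location    = $where
            Status      = $status
        }
    } |
    Sort-Object Status, Path |
    Format-Table -AutoSize
```

Rows reported as app-private and older than the patch are the ones the thread worries about: Windows Update does not touch them, so the application that installed them has to ship the newer DLL.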
 
I am not sure I am qualified to answer any of your questions, but just because the file is dated May 2004 does not mean it ships the same day. Microsoft has extensive product testing and works with other software vendors as well to make sure this works the best it can.

As to us updating our clients, well this is always a difficult job to do.

Thanks for posting all this information.


_RAS
VFP MVP
 