24 September 2004

JPG vulnerability

First, go here and read the bad news:

http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx

Next, go here, and grab the little tool:

http://isc.sans.org/gdiscan.php

Upon running the tool, you will get output that looks something like this:

Scanning...
C:\WINNT\Microsoft.NET\Framework\v1.1.4322\gdiplus.dll Version: 5.1.3102.1360
C:\Program Files\Common Files\Microsoft Shared\Ink\gdiplus.dll Version: 5.1.3097.0 <-- Vulnerable version
Scan Complete.

If you have no red entries, yer good to go. Now here's the kicker: the scanner may find a copy somewhere that actually is the bad old version (see the sample above). You may also notice after reading the TechNet bulletin that Microsoft will only tell you which of their products are affected. So guess what... you have no way of knowing which app you have (or had) installed on your box put that copy of gdiplus.dll there. In the example above, I simply copied the good version over the bad version... nothing broke, but you can get away with that in Windows 2000. Windows XP File Protection may or may not like that action; your mileage may vary. AV software may put up a fuss, too.

Good luck.
Dean
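
An added example, not part of the original post and not the SANS tool: a PowerShell (3.0 or later) inventory of every gdiplus.dll on local fixed disks, where the containing folder is the best available hint for which application installed that copy. The `$KnownGood` value is an assumption taken from the unflagged line in the sample output above; substitute the fixed version given in the bulletin.

```powershell
# Added example: inventory every copy of gdiplus.dll on local fixed disks.
param(
    # Assumption: the version the sample scan left unflagged is used as the
    # reference. Replace it with the fixed version stated in the bulletin.
    [version]$KnownGood = '5.1.3102.1360'
)

# DriveType 3 = local fixed disk (skips CD-ROM, network and removable drives).
$roots = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' |
    ForEach-Object { $_.DeviceID + '\' }

$copies = foreach ($root in $roots) {
    # -Force includes hidden/system folders; unreadable folders are skipped.
    Get-ChildItem -Path $root -Filter 'gdiplus.dll' -File -Recurse -Force `
                  -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Build the version from its numeric parts. The FileVersion string
            # can carry a trailing build label that [version] cannot parse.
            # A file with no version resource comes out as 0.0.0.0.
            $ver = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart,
                $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)

            [pscustomobject]@{
                Version            = $ver
                OlderThanKnownGood = $ver -lt $KnownGood   # numeric, not string, compare
                Modified           = $_.LastWriteTime
                Folder             = $_.DirectoryName      # hint for the owning app
            }
        }
}

# Oldest copies first, so the ones that need attention are at the top.
$copies | Sort-Object Version | Format-Table -AutoSize -Wrap
```

Copies flagged `OlderThanKnownGood` are candidates for the vendor's update for whatever product owns that folder; the script only reads file metadata and changes nothing.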
