GDI+ Security Update

CKIFTC

I am running XP SP2. When I visit Windows Update I am
told that I should install the GDI+ security update.
However, reading further into the issue tells me that SP2
users are not affected and only should update Office (if
installed).

I guess I am curious why Windows Update is telling me I
need the update - if I am using SP2? Can't Windows
Update detect this?
 
CKIFTC said:
I am running XP SP2. When I visit Windows Update I am
told that I should install the GDI+ security update.
However, reading further into the issue tells me that SP2
users are not affected and only should update Office (if
installed).

I guess I am curious why Windows Update is telling me I
need the update - if I am using SP2? Can't Windows
Update detect this?

I believe it downloads the MS GDI+ Detection Tool (Gdidettool.exe)
which you may use in the future to see if you have added any
programs that present a risk. When you go to Office Updates, I
believe it executes the tool to see which Office apps are at risk
and which updates are required.
See KB873374 which discusses the update that will be installed if
you use Windows Update.
http://support.microsoft.com/default.aspx?scid=kb;[LN];873374#4
 
Hi,

The GDI+ is a scanning tool, thus you are being prompted by Windows Update.
If you have SP2 installed your Windows will not be vulnerable.

Regards,
Kit
 
CKIFTC said:
I am running XP SP2. When I visit Windows Update I am
told that I should install the GDI+ security update.
However, reading further into the issue tells me that SP2
users are not affected and only should update Office (if
installed).

I guess I am curious why Windows Update is telling me I
need the update - if I am using SP2? Can't Windows
Update detect this?

Hi

You will also need to upgrade the .Net Framework if you have
anything older than the last Service Pack version for the .Net
Framework installed (goes for both v1.0 and v1.1).

Also, there are other cases where you can be vulnerable, even if
you have WinXP SP2 installed, and have updated the .Net framework
and any Office product. The quote below is relevant for SP2 as
well.


Microsoft Security Bulletin MS04-028
Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)
http://www.microsoft.com/technet/security/Bulletin/MS04-028.mspx

From the "Frequently asked questions (FAQ) related to this security
update" section in the link above:

<quote>
Could I still be vulnerable even after I have installed all
required security updates?

Yes. There are cases in which you might be vulnerable to this
issue even after you install the required operating system update
and the updates for programs or components that are listed in the
Affected Software and Affected Components sections of this
bulletin. The following examples document some of the possible
cases:

• You may have installed a third-party program that has installed
the affected component. If the Gdiplus.dll file is installed on
your system, you may have to install an update for that program.
It is possible that not every program that installs this file is
vulnerable to this issue because it may not use the Gdiplus.dll
file to process JPEG images. However, only the manufacturer of
that program can make that determination. This could include third
party applications that were developed using Visual Studio .NET
2002, Visual Studio .NET 2003, or the Microsoft .NET Framework 1.0
SDK Service Pack 2. Typically, even if the affected component is
installed on a system that is running Windows XP or Windows Server
2003, the program still uses the operating system version of the
affected component.

• On Windows XP or Windows Server 2003, it is possible for a
developer or administrator to force a program to bypass the
vulnerable operating system component and instead use a version
that they supply. This feature is not likely to be used in most
circumstances. You may want to consider contacting the third-party
application manufacturer for an updated version of their program,
if they verify that their program uses this bypass feature. Steps
to determine if you are using such a program are located in
Microsoft Knowledge Base Article 835322.


In these cases, you would only be vulnerable to this issue while
using the affected program to process images. Installing the
operating system update and the updates for the affected programs
and components listed in this bulletin will help reduce the chance
that you will be attacked from the most common attack vectors an
attacker could use to exploit this vulnerability.
</quote>
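
The FAQ quoted above notes that third-party programs can install their own copy of Gdiplus.dll. The following PowerShell sketch is an added example, not part of the thread, not Microsoft's detection tool, and not code from any poster; it inventories every copy of the file and its version. The function name `Get-GdiPlusCopy` and both parameters are hypothetical, and the minimum fixed version must be taken from the vendor bulletin because this thread does not state it.

```powershell
# Added example: inventory every copy of gdiplus.dll under the given roots.
param(
    # Assumption: scan the system drive unless other roots are given.
    [string[]]$Root = @("$env:SystemDrive\"),
    # Assumption: the operator supplies the fixed file version from the vendor
    # bulletin; the thread does not state it, so there is no default.
    [version]$MinimumVersion
)

function Get-GdiPlusCopy {
    param([string[]]$Path, [version]$Minimum)

    Get-ChildItem -Path $Path -Filter 'gdiplus.dll' -File -Recurse -Force `
                  -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Build the version from its numeric parts: the FileVersion string
            # can carry trailing build text that [version] cannot parse.
            $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                  $vi.FileBuildPart, $vi.FilePrivatePart)
            [pscustomobject]@{
                Path         = $_.FullName
                Version      = $ver
                # A copy outside the Windows directory was shipped by an
                # application and is not replaced by the operating system update.
                InWindowsDir = $_.FullName.StartsWith(
                                   $env:windir,
                                   [StringComparison]::OrdinalIgnoreCase)
                # $null when no minimum was supplied, so nothing is guessed.
                BelowMinimum = if ($Minimum) { $ver -lt $Minimum } else { $null }
            }
        }
}

# Emit one object per copy, oldest version first.
Get-GdiPlusCopy -Path $Root -Minimum $MinimumVersion |
    Sort-Object Version, Path
```

A copy listed with `InWindowsDir` false belongs to an installed program; as the FAQ says, only that program's manufacturer can confirm whether it uses the file to process JPEG images.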
 