GDI+ Security

Thread starter: HRon

After running Microsoft's GDI+ update, I did a search for
the gdiplus.dll file. I found three different versions
installed: 5.1.3097, 5.1.3101 and 5.1.3102. Should all
be replaced with the most recent, or are all safe with
SP2?
 
According to the web site you are up to date with XP SP2, but you may also
need to make sure you have all Office updates.
 
HRon said:
After running Microsoft's GDI+ update, I did a search for
the gdiplus.dll file. I found three different versions
installed: 5.1.3097, 5.1.3101 and 5.1.3102. Should all
be replaced with the most recent, or are all safe with
SP2?
Hi

That depends on where they are located, and what programs use
them.

You need not worry about old versions of gdiplus.dll located in
%windir%\WinSxS\... as long as you also find a v5.1.3102.1360 in there
(that is, you have updated with the WinXP hotfix from the MS04-028
bulletin or from Windows Update).

Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution
http://www.microsoft.com/technet/security/Bulletin/MS04-028.mspx

Files in %windir%\WinSxS\... are system-protected files that you will
not be able to replace, and it is not necessary either; the system
will force applications that use gdiplus.dll from %windir%\WinSxS\...
to use the latest version anyway.

Once you have finished installing *all* relevant updates from
the MS04-028 bulletin, if you still find 5.1.x.x gdiplus.dll files on
the hard disk with a lower version number than 5.1.3102.1355 (yes,
5.1.3102.1355 and not 5.1.3102.1360) outside %windir%\WinSxS\...,
you should replace them with the gdiplus.dll v5.1.3102.1360 file
that is available here:

Platform SDK Redistributable: GDI+
http://www.microsoft.com/downloads/...9C-DF12-4D41-933C-BE590FEAA05A&displaylang=en
(this download link is also found in the MS04-028 bulletin)

I suggest you create a backup somewhere of all the old 5.1.x.x
versions that you find outside %windir%\WinSxS\... before replacing
them, just in case the application using the DLL doesn't like
the replacement (unlikely though).
 
Quick questions on this:

1) Is it only GDIPLUS.DLL that is affected?
2) What's the lowest safe version of this file?

That's the only info I'd need to exclude this issue.
 
cquirke said:
Quick questions on this:

1) Is it only GDIPLUS.DLL that is affected?

Sadly, it isn't, but it will cover a lot of the products. Some
exceptions:

IE6: Vgx.dll
Office XP, Project 2002, and Visio 2002: Mso.dll
For Visual Studio .NET, in addition to gdiplus.dll, you need to
update gdiplus.msm

And for Windows XP SP0/SP1, Sxs.dll needs to be updated together with
Gdiplus.dll in the OS folder. Both files are protected by the operating
system, so you need to use the hotfix installer supplied by Microsoft
to be able to update them.

2) What's the lowest safe version of this file?

For GdiPlus.dll versions 5.1.x.x, version 5.1.3102.1355 and above
are OK.

The GDI+ security updates for Office 2003, Project 2003, and Visio 2003
have version 6.0.3264.0 of GdiPlus.dll, but those are the only places I
have seen a v6.0.x.x of GdiPlus.dll.
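The two replies above give a concrete rule: search the disk for gdiplus.dll, ignore old copies under %windir%\WinSxS\... once a 5.1.3102.1360 copy is present there, and replace any 5.1.x.x copy elsewhere that is below 5.1.3102.1355. The following script is an added example, not code from this thread or from Microsoft, that applies that rule to an inventory of found copies. The verdict names (`ok`, `replace`, `ignore-winsxs`, `install-hotfix`, `unknown`), the sample paths and the treatment of 6.0.3264.0 as the Office 2003 update build are my own assumptions drawn from the replies; the `file_version` helper reads the PE version resource through the Win32 `version.dll` API with ctypes and only works on Windows, so the constructed sample inventory is used anywhere else.

```python
"""Audit copies of gdiplus.dll against the MS04-028 version advice given in this thread.

Added example, not code from the thread or from Microsoft. The verdict rules are an
assumption based on the replies above: 5.1.x.x copies outside %windir%\\WinSxS must be
>= 5.1.3102.1355 or be replaced with the 5.1.3102.1360 redistributable; older copies
under WinSxS can be ignored once a 5.1.3102.1360 copy is present there; 6.0.3264.0 is
the build the Office/Project/Visio 2003 updates ship.
"""
import ctypes
import os
import sys

MIN_SAFE_51 = (5, 1, 3102, 1355)   # lowest safe 5.1.x.x build named in the thread
FIXED_51 = (5, 1, 3102, 1360)      # build shipped by the XP hotfix / SDK redistributable
OFFICE_2003_60 = (6, 0, 3264, 0)   # build shipped by the Office/Project/Visio 2003 updates


def parse_version(text):
    """'5.1.3102.1355' -> (5, 1, 3102, 1355); also accepts the '5,1,3102,1355' form."""
    parts = text.replace(",", ".").split(".")
    return tuple(int(p) for p in parts[:4])


def in_winsxs(path):
    """True when the path lies under a WinSxS directory (case-insensitive)."""
    return "\\winsxs\\" in path.replace("/", "\\").lower()


def classify(path, version, fixed_winsxs_present):
    """Verdict for one copy: 'ok', 'replace', 'ignore-winsxs', 'install-hotfix' or 'unknown'."""
    v = parse_version(version)
    if v[:2] == (5, 1):
        if v >= MIN_SAFE_51:
            return "ok"
        if in_winsxs(path):
            # Protected by the OS: cannot be swapped by hand, and need not be once the
            # hotfixed 5.1.3102.1360 copy sits beside it; otherwise the hotfix is missing.
            return "ignore-winsxs" if fixed_winsxs_present else "install-hotfix"
        return "replace"          # below 5.1.3102.1355 and outside WinSxS
    if v == OFFICE_2003_60:
        return "ok"
    return "unknown"              # branch the thread says nothing about: check by hand


def audit(inventory):
    """inventory: iterable of (path, version_string). Returns {path: verdict}."""
    inventory = list(inventory)
    fixed_present = any(in_winsxs(p) and parse_version(v)[:2] == (5, 1)
                        and parse_version(v) >= FIXED_51 for p, v in inventory)
    return {p: classify(p, v, fixed_present) for p, v in inventory}


def file_version(path):
    """Read the fixed FILEVERSION from a PE version resource via version.dll (Windows only)."""
    ver = ctypes.windll.version
    size = ver.GetFileVersionInfoSizeW(path, None)
    if not size:
        return None
    buf = ctypes.create_string_buffer(size)
    if not ver.GetFileVersionInfoW(path, 0, size, buf):
        return None
    info = ctypes.c_void_p()
    length = ctypes.c_uint()
    if not ver.VerQueryValueW(buf, "\\", ctypes.byref(info), ctypes.byref(length)):
        return None
    # VS_FIXEDFILEINFO: dwFileVersionMS is DWORD 2, dwFileVersionLS is DWORD 3
    fixed = ctypes.cast(info, ctypes.POINTER(ctypes.c_uint32 * 13)).contents
    ms, ls = fixed[2], fixed[3]
    return "%d.%d.%d.%d" % (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def scan(root):
    """Walk root for gdiplus.dll copies and yield (path, version)."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() == "gdiplus.dll":
                full = os.path.join(dirpath, name)
                version = file_version(full)
                if version:
                    yield full, version


# Constructed sample inventory mirroring the three builds HRon found; not real output.
SAMPLE_INVENTORY = [
    (r"C:\WINDOWS\WinSxS\old\gdiplus.dll", "5.1.3097.0"),
    (r"C:\WINDOWS\WinSxS\hotfixed\gdiplus.dll", "5.1.3102.1360"),
    (r"C:\Program Files\SomeApp\gdiplus.dll", "5.1.3101.0"),
    (r"C:\Program Files\OtherApp\gdiplus.dll", "5.1.3102.1355"),
    (r"C:\Program Files\Office2003App\gdiplus.dll", "6.0.3264.0"),
]

if __name__ == "__main__":
    # Usage on Windows: python gdiplus_audit.py C:\   (falls back to the sample data elsewhere)
    use_disk = len(sys.argv) > 1 and os.name == "nt"
    inventory = list(scan(sys.argv[1])) if use_disk else SAMPLE_INVENTORY
    for path, verdict in sorted(audit(inventory).items()):
        print("%-14s %s" % (verdict, path))
```

A `replace` verdict is the case the reply tells you to back up and overwrite with the redistributable's 5.1.3102.1360; `install-hotfix` means no patched copy was found under WinSxS at all, so the system hotfix itself is still missing and hand-copying would not help.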
 
cquirke (MVP Win9x) wrote:
Sadly, it isn't, but it will cover a lot of the products. Some
exceptions:
IE6: Vgx.dll
Office XP, Project 2002, and Visio 2002: Mso.dll
For Visual Studio .NET, in addition to gdiplus.dll, you need to
update gdiplus.msm

Oy. What happens to these if you just punch out GDIPLUS.DLL to the
correct (i.e. safe) version; are they...
- broken, on a "version soup" basis?
- still vulnerable, because the hole is in the other files?
- still vulnerable, because they splat back the older version?
And for Windows XP SP0/SP1, Sxs.dll needs to be updated together with
Gdiplus.dll in the OS folder. Both files are protected by the operating
system, so you need to use the hotfix installer supplied by Microsoft
to be able to update them.

That sounds like the last of the three outcomes above.
For GdiPlus.dll versions 5.1.x.x, version 5.1.3102.1355 and above
are OK.
The GDI+ security updates for Office 2003, Project 2003, and Visio 2003
have version 6.0.3264.0 of GdiPlus.dll, but those are the only places I
have seen a v6.0.x.x of GdiPlus.dll.

With a soup of different versions, do all apps use whichever one is in
memory at the time, and only look for one off disk if none is in
memory, starting from "." and then the lookup path?

Or does XP's Side by Side (SxS) manage this?

If the latter, does that imply afflicted apps run only in XP?


------------ ----- ---- --- -- - - - -
The most accurate diagnostic instrument
in medicine is the Retrospectoscope
 