This is the message from the GDI+ Detection Tool. All UPPER CASE indicates
my emphasis, which emphasis is not in the original:
"The software tools has detected that you are running software that MAY
contain a security vulnerability. There are security updates available from
Microsoft that fix this security vulnerability."
That sentence explicitly implies that you are running software that MAY NOT
contain the vulnerability. It is made even more clear in the accompanying
documentation that this would be the case if the system has already been
patched, nullifying the vulnerabilities(s). I see no conflict.
The problem, I think, is that you expect the GDI+ Detection Tool to detect
whether or not the patch has been applied that nullifies the vulnerability.
The tool doesn't do that. It doesn't even detect if any vulnerability
exists. It simply looks to see if you have software that MAY be vulnerable,
(and I'll interject here that you might, for example, have Office XP
installed, but not the specific component of Office that has the
vulnerability). It simply tells you if that software is present, not whether
it actually contains the vulnerability nor whether, IF it has the
vulnerability, it's been patched.
Say you heard about a recall that MAY apply to your car. You go online to
the company's site, you enter your VIN number and it says, "You drive a
vehicle that may have the defective part. There are free replacement parts
available if your part is defective. Follow these instructions to find out
if you have the defective part, and to obtain a replacement if it turns out
that you do. If inspection results in a finding that you do NOT have the
defective part, then you do not need to reinstall the part." The
instructions say to take the vehicle to your dealership and have them
inspect it.
Now, if your specific vehicle just happens to not have the defective part,
there are three plausible reasons I can think of: 1. Only some certain batch
of parts were defective and your vehicle didn't get the part from that
batch. 2. Your dealership replaced the part as part of regular maintenance
and you simply weren't told about it. 3. You *did* have the defective part,
but it was only one component of a larger component that had been replaced,
including the replacement part. (Think "Service Pack".)