GDI+ Security Vulnerability

There is a new critical security vulnerability that affects a wide range of software and can't be fully patched through Windows Update alone. The flaw is in GDI+ (gdiplus.dll), the graphics library that many Windows applications use: a maliciously crafted JPEG image can trigger a buffer overrun and execute arbitrary code, and the images on a web page are enough to deliver it; no scripting is required.
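The malformed-JPEG trigger described above, as an added example that is not part of the original post and is not Microsoft's detection tool: the MS04-028 defect (CVE-2004-0200) is in GDI+'s handling of the JPEG COM (0xFFFE) segment length field. That field counts its own two bytes, so a value of 0 or 1 is invalid; GDI+ subtracted 2 from it, the unsigned result wrapped to a huge value, and the subsequent copy overran a heap buffer. The Python below walks a JPEG's marker segments and flags any segment whose length field is below 2 or runs past the end of the file. The sample byte strings are constructed inline for illustration; the "malicious" one only carries the bad length field and is not a working exploit.

```python
import struct

# JPEG marker bytes (the byte that follows 0xFF).
SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
RST0, RST7, TEM = 0xD0, 0xD7, 0x01


def scan_jpeg_segments(data: bytes):
    """Walk the marker segments of a JPEG and return a list of findings.

    Each finding is (offset, marker, reason).  A segment is laid out as
    0xFF <marker> <big-endian 16-bit length> <payload>, and the length
    includes the two length bytes themselves, so anything below 2 is
    invalid.  That is precisely the MS04-028 condition when the marker
    is COM: GDI+ computed length - 2 as an unsigned value, which wrapped.
    An empty list means the header segments parsed cleanly.
    """
    findings = []
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        findings.append((0, None, "missing SOI marker; not a JPEG"))
        return findings

    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            findings.append((pos, None, "expected 0xFF marker prefix"))
            return findings
        marker = data[pos + 1]

        if marker == 0xFF:            # fill byte between markers; skip it
            pos += 1
            continue
        if marker == EOI:             # end of image: header parse complete
            return findings
        if marker in (SOI, TEM) or RST0 <= marker <= RST7:
            pos += 2                  # standalone markers carry no length
            continue
        if pos + 4 > len(data):
            findings.append((pos, marker, "truncated length field"))
            return findings

        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            reason = f"segment length {length} < 2 (unsigned underflow of length-2)"
            if marker == COM:
                reason += "; this is the MS04-028 COM-segment trigger"
            findings.append((pos, marker, reason))
            return findings
        if pos + 2 + length > len(data):
            findings.append((pos, marker, "segment length runs past end of file"))
            return findings
        if marker == SOS:             # entropy-coded scan follows; header done
            return findings
        pos += 2 + length

    findings.append((pos, None, "no EOI marker"))
    return findings


def flags_ms04028(data: bytes) -> bool:
    """True if the file carries a COM segment with an invalid (< 2) length."""
    return any(marker == COM and "< 2" in reason
               for _, marker, reason in scan_jpeg_segments(data))


# Constructed samples (not real files): SOI, a JFIF APP0 segment,
# a COM segment, then EOI.  Only the COM length field differs.
_APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
BENIGN = b"\xff\xd8" + _APP0 + b"\xff\xfe\x00\x07hello" + b"\xff\xd9"
MALICIOUS = b"\xff\xd8" + _APP0 + b"\xff\xfe\x00\x01" + b"\xff\xd9"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(name, scan_jpeg_segments(sample), flags_ms04028(sample))
```

Pointing `scan_jpeg_segments` at real files would be a reasonable way to triage an image cache or mail store for this specific trigger; it only parses the header segments and does not attempt to decode image data, so it is cheap to run over many files.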

Windows Update will patch the operating system components, but many applications ship their own copy of GDI+, so you also need to go to the Office Update site and update any other software on your machine that bundles it.

Of particular note for developers: the .NET Framework (unless you are on the latest service pack) and even Visual Studio .NET 2002 and 2003 are affected and need to be patched separately.

The full bulletin, with links to all the various patches, is available here: http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

Windows Update will also offer you a GDI+ Detection Tool that scans your hard drive for affected components. I strongly recommend everybody jump on this one quickly.

Comments

  • Barry Gervin September 20, 2004 10:24 AM

    In the security bulletin, it states that Windows XP SP2 is unaffected. Does that mean that I'm protected if I'm running SP2, or can other software, like Office/.NET Framework/etc., still be vulnerable?

  • Barry Gervin September 20, 2004 11:03 AM

    I think you hit the nail on the head. With XP SP2 installed, the OS is protected, but other software can still be vulnerable. That's my understanding.
