<<< Date Index >>>     <<< Thread Index >>>

RE: Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow



Let me get this straight: It really doesn't matter if the version of
Frogger I run has the older dll, to exploit the flaw you would have to
get a user to view a malformed jpeg via the Frogger app which would call
the older dll and voila! Right?

Assuming that is correct; AutoCAD, while a big app on many systems,
probably does not have the kind of market saturation a worm writer is
looking for. This exploit could be used for directed attacks against
Dreamweaver users or CAD factories, but admins should concentrate on the
IE6 and Office patches as via HTTP or MUA is the most likely dispersion
of a jpeg exploit (IM as well, but I think trillian uses the system's
dll like a good program should).

Does anyone know why .net has its own dll for viewing jpeg's? Am I
misunderstanding the exploit/flaw/ or usage of this dll?

jp

-----Original Message-----
From: Gary Warner [mailto:gar@xxxxxxxxxx] 
Sent: Thursday, September 16, 2004 8:07 AM
To: Polazzo Justin; bugtraq@xxxxxxxxxxxxxxxxx;
birmingham-infragard@xxxxxxxxxxxxxxxxxxxxxxxx
Subject: Re: Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow

On the Microsoft security briefing webcast yesterday they said that
GDIPLUS.DLL is distributed with many applications.  Depending on how
those applications were built, simply replacing the DLL may break the
app.  They recommend applying Microsoft patches, and contacting the
vendors of any apps associated with GDIPLUS. 

The GDI+ detection tool ONLY DETECTS CURRENTLY SUPPORTED MICROSOFT
PRODUCTS.

They confirmed on the call that older versions ARE VULNERABLE but that
only CURRENT versions will be patched.  Recommendation, of course,
update to current on every version.

There was special guidance for application developers dealing with
whether the app was built in Visual Studio as a "Managed Application" or
not.  Rather than guess about that, I strongly recommend replaying the
webcast.  There's a PDF of the slides available, and the Q&A had many
revealing deteails.

 From www.microsoft.com/technet/security/
go to the Register for September Webcast link even though the meeting is
over, Register it will take you to a "View Recording" page which will
let you stream the Live Meeting Replay in Windows Media Format.
_-_
gar