<<< Date Index >>>     <<< Thread Index >>>

Re: Microsoft's GDI Detetection Tool faults



In-Reply-To: <20040924141725.13699.qmail@xxxxxxxxxxxxxxxxxxxxx>

>Received: (qmail 18580 invoked from network); 25 Sep 2004 02:57:58 -0000
>Received: from outgoing.securityfocus.com (HELO outgoing2.securityfocus.com) 
>(205.206.231.26)
>  by mail.securityfocus.com with SMTP; 25 Sep 2004 02:57:58 -0000
>Received: from lists2.securityfocus.com (lists2.securityfocus.com 
>[205.206.231.20])
>       by outgoing2.securityfocus.com (Postfix) with QMQP
>       id 43EBF1464F4; Fri, 24 Sep 2004 10:24:36 -0600 (MDT)
>Mailing-List: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
>Precedence: bulk
>List-Id: <bugtraq.list-id.securityfocus.com>
>List-Post: <mailto:bugtraq@xxxxxxxxxxxxxxxxx>
>List-Help: <mailto:bugtraq-help@xxxxxxxxxxxxxxxxx>
>List-Unsubscribe: <mailto:bugtraq-unsubscribe@xxxxxxxxxxxxxxxxx>
>List-Subscribe: <mailto:bugtraq-subscribe@xxxxxxxxxxxxxxxxx>
>Delivered-To: mailing list bugtraq@xxxxxxxxxxxxxxxxx
>Delivered-To: moderator for bugtraq@xxxxxxxxxxxxxxxxx
>Received: (qmail 13030 invoked from network); 24 Sep 2004 08:08:27 -0000
>Date: 24 Sep 2004 14:17:25 -0000
>Message-ID: <20040924141725.13699.qmail@xxxxxxxxxxxxxxxxxxxxx>
>Content-Type: text/plain
>Content-Disposition: inline
>Content-Transfer-Encoding: binary
>MIME-Version: 1.0
>X-Mailer: MIME-tools 5.411 (Entity 5.404)
>From: <albatross@xxxxxx>
>To: bugtraq@xxxxxxxxxxxxxxxxx
>Subject: Microsoft's GDI Detetection Tool faults
>
>
>
>Today I downloaded the a gdi+ vulnerability (MS04-028) detection tool 
>published by The SANS. In contraddiction as the report provided by MS 
>gdidettool.exe it found two version of vulnerable dlls.
>
>Be warned don't trust only MS's detection tool! Do all steps to patch your 
>machines.
>
>albatross
>
>P.S. I think this will be another nightmare for many people.... any news about 
>SUS 2.0/WUS?
>

MicroSoft's detection tool is is almost worthless. I used that after finding 
out about the new GDI+ security hole and it reported very vague dumb 
information. Like "You may have a problem" then I installed the lame patch they 
oringally provided on the first day they reported the issue and I ran the 
detection tool again and it said the same thing! I haven't tried the SANS 
detection tool yet but I bet it is much much better then what I used with the 
MS detection tool. I can't believe how long it took MS to patch this issue 
(about a year!!!) and they still were not ready when they went public with how 
to fix the issue.

I predict there is going to be a major worm just around the corner exploiting 
the new GDI+ JPEG vulnerability... Now that a bunch of example exploits with 
"insert your shellcode here" have been posted it's only a matter of time before 
someone has the guts/ego to try to pull off a major worm taking advantage of 
this issue... 

To all the people out there who found out about this security problem as soon 
as MS posted about it (which I'm sure is a lot of people since the media 
covered the issue all over). Then I hope you guy's check Windows Update again 
for any patchs regarding the GDI+ JPEG issue because I learned about it right 
about when MS released the original patch and visited there site to download 
the patch which didn't really fix the problem.. Then about two weeks later I 
went back to Windows Update to see if there was anything new and they did 
actually post a good patch to really fix the problem.. 

So I'm betting there are people like me who thought they were patched after 
installing the patch provided on MS's website but didn't know there was 
anything new patchs regarding the GDI+ JPEG vulnerablity issue on Windows 
Update. Everyone better start getting the good patch soon before the new Sasser 
worm begins to spread! It's only a matter of time...

--HighT1mes