Slashdot Mirror


GDI Vulnerabilities: An Open Letter to Microsoft

UnderAttack writes "Tom Liston, the guy that brought us the LaBrea Tarpit, wrote an open letter to Microsoft regarding the GDI JPEG vulnerability, and Microsoft's scanning tool for this vulnerability, which he calls 'worse then useless'. Tom, who wrote his own scanning tool, ends his letter with 'Please stop treating your customers like idiots and give us information; information that we can use.' As Tom explains, the official Microsoft scanning tool misses a lot of vulnerable DLLs installed by third parties, and Microsoft fails to explain if these libraries are a problem or not."

30 of 444 comments

  1. In case it gets Slashdotted.... by Anonymous Coward · · Score: 3, Informative

    http://isc.sans.org//diary.php?date=2004-09-26

    Handlers Diary September 26th 2004
    Updated September 27th 2004 13:11 UTC (Handler: Tom Liston)
    GDI Vulnerabilities : An open letter to Microsoft

    Dear Redmond Folks:

    When I was but a wee lad, we lived in a rather large, old house that had, among other charming qualities, a basement that would make even the bravest soul think twice before venturing downstairs. It was cavernous, ill lit, and, quite frankly, always smelled a little funny. My older brother, as older brothers are wont to do, would tell me fantastic stories about why the basement had that odor; generally centering on some unfortunate past resident's demise. I hated that basement.

    My parents, in a vain attempt to rid the basement of its malodorous "twang" purchased a dehumidifier which, because there was no electrical outlet anywhere near the floor drain, required emptying on a daily basis.

    And, no matter how many times I begged, bribed and pleaded with my older brother, he would somehow know when I was making my daily trek to the basement and, as I was down there trying to pull the heavy bucket out of the dehumidifier, the lights would suddenly snap off, the basement door would slam shut, and I would hear my older brother's voice wafting down from above: "It's cooooooooming..... It's cooooooooming to get you......."

    And there I stood: alone in the dark, unknown terrors approaching, armed only with a bucket of water.

    Which is, curiously enough, almost exactly the position that Windows users find themselves in today: alone in the dark, unknown terrors approaching, but in their case, having a bucket of water would be an improvement.

    MS04-028 is, perhaps, the epitome of bad technical writing -- the literary equivalent of spaghetti code. I've read through it far too many times, and I still understand far too little.

    Your "GDI Scanning Tool" is worse than useless. Run it, and it tells you that you "may be vulnerable", and directs you to Windows Update and Office Update. Go to Windows Update and update everything you can find. Go to Office Update and do the same. Run the scanner again, and it tells you that you "may be vulnerable", and directs you to Windows Update and Office Update. Lather, rinse, repeat.

    [Which is why the ISC has made GDIScan.exe and GDICLScan.exe available. See http://isc.sans.org/gdiscan.php for details.]

    What about those old gdiplus.dll files that we're all finding in our Side-By-Side DLL directories? Are they a problem? Why are you updating sxs.dll? Is there vulnerable code in there, or did you just rig it to avoid using the bad code in older versions of gdiplus.dll? (Hey, if you had asked me years ago, I would have told you that this was a serious problem with your Side-By-Side implementation.)

    When a third party vendor wants to distribute a Microsoft DLL with their product, don't they have to get permission from you? Wouldn't there be a list somewhere in Redmond of the third party applications that have distributed vulnerable copies of gdiplus.dll? Can you tell us what they are?

    Please stop treating your customers like idiots and give us information; information that we can use.

    In other words: Turn on the lights and open the door. We're ready to come back upstairs now.

    -TL

    Handler on Duty : Tom Liston ( http://www.labreatechnologies.com )

  2. Disabled this tool in SUS by pbranes · · Score: 4, Informative

    In my SUS server at my corporation, I disabled this stupid tool because all it does is pop up with some confusing error message that the end user does not understand. Then they would all just call me asking about a weird popup they got on their screen. I am deploying the Windows patch via SUS and the Office pack via scripts, so there is nothing for the end user to do anyways.

  3. Re:er, by chill · · Score: 4, Informative

    They are actually 3rd party products that distribute Microsoft DLLs as part of the runtime code. The argument is that these companies need permission from MS, who should then have a master list of who asked for permission and why.

    --
    Learning HOW to think is more important than learning WHAT to think.
  4. Re:Yeah, right. by PitaBred · · Score: 4, Informative

    No, MS IS checking third party software, but not updating it, and still warning you about it. And warning you without telling you exactly what is wrong, the worst kind of error message, one that Windows is quite fond of.

  5. Re:Hate to quote a quote but... by LMCBoy · · Score: 2, Informative

    Kidding aside, the linked article spells 'than' correctly, so it's a misquote.

    --
    Liberal (adj.): Free from bigotry; open to progress; tolerant of others.
  6. Likely no master list by isn't+my+name · · Score: 5, Informative

    The argument is that these companies need permission from MS, who should then have a master list of who asked for permission and why.

    But, I'll bet that MS gives developers permission to distribute these with Visual Studio, which would mean there is no way that MS has a master list--moreover, much of the software may be for internal applications and the developer is long gone.

    So, any VB program that does image manipulation may be potentially vulnerable.

    1. Re:Likely no master list by julesh · · Score: 5, Informative

      But, I'll bet that MS gives developers permission to distribute these with Visual Studio,

      It's worse than that: the DLL in question is distributed (with permission to redistribute) in the free Platform SDK download.

      So, any VB program that does image manipulation may be potentially vulnerable.

      I've used the DLL in question from C++ and Java/JNI programs before now. _Anything_ might be vulnerable. Check for "GDIPLUS.DLL" in your applications' install directories. Or use the tool linked from the article.

  7. Re:Yes, Microsoft can fix everybody's code! by Anonymous Coward · · Score: 1, Informative

    Okay, everyone. One...More...Time...

    RTFA!

  8. Re:Hate to quote a quote but... by pbranes · · Score: 5, Informative

    I totally agree with the 'worse than useless' statement. In my office, I had to disable it on the corporate SUS server because all it did was pop up and worry users. It gives no meaningful information. It does not patch all the DLLs that it may or may not find. It merely scares users into thinking they had a virus. This is the only thing in my SUS list that is not approved and it will stay that way forever as far as I am concerned.

  9. Re:It's actually a tough job even on Linux by null_session · · Score: 2, Informative

    ...but I'm not a big fan of Red Hat (or, as I prefer, Head Rat) either (or any binary linux/gnu toolchain/popular application distro for that matter).

    Well, say that it's hard on one of those commercial distros then. For MY chosen Linux setup, it's generally condensed down to:
    $ apt-get update
    $ apt-get upgrade

  10. Re:Like We're Not Idiots? by GlassUser · · Score: 1, Informative

    still did not understand that a "hacker" can not steal his information from a WAP if it was never there in the first place.

    That's probably because WAP is a way of using web pages on cell phones. Perhaps you meant AP? Don't be so fast to call people idiots . . .

  11. Also vulnerable from Microsoft... by Anonymous Coward · · Score: 3, Informative

    The Microsoft tool also misses several of Microsoft's own products, including the Office Viewers like Word viewer, Excel, PowerPoint, and Visio, all of which are vulnerable to the JPEG vulnerability.

  12. Full text of TFA: by Anonymous Coward · · Score: 1, Informative
    Here is the full text of the fucking article, since it's coming in slow already:

  13. Re:er, by Spoing · · Score: 4, Informative
    1. Sooooo, how exactly is MS responsible for all 3rd party DLLs?

    While Microsoft isn't responsible for 3rd party DLLs, this is a different situation. They are partially responsible, and if they were interested in making the client systems secure they would handle things differently for what is really a simple file update.

    Reasons: They designed a system that requires 3rd parties to distribute DLLs that Microsoft created. If the DLLs were set in a well organized location, the updates of the system DLLs would automatically 'fix' the other programs. Versioning -- something that Windows DLLs support and programs can take advantage of -- would handle compatibility issues that are not directly incompatible with this fix.

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  14. Nero? by gad_zuki! · · Score: 3, Informative

    Anyone else getting this from the current version of Nero:

    C:\Program Files\Ahead\Nero Toolkit\gdiplus.dll
    Version: 5.1.3097.0 -- Vulnerable version

  15. Re:It's actually a tough job even on Linux by Red+Alastor · · Score: 1, Informative
    How hard is it to just write :
    yum update
    as root in a console ?
    --
    Slashdot anagrams to "Sad Sloth"
  16. Re:The GDIscan tool worked fine for me. by kerrle · · Score: 2, Informative

    No, but you could still be vulnerable - as the letter points out, many third party programs distribute DLLs that are potential vectors, and the Windows/Office update sites will not find those.

  17. Re:Hate to quote a quote but... by KilobyteKnight · · Score: 4, Informative

    which he calls 'worse then useless'

    So it gets worse, _then_ it is useless? :)

    So far, everyone else responding seemed to have missed your point. The article correctly uses "worse than useless". It is the submitter and/or our ever so thorough Slashdot editors to blame for the "worse then useless" grammar mistake.

    And for all of you that missed the grammar mistake and are debating the meaning of "worse than useless", yes, things can be worse than useless. Things can be harmful. They can cause additional harm or frustration, as opposed to a useless item which just does not do anything useful.
    --
    When will Windows be ready for the desktop?
  18. Re:Like We're Not Idiots? by GlassUser · · Score: 2, Informative

    Misapplication of acronym. Don't be so reluctant to accept correction.

  19. Re:Dumb Question by greendot · · Score: 5, Informative

    Back in the day, it was recommended to put all system DLLs into the main system folder and all your custom DLLs into the app folder. But, Windows' awkward design and poor installation utilities led to many system DLLs being overwritten with old or broken versions. You would find yourself with a broken app and really no way to tell what caused it.

    So, to stop the headache, we started putting system DLLs locally, thanks to the path priority built into Windows - it always checks local folders first. And it worked, most of the time. If you asked for a DLL by name and another app was using an incompatible version, you would still get the stinky one. But, if you were first to the call then you knew you would get yours.

    But, the trend had taken root and like any good weed it is hard to get rid of.

    I don't even think this tool is checking for the other sneaky developer trick of renaming the DLLs, either to hide the fact that it's not licensed or other legal yet obscure reasons.

  20. Yes, BUT ... by Anonymous Coward · · Score: 1, Informative
    It's actually a tough job even on Linux

    It's a tough job if you want the absolute highest currently available level of security.

    The Linux problems that get found (and usually fixed within a very short time indeed) are mostly theoretical vulnerabilities that nobody would even bother to report on Windows. For example, last month there was a vulnerability (now fixed) that could, theoretically, enable an ordinary user to get root access.

    Nobody would ever report a flaw like this in Windows, because everybody knows it is trivial to do on Windows. (E.g. the shatter attacks.)

    For reasons like this, any reasonably recent Linux distro is more secure than the latest patched version of Windows.

  21. Re:Hate to quote a quote but... by Elwood+P+Dowd · · Score: 4, Informative
    From Microsoft Security Bulletin MS04-028:
    I use Software Update Services (SUS) to deploy security updates in my enterprise. Should I deploy the GDI+ Detection Tool to all of my systems?

    The GDI+ Detection Tool was available via SUS but has been removed. This tool is not designed for use or supported in enterprise environments.
    Hopefully they won't ever do that again. I'd consider this an admission that their tool was worse than useless. Even before they removed the detection tool from SUS, they said that they did not recommend it for corporate networks, so it seems that they already knew it was useless.
    --
    There are no trails. There are no trees out here.
  22. TiVo Software uses gdiplus.dll by antdude · · Score: 2, Informative

    According to NTBugtraq's article, TiVo has a software package that allows a user to set up an Image and Audio server on their PC. When connected to the same LAN as the TiVo it allows the image and audio files to be viewed on a TV via the TiVo DVR. The software uses a gdiplus.dll file that has a JPEG parsing engine.

    --
    Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  23. Re:Rules for this story by Q2Serpent · · Score: 2, Informative

    Hold on a second.

    1.) Microsoft is somehow responsible for all third-party DLLs on a system. Their scanner must contain a self-sufficient, learning AI that just "knows" which DLLs to scan on any system in existence.

    Scan them all. Does a good virus scanner only scan the files it installed?

    2.) Mozilla was affected by this same vulnerability, but it's okay because it's Mozilla and not Microsoft.

    Mozilla's vulnerability was, afaik, only for local files. Even so, Mozilla didn't put out a scanner that scanned a few select shared libraries, and then declared that you did or did not need updates for your system.

  24. Re:Hate to quote a quote but... by zsau · · Score: 2, Informative

    'Then' and 'than' used to be the same word (admittedly with an a rather than an e). They were temporarily given a distinct life, but apparently speakers of the language don't think it's worth the effort to maintain a distinction. Fortunately, there's no Academie Anglais, so if you don't like it, keep them distinct in your own speech and writing.

    --
    Look out!
  25. Re:er, by ClosedSource · · Score: 2, Informative

    "They designed a system that requires 3rd parties to distribute DLLs that Microsoft created."

    I've created many Windows applications and I've never distributed any MS DLLs.

  26. Re:er, by ClubStew · · Score: 2, Informative

    ...and do you do everything you're told? People are using unlicensed files all the time *cough* mp3s *cough*.

    Besides, 3rd party vendors are using a lot more than just gdiplus.dll. They may use mfcxx.dll, msvbvm60.dll (VB6 runtime), and a myriad of other modules. Few programs like cygwin don't touch modules installed by the OS.

    It's ridiculous to think Microsoft is somehow responsible for every third-party application, whether it's using licensed components or not. But then again, the minions of /. are also often ridiculous in their expectations, like that the world is better with free software since money grows on trees and all.

    Get real. The companies should know about vulnerabilities - and don't give me that crap that *nix and their apps don't have them - because they write software for that OS or use a particular library, and are responsible for updating their libraries.

    If the companies used the modules how they were intended (using shared components installed into the proper place in the system), then they wouldn't have to worry about it. But when companies start introducing local modules, then they're responsible for updating them. It would be no different in the *nix world if developers didn't follow guidelines (and sometimes don't either).

    The true blame here lies with the 3rd party vendors. They need to be responsible for not only their code but the code they use if they're not following guidelines about where the file should go, etc.

    On XP, for example, gdiplus.dll is not to be redistributed and is to be installed into the Win32 side-by-side cache (WinSxS). If companies are distributing this it's their problem to work out.

  27. Re:So how do I repair? by hobo2k · · Score: 2, Informative
    There is no v6 that I know of.

    The strange thing is that the latest gdiplus redistributable is version "5.1.3102.1360 (xpsp2.040109-1800)". But the final release of SP2 contains a NEWER version: "5.1.3102.2180 (xpsp_sp2_rtm.040803-2158)".
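The inventory check that comment 6.1 recommends ("check for GDIPLUS.DLL in your applications' install directories"), written out as an added example that is not part of the thread or of the ISC tools: it walks a tree for every gdiplus.dll copy regardless of case, reads the PE version resource on Windows, and compares the four-part version against 5.1.3102.1360, the latest redistributable quoted in comment 27, which the script assumes is the patched baseline (older copies, such as the 5.1.3097.0 from the Nero path in comment 14, are reported as vulnerable). The sample inventory is constructed; the WinSxS path in it is made up.

```python
import os
import re
import sys

# Assumed patched baseline: the thread names 5.1.3102.1360 as the latest gdiplus
# redistributable and flags 5.1.3097.0 as vulnerable, so anything older is reported.
PATCHED_BASELINE = (5, 1, 3102, 1360)

def parse_version(text):
    """'5.1.3102.2180 (xpsp_sp2_rtm.040803-2158)' -> (5, 1, 3102, 2180)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("not a 4-part version: %r" % text)
    return tuple(int(p) for p in m.groups())

def classify(version, baseline=PATCHED_BASELINE):
    """Tuple order gives 5.1.3097.0 < 5.1.3102.1360 < 5.1.3102.2180."""
    if version is None:
        return "UNKNOWN (no version resource)"
    return "VULNERABLE" if tuple(version) < baseline else "ok"

def read_file_version(path):
    """dwFileVersionMS/LS from the PE version resource; None off Windows."""
    if sys.platform != "win32":
        return None
    import ctypes
    ver = ctypes.windll.version
    size = ver.GetFileVersionInfoSizeW(path, None)
    if not size:
        return None
    buf = ctypes.create_string_buffer(size)
    if not ver.GetFileVersionInfoW(path, 0, size, buf):
        return None
    ptr, length = ctypes.c_void_p(), ctypes.c_uint()
    if not ver.VerQueryValueW(buf, "\\", ctypes.byref(ptr), ctypes.byref(length)):
        return None
    # VS_FIXEDFILEINFO: DWORD[2] is dwFileVersionMS, DWORD[3] is dwFileVersionLS
    ffi = ctypes.cast(ptr, ctypes.POINTER(ctypes.c_uint32 * 4)).contents
    return (ffi[2] >> 16, ffi[2] & 0xFFFF, ffi[3] >> 16, ffi[3] & 0xFFFF)

def find_copies(root, name="gdiplus.dll"):
    """Every gdiplus.dll (case-insensitive) under root, including the
    per-application copies that Windows Update and Office Update never touch."""
    return [os.path.join(d, f) for d, _, fs in os.walk(root)
            for f in fs if f.lower() == name]

def audit(paths, version_of=read_file_version):
    """[(path, version, status)] with VULNERABLE rows sorted first."""
    rows = []
    for p in paths:
        v = version_of(p)
        rows.append((p, v, classify(v)))
    return sorted(rows, key=lambda r: r[2] != "VULNERABLE")
# Constructed inventory standing in for a disk walk: the Nero path and both
# version strings are quoted from the thread; the WinSxS path is made up.
SAMPLE_TREE = {
    r"C:\Program Files\Ahead\Nero Toolkit\gdiplus.dll": "5.1.3097.0",
    r"C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus\GdiPlus.dll":
        "5.1.3102.2180 (xpsp_sp2_rtm.040803-2158)",
}

def demo():
    return audit(SAMPLE_TREE, version_of=lambda p: parse_version(SAMPLE_TREE[p]))
if __name__ == "__main__":
    rows = audit(find_copies(sys.argv[1])) if len(sys.argv) > 1 else demo()
    for path, ver, status in rows:
        print("%-10s %-14s %s" % (status, ".".join(map(str, ver)) if ver else "?", path))
```

Run with a drive root as the argument on Windows to audit a real disk; without an argument it reports on the constructed inventory.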

  28. Re:This is NOT just a Microsoft bug! by michaelhood · · Score: 2, Informative

    (from link)

    +++ mozilla/modules/libimg/jpgcom/jpeg.cpp Wed May 24 17:24:03 2000

    They managed to patch this four years before Microsoft? And Microsoft knew they were using the same IJG codebase?