GDI Vulnerabilities: An Open Letter to Microsoft

← Back to Stories (view on slashdot.org)

GDI Vulnerabilities: An Open Letter to Microsoft

Posted by michael on Monday September 27, 2004 @06:34AM from the your-call-is-important-to-them dept.

UnderAttack writes "Tom Liston, the guy that brought us the LaBrea Tarpit, wrote an open letter to Microsoft regarding the GDI JPEG vulnerability, and Microsoft's scanning tool for this vulnerability, which he calls 'worse then useless'. Tom, who wrote his own scanning tool, ends his letter with 'Please stop treating your customers like idiots and give us information; information that we can use.' Like Tom explains, the official Microsoft scanning tool misses a lot of vulnerable DLL's installed by third parties, and Microsoft fails to explain if these libraries are a problem or not."

4 of 444 comments (clear)

Min score:

Reason:

Sort:

Likely no master list by isn't+my+name · 2004-09-27 06:44 · Score: 5, Informative

The argument is that these companies need permission from MS, who should then have a master list of who asked for permission and why.

But, I'll bet that MS gives developers permission to distribute these with Visual Studio, which would mean there is no way that MS has a master list--moreover, much of the software may be for internal applications and the developer is long gone.

So, any VB program that does image manipulation may be poetentially vulnerable.
1. Re:Likely no master list by julesh · 2004-09-27 06:57 · Score: 5, Informative
  
  But, I'll bet that MS gives developers permission to distribute these with Visual Studio,
  
  Its worse than that, the DLL in question is distributed (with permission to redistribute) in the free Platform SDK download.
  
  So, any VB program that does image manipulation may be poetentially vulnerable.
  
  I've used the DLL in question from C++ and Java/JNI programs before now. _Anything_ might be vulnerable. Check for "GDIPLUS.DLL" in your applications' install directories. Or use the tool linked from the article.
Re:Hate to quote a quote but... by pbranes · 2004-09-27 06:47 · Score: 5, Informative

I totally agree with the 'worse than useless' statement. In my office, I had to disable it on the corporate SUS server because all it did was pop up and worry users. It gives no meaningful information. It does not patch all the dll's that it may or may not find. It merely scares users into thinking they had a virus. This is the only thing in my SUS list that is not approved and it will stay that way forever as far as I am concerned.
Re:Dumb Question by greendot · 2004-09-27 08:10 · Score: 5, Informative

Back in the day, it was recommended to put all system DLLs into the main system folder and all your custom DLLs into the app folder. But, Windows' awkward design and poor installation utilities led to many system DLLs being overwritten with old or broken versions. You would find yourself with a broken app and really no way to tell what caused it.

So, to stop the headache, we started putting system DLLs locally, thanks to the path priority built into Windows - it always checks local folders first. And it worked, most of the time. If you asked for a DLL by name and another app was using an incompatible version, you would get still the stinky one. But, if you were first to the call then you knew you would get yours.

But, the trend had taken root and like any good weed it is hard to get rid of.

I don't even think this tool is checking for the other sneaky developer trick of renaming the DLLs, either to hide the fact that it's not licensed or other legal yet obscure reasons.