Slashdot Mirror


GDI Vulnerabilities: An Open Letter to Microsoft

UnderAttack writes "Tom Liston, the guy that brought us the LaBrea Tarpit, wrote an open letter to Microsoft regarding the GDI JPEG vulnerability, and Microsoft's scanning tool for this vulnerability, which he calls 'worse then useless'. Tom, who wrote his own scanning tool, ends his letter with 'Please stop treating your customers like idiots and give us information; information that we can use.' Like Tom explains, the official Microsoft scanning tool misses a lot of vulnerable DLL's installed by third parties, and Microsoft fails to explain if these libraries are a problem or not."

4 of 444 comments (clear)

  1. MS needs to warn developers by isn't+my+name · · Score: 4, Interesting

    Yes, Microsoft should be responsible, when those people who wrote the code using Microsoft dlls are distributing a vulnerable version of the dll. Microsoft approved the distribution of the dll, so they should know who did.

    No, MS should not be responsible for fixing code that third parties distributed using their code libraries. Just as no F/OSS code library project should be resonsible for trackind down anyone who might have used their code library.

    However, MS should do a better job of making it clear to third party developers that the DLL may be included in their project (often without the knowledge of the project. Visual Studio does a great job of hiding the relevant DLLs that get loaded into a project.) None of the MS advisories on this that I have seen have included any recommendation to developers or consumers that they need to take additional steps after patching their system.

    MS should, though, have produced the tool that Tom Liston did. His scanner is 7k. Surely MS could have come up with something like that--and if you run Tom's GDI scanner, you'll note some places where it identifies possible problems. MS would be in a much better position to be know if that is the case and thus able to provide better information.

    So, I disagree with what you are faulting MS for, but not the fact that MS should be faulted.

  2. Re:Hate to quote a quote but... by danheskett · · Score: 5, Interesting

    bordering on the criminally neglient concerning network security.
    Please back up your assertion that this is "bordering" on criminally neglient.

    Do you claim there are some laws regarding network security that are applicable, or this just a verbal flourish gone one step to far.

  3. What I want to know is... by vrt3 · · Score: 4, Interesting

    MS has written lots and lots of proza about this vulnerability, but I still don't know how to download the new updated gidplus.dll to redistribute. I've applied the update from windowsupdate.com to my computer, but I guess it would be a good idea to distribute an updated version to our customers. I just can't seem to find it anywhere.

    --
    This sig under construction. Please check back later.
  4. Dumb Question by ewhac · · Score: 4, Interesting

    I have a dumb question. I admit it's a dumb question, because I've spent the last twenty years of my career working with non-Microsoft operating systems and products. The answer may be obvious to someone with that kind of experience, but not to me. So here goes:

    Why the hell are there multiple copies of the same, critical, shared system library floating around on the machine?

    See, where I come from, you have one copy of shared system libraries -- the latest one, with all the latest patches. This library is fully backward-compatible with all its predecessors. Further, the shared system libraries are all in the same place, so you know where to go looking to drop in updates or, if needs be, regressions. (On very, very rare occasions, there'll be a copy of a specific version living alongside the (by definition, broken) application that needs it.) This approach leads to clean system maintenance and ensures that all applications are using the same, up-to-date, best performance, most secure version of the system libraries.

    So why is Windows different? Why are there a zillion copies of GDI+ laying around? And why would you want it that way?

    Schwab