Grinler
Sep 27 2004, 11:35 PM
GDI Scan Tutorial and how to fix the GDI+ JPEG Vulnerability
What is the GDI+ JPEG Vulnerability

GDI+ is a programming interface or API that enables programs to use graphics and formatted text on a video display or printer. A vulnerability, the GDI+ JPEG Vulnerability, was found in the DLL gdiplus.dll used by GDI+ that has faulty code when processing JPEG images. People who know how this code can be exploited can craft a specially designed JPEG that can exploit this bug and possibly take control of your machine. If you view an image using an application that has this vulnerability, then it is possible for the remote program to issue commands on your computer at the same security level as your user account. Therefore, if your user account is an administrator of your machine, then the remote code will have administrative privileges and be able to have full access to the security of your computer.

Microsoft has released an update for this vulnerability which you can get by going to Windows Update for the operating system update and Office Update for the Microsoft Office update. Be sure to do those updates immediately as this tutorial assumes you already have them and is focused on resolving issues for 3rd party applications that may be affected by the GDI+ JPEG vulnerability.

What is GDI Scan

A major problem with this vulnerability is that there are 3rd party, non-Microsoft, applications that ship with this exploitable DLL. Since Microsoft's update only updates the DLL that came with the Operating System software, you still may be vulnerable from other applications that it does not upgrade. Microsoft released a GDI+ Detection Tool which will scan your computer and tell you if it found any MICROSOFT programs that may be vulnerable. Unfortunately it does not tell you WHAT programs are vulnerable and just directs you back to Windows Update and Office Update. Even worse, it does not let you know if any 3rd party software may be affected, leaving you still in the dark.

Because of this, Tom Liston, the person who developed the LaBrea Tarpit honeypot software, has created a tool called GDI Scan that will scan a drive on your computer for files that are possibly vulnerable to the GDI+ JPEG exploit. When it has completed scanning the partition it will create a log that will show all possibly vulnerable DLLs found. You can then use this information to determine what programs are affected and then attempt to upgrade these programs so they are no longer vulnerable.

When you run this tool it will scan the partition you specify for any of the following files:

- gdiplus.dll (known to be exploitable)
- sxs.dll
- wsxs.dll
- mso.dll

If it finds these files it will attempt to determine if they are vulnerable to the GDI JPEG exploit. If they are, they will be listed in red in the resulting log file.

It is important to note that the previously listed DLLs can be found in more than one location on your hard drive. If they are located in multiple locations on your computer, the program will check the following locations for the DLL, in this order, and if found uses the DLL it finds first:

- Loads the DLL from the same directory the application is installed in.
- Loads the DLL from the current working directory you ran the program from.
- Windows 95/98/ME will load it from the c:\windows\system directory.
- Windows NT/2000/XP/2003 will load it from c:\windows\system32.
- Windows NT/2000/XP/2003 will load it from c:\windows\system.
- The Windows directory (\windows).
- Any directories that are listed in the PATH environment variable.

It is therefore possible for the operating system to be properly patched, but for a copy of the exploitable DLL to still be found elsewhere in your computer, which still allows for the vulnerability.

How to use GDI Scan

Step 1: Download the GUI version of gdiscan.exe

You can download GDI Scan from the following link:
http://isc.sans.org/gdiscan.php

Download the GUI version to a location you will remember later.

Step 2: Run gdiscan.exe

Once it is downloaded, double-click on gdiscan.exe and a screen similar to the one below will appear:

Figure 1: Start GDIScan

First select the drive, designated by the green box in Figure 1, you would like to scan. Once the drive you want to scan is selected, press the Scan button designated by the red box in Figure 1. The program will now scan the drive letter you specified for any copies of the gdiplus.dll, and associated DLLs, and display them for you as shown in Figure 2 below.

Figure 2: GDIScan.exe Results

You can then click on the Clipboard button, designated by the red box, to copy the contents of the results to your clipboard. Then paste the results into a notepad or other document that you can refer back to later.

For Windows 95/98/ME Users

It is important to note that this application was designed specifically for XP, 2000, or NT. This does not mean, though, that you cannot use it in Windows 95, 98, or ME. In order to view the results properly we will need to create an RTF (Rich Text Format) document. Run the program as described above and when it is finished scanning your partition follow these steps:

- Click on the Clipboard button to copy the contents of the log into memory.
- Click on Start, then Run, and type notepad and press the OK button.
- When the notepad is open, click on the Edit menu, and then select Paste. The contents of the log should now be in the notepad.
- Click on File and then Save As.
- When the Save As dialog box opens change the following:
  - Change the Save In drop down selection box to the Desktop
  - Change the Save As Type drop down box to All Files.
  - Enter log.rtf into the File Name field
  - Press the Save button
- Minimize your desktop and you should now see an icon on your desktop called log.rtf. Double-click on this icon and it will either open in Word, if you have it, or Wordpad if you don't. You should now see the proper formatting in the log.

How do I interpret the results

Now that we have this log, I bet you are wondering what you are supposed to do with it. Well, as of right now, the only DLL that we know for sure is exploitable is the gdiplus.dll. So we focus on those listings that contain that DLL and are the proper version or lower.

If it states that it finds DLLs in directories like Windows\$NtUninstallKB you can safely ignore them. These directories are created in case you want to uninstall various Microsoft updates. Therefore it would not be strange to see the older DLLs there.

NOTE: Previously I had stated that files found in the \Windows\WinSxS directory could be safely ignored. It has been brought to my attention that this information was actually incorrect. The \Windows\WinSxS directory is where Windows stores its side-by-side DLLs. Side-by-side DLLs are used to allow multiple versions of the same DLL to exist in Windows at the same time. The Operating System maintains a list of which applications use which side-by-side DLL. This allows different versions of the same DLL to coexist on the same computer and have multiple applications share them. Therefore if you see outdated DLLs found here you may want to see if they can be updated via OfficeUpdate, Windows Update, or replacing it with the redistributable. As always, make a backup copy first of the DLL found in the \WinSxS directory. - Thanks to Donald Smith for the clarification.

Let's take an example from the log above and see how we can interpret the results:

Figure 3: Exploitable DLLs that were found

As you can see from the above figure, gdiscan found two exploitable copies of gdiplus.dll on my machine. One is in the FolderSizes directory and the other is in the WS_FTP Pro directory. I now know that I need to visit the web sites of these applications and see if there are any updates available. If there are, we download them, install them, and hope they fix the problem, which we can check by running gdiscan.exe again after the installation is complete. If the problem still exists, then you should contact the software manufacturer and explain the situation.

Another workaround may be to download the latest gdiplus.dll from Microsoft. This fix may cause problems with your software if the developers of that software added extra functionality into their copy of the gdiplus.dll. Therefore, please make a backup of the existing gdiplus.dll before you use this method.

You can download this file from the following link:
Platform SDK Redistributable: GDI+

When you download this file, run it and extract the files to c:\gdiplus. Then navigate to c:\gdiplus, and you will find it contains the DLL, gdiplus.dll. Simply copy this DLL over the known exploitable one from the log to replace it. Now that you have replaced that program's gdiplus.dll it should not be exploitable.

Conclusion

Now that you know how to check your system for the GDI+ JPEG exploit it is advisable that you do so immediately. At the time of this writing more reports are coming out about tools and sample code to take advantage of this vulnerability. The sooner you run this tool and fix any of the exploitable copies of this DLL on your system, the safer you will be.

--
Lawrence Abrams
Bleeping Computer Advanced Internet Security Concepts
BleepingComputer.com: Computer Support & Tutorials for the beginning computer user.
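As an added illustration of the load order the tutorial above lists (this is not code from the post or from GDI Scan), the following Python walks that order against a constructed set of files and shows why a patched system32 copy does not protect a program that ships its own gdiplus.dll, and why a stray copy on PATH is reached last. The directories, the `C:\Tools` PATH entry, the current-directory value and the "patched" label are assumptions made for the example; 5.1.3097.0 is one of the versions GDI Scan flagged in this thread.

```python
"""Which copy of a DLL actually loads, following the search order the tutorial
above lists. Added illustration, not code from the post or from GDI Scan; the
directories, files and version labels below are constructed sample data."""
import ntpath


def search_order(dll_name, app_dir, cwd, system_root, path_dirs, nt_family=True):
    """Candidate paths in the order the tutorial gives: the application's own
    directory, the current directory, system32 (NT/2000/XP/2003 only), system,
    the Windows directory, then every directory on PATH."""
    dirs = [app_dir, cwd]
    if nt_family:
        dirs.append(ntpath.join(system_root, "system32"))
    dirs.append(ntpath.join(system_root, "system"))
    dirs.append(system_root)
    dirs.extend(path_dirs)
    return [ntpath.join(d, dll_name) for d in dirs]


def resolve_dll(dll_name, app_dir, cwd, system_root, path_dirs, files, nt_family=True):
    """Return the first candidate that exists in `files` (a path -> version map
    standing in for the disk); Windows paths compare case-insensitively."""
    by_lower = {p.lower(): p for p in files}
    for cand in search_order(dll_name, app_dir, cwd, system_root, path_dirs, nt_family):
        hit = by_lower.get(cand.lower())
        if hit is not None:
            return hit
    return None


# Constructed sample disk: the OS copy is patched ("patched" is a label, not a
# real version number), one application ships its own old gdiplus.dll
# (5.1.3097.0 is one of the versions flagged in this thread), and a tools
# directory that happens to be on PATH holds another old copy.
SAMPLE_FILES = {
    r"C:\WINDOWS\system32\gdiplus.dll": "patched",
    r"C:\Program Files\WS_FTP Pro\gdiplus.dll": "5.1.3097.0",
    r"C:\Tools\gdiplus.dll": "5.1.3097.0",
}


def loaded_version(app_dir, files=SAMPLE_FILES, nt_family=True):
    """(path, version) of the gdiplus.dll a program started from app_dir gets.
    The current directory and PATH used here are assumed values for the example."""
    hit = resolve_dll("gdiplus.dll", app_dir, r"C:\Documents and Settings\user",
                      r"C:\WINDOWS", [r"C:\Tools"], files, nt_family)
    return (hit, files[hit]) if hit else (None, None)


if __name__ == "__main__":
    for app in (r"C:\Program Files\WS_FTP Pro", r"C:\Program Files\OtherApp"):
        print(app, "->", loaded_version(app))
    # On Windows 95/98/ME there is no system32 step, so the PATH copy wins here.
    print("OtherApp on Windows 98 ->", loaded_version(r"C:\Program Files\OtherApp", nt_family=False))
```

The WS_FTP Pro case is the one the tutorial warns about: the private copy sits first in the order, so patching Windows changes nothing for that program until its own DLL is replaced. The Windows 98 case shows the other trap in the list, a forgotten copy in a PATH directory being picked up once no system copy is found earlier in the order.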
Daisuke
Sep 28 2004, 03:54 AM
Thanks Grinler for this excellent tutorial.
luci2a
Sep 28 2004, 03:15 PM
Thank you
You're the first to offer help I think!
Luci2a
dgtlarts
Sep 30 2004, 05:16 PM
Scanning Drive C:...
C:\WINDOWS\system32\sxs.dll
Version: 5.2.3790.0 <-- Vulnerable version
I've read 5 or so different articles trying to get what-to-do info on this file, but am coming up empty. This is a Microsoft file (verified by right-clicking the file -> properties -> Version -> Company), but their own GDI+ detection tool declares me safe and sound.
This is on a Windows 2003 Server Standard machine.
Anyone else encountering this &/or know the solution?
KoanYorel
Sep 30 2004, 05:48 PM
I have to add to “dgtlarts” list.
I’ve just run a new GDI scan and it came up with the following vulnerable items.
I’ve XP Home with Office XP for Small Business – fully updated with SP1, SP2, and the latest GDI “Patch” according to MS Updates for both XP Home and Office. (McAfee AV and MS firewall)
Since the MS generalized fix doesn’t appear to work for these items, do I delete them or what?
C:\Program Files\Microsoft Office\PowerPoint Viewer\GDIPLUS.DLL
Version: 6.0.3260.0 <-- Vulnerable version
C:\WINDOWS\$NtUninstallKB839645$\sxs.dll
Version: 5.1.2600.1106 <-- Vulnerable version
C:\WINDOWS\I386\ASMS\1000\MSFT\WINDOWS\GDIPLUS\GDIPLUS.DLL
Version: 5.1.3097.0 <-- Vulnerable version
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
Version: 5.1.3097.0 <-- Vulnerable version
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\GdiPlus.dll
Version: 5.1.3101.0 <-- Vulnerable version
Thanks,
~Koan
dgtlarts
Sep 30 2004, 06:09 PM
You can safely ignore all the files in %SystemRoot%\$NtUninstallKBxxxxx and %SystemRoot%\WinSxS. Files in these folders are backups created by the OS should you ever decide to uninstall the patch. If they still make you nervous, you can delete them but you will lose the ability to uninstall those patches.
One of your files is part of PowerPoint. Have you gone to the microsoft office site and run OfficeUpdate? It works like Windows Update, except on your Microsoft Office software. Run it repeatedly until it tells you there are no more updates available. I can never remember the exact URL, but if you go to
www.officeupdate.com it will redirect you.
Off the top of my head, I'm not familiar with the ASMS product. Sorry.
KoanYorel
Sep 30 2004, 06:24 PM
Thanks for the input "dgtlarts".
I'd run the scan yesterday after updating everything from MS site I could find.
I had nothing on the red list - vulnerable then.
Just out of paranoia, I ran the scan again after seeing your posting and found these other five objects.
Yes, I did pull down three updates yesterday. Everything that was listed for my OS's,
and even one for Office 2003 - which of course I didn't need.
I don't use PowerPoint reader often, and can download the reader again if'n I need to.
(Actually, I'll off load it to disk to use offline until MS patches Power Point (again).
And I missed the fact the others were back up files. - thanks for pointing that out!
regards,
~Koan
Grinler
Sep 30 2004, 06:55 PM
The i386 directory that you are showing looks to be a copy of the XP CD, so I probably wouldn't worry about that as it's probably just an old version.
As for sxs.dll, from what I can tell there is no replacement file yet.
dgtlarts
Sep 30 2004, 07:02 PM
Thanks Grinler. Please keep us posted.
KoanYorel
Sep 30 2004, 07:10 PM
Thanks Grinler,
I wasn't sure about the i386 either. I'll just chuck it.
Thanks guys, I'll nap a little quieter this p.m.
~Koan
Grinler
Sep 30 2004, 07:17 PM
Just delete the file...not the directory
KoanYorel
Sep 30 2004, 07:20 PM
Right, only the file.
I don't want to start that all over again... tee-hee.
~Koan
LorenAmelang
Oct 1 2004, 03:37 PM
One of the commenting users posted
-----
C:\WINDOWS\I386\ASMS\1000\MSFT\WINDOWS\GDIPLUS\GDIPLUS.DLL
Version: 5.1.3097.0 <-- Vulnerable version
-----
I have a similar entry, part of Microsoft Visual Studio 6, or possibly a more recent "Debug Symbols" download
-----
N:\WINDOWS\Debug\I386\ASMS\1000\MSFT\WINDOWS\GDIPLUS\GDIPLUS.DLL
Version: 5.1.3097.0 <-- Vulnerable version
-----
These are the debug versions of the DLLs, for use with a development system. If you look at the file sizes, they are probably larger than the standard runtime-only versions, because they contain additional debug information. They must come from Microsoft, and must match version-for-version the runtime DLLs you intend to use with your program.
Microsoft undoubtedly has created debug versions of the newly fixed DLLs for their internal use, but they obviously did not check for "obsolete" versions of their own development systems with their GDI scanner program, nor did they replace the vulnerable debug DLLs they provided. I'd be very surprised if they have updated their debug packages with the new versions.
I just hid (renamed) my "I386" DLLs, as I don't develop graphics programs. If there is no debug version found, the system uses the runtime version and you just can't see disassembled code in your debugger. Someone who does write JPEG code would need to dig much more deeply here!
I also renamed the vulnerable DLLs in the Windows SxS "side-by-side" folders. Windows File Protection complained that I was modifying system files, but let me do it.
There is a list of the "current lifecycle" programs Microsoft checks in their <http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx> bulletin. My old VS6, and unsupported things like the Visio Viewer, are not on the list.
Loren
Grinler
Oct 1 2004, 04:10 PM
Thanks for the info:
My windows XP CD has the same directory as Koan:
\I386\ASMS\1000\MSFT\WINDOWS\GDIPLUS
I think the directory that Koan is seeing is from when computer manufacturers copy the entire CD onto the hard drive so that files are available. Does not hurt to rename that file and replace it with the latest redistributable.
zvika
Oct 2 2004, 12:22 PM
Kudos and thumbs up to Grinler for his amazing tutorial !! It's amazing, particularly if you have earlier tried to read MS's ms04-028 FAQ section .... and used their tool to discover potential GDI+ dll issues !
/Zvika
jon_fl
Oct 2 2004, 01:24 PM
My SXS.DLL vulnerable version is at C:\I386\SXS.DLL. It is version 5.1.2600.1106. I have another SXS.DLL at C:\Windows\ServicePackFiles\i386\sxs.dll. It is version 5.1.2600.2180 and shows that it is NOT a vulnerable file. Can I replace the vulnerable file with this one? I have XP home with SP2.
Grinler
Oct 3 2004, 03:28 PM
Yes you can..just make sure you make a backup of the one under c:\i386.
Just so you know, the c:\i386 is most likely an entire copy of the operating system so is not actively vulnerable, but if new Windows components are added in the future it may, large may, become a problem.
cbcb
Oct 3 2004, 05:14 PM
Hi all. How about the 'possibly vulnerable' list that GDISCAN finds?
My XP system passed Microsoft's scan with no GDI+ vulnerabilities found. My GDISCAN found these - all in the Windows folder except for one at the bottom which is a 'shared' thing. Any recommendations to do anything about any of these at this point? Thanks.
Scanning Drive C:...
C:\WINDOWS\system32\dllcache\sxs.dll
Version: 5.1.2600.1515
C:\WINDOWS\system32\dllcache\vgx.dll
Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\WINDOWS\system32\sxs.dll
Version: 5.1.2600.1515
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
Version: 5.1.3097.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\GdiPlus.dll
Version: 5.1.3101.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\$NtUninstallKB839645$\sxs.dll
Version: 5.1.2600.1106 <-- Possibly vulnerable (Backup for uninstall purposes)
C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
Scan Complete.
jon_fl
Oct 4 2004, 01:03 PM
Hi Grinler,
I downloaded and installed the GDIplus.dll over the corrupted one as instructed in the beginning of this topic. The following was also downloaded in Notepad with the download;
===========Gdiplus.dll====================================
For Windows XP use the system-supplied gdiplus.dll. Do not install a new gdiplus.dll over the system-supplied version (it will fail due to Windows File Protection).
For Windows 2000, Windows Millennium Edition, Windows NT 4.0 and Windows 98, install gdiplus.dll into the private directory of the application not into the system directory.
In addition to the rights granted in Section 1 of the Agreement ("Agreement"), with respect to gdiplus.dll for Windows 2000, Windows Millennium Edition, Windows NT 4.0 and Windows 98, you have the following non-exclusive, royalty free rights subject to the Distribution Requirements detailed in Section 1 of the Agreement:
(1) You may distribute gdiplus.dll solely for use with Windows 2000, Windows Millennium Edition, Windows NT 4.0 and Windows 98.
======================================================
I have Windows XP and it replaced the vulnerable DLL and shows no vulnerability when I re-scan it. I put the vulnerable DLL in a separate folder and that shows vulnerable in a scan. Do I need to worry about keeping that in a separate folder and getting exploited later or should I just place it in the Recycle Bin?
Grinler
Oct 4 2004, 01:48 PM
CBCB,
I would prob replace the ones here:
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
Version: 5.1.3097.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\GdiPlus.dll
Version: 5.1.3101.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
With the ones found in my link above. Just make sure you make a backup.
jon_fl,
I would hold onto the originals ...just rename them from gdiplus.dll to gdiplus.bad
or something like that
Scarlett
Oct 5 2004, 09:14 AM
Here is my scan. Nothing shows in red. Am I O.K.?....................{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fnil\fcharset0 Verdana;}{\f1\fswiss\fprq2\fcharset0 Verdana;}}{\colortbl ;\red0\green0\blue0;\red255\green0\blue0;\red180\green180\blue0;}\viewkind4\uc1\pard\cf1\f0\fs17 Scanning Drive C:...\parC:\\Program Files\\Common Files\\Microsoft Shared\\VGX\\vgx.dll\par \cf1\f0Version: 6.0.2800.1411\parScan Complete.\par}
Grinler
Oct 5 2004, 09:49 AM
I am assuming you're on a 98 or ME machine which is why the formatting is so strange.
But reading between all the formatting text, it looks good.
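The plain-text logs quoted earlier in this thread and the RTF-wrapped paste just above share one layout: a path line followed by a Version line, with an arrow note when GDI Scan flags the file. The Python below is an added example, not part of GDI Scan or of any post. It strips the RTF wrapper when one is present (so a Windows 9x/ME paste can be read without opening it in WordPad), parses the hits, buckets each one by the directory categories the thread distinguishes, and lists the flagged copies the tutorial says to follow up on. The sample logs are trimmed copies of cbcb's and Scarlett's posts; the bucket names and the follow-up rule are my reading of the thread, not GDI Scan's own output.

```python
"""Parser for the GDI Scan log format quoted in this thread, including the RTF
wrapper the Windows 9x/ME clipboard copy produces. Added example, not part of
GDI Scan or of any post; sample logs are trimmed copies of posts above."""
import re

# RTF tokens: control word (\par, \cf1), escaped char (\\ \{ \}), brace, text.
RTF_TOKEN = re.compile(r"\\([a-z]+)(-?\d+)? ?|\\(.)|([{}])|([^\\{}]+)")


def rtf_to_text(rtf):
    """Minimal RTF to text: drop the font and colour tables, turn the par
    control word into a newline, unescape backslashes. Hex escapes are not decoded."""
    out, depth, skip_depth = [], 0, None
    for word, _num, esc, brace, text in RTF_TOKEN.findall(rtf):
        if brace == "{":
            depth += 1
        elif brace == "}":
            if skip_depth == depth:
                skip_depth = None
            depth -= 1
        elif skip_depth is not None:
            continue                      # still inside a discarded header group
        elif word in ("fonttbl", "colortbl"):
            skip_depth = depth
        elif word == "par":
            out.append("\n")
        elif esc:
            out.append(esc)               # one backslash in the path is written as two in RTF
        elif text:
            out.append(text)
    return "".join(out)


VERSION_RE = re.compile(r"^Version:\s*([\d.]+)"
                        r"(?:\s*<--\s*(Vulnerable version|Possibly vulnerable)\s*(?:\((.*)\))?)?\s*$")


def classify_location(path):
    """Bucket a hit the way the thread does when deciding what to do with it."""
    p = path.lower()
    if "$ntuninstall" in p:
        return "uninstall backup"
    if "\\winsxs\\" in p:
        return "side-by-side store"
    if "\\dllcache\\" in p:
        return "file protection cache"
    if "\\i386\\" in p:
        return "install media copy"
    if "\\system32\\" in p or "\\system\\" in p:
        return "system directory"
    return "application private copy"


def parse_gdiscan_log(text):
    """One dict per DLL hit: path, version tuple, status, note and location."""
    if text.lstrip().startswith("{\\rtf"):
        text = rtf_to_text(text)
    records, path = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Scanning Drive") or line == "Scan Complete.":
            continue
        m = VERSION_RE.match(line)
        if m and path:
            records.append({"path": path,
                            "version": tuple(int(x) for x in m.group(1).split(".")),
                            "status": m.group(2) or "not flagged",
                            "note": m.group(3) or "",
                            "location": classify_location(path)})
            path = None
        else:
            path = line                   # a DLL path; its Version line follows
    return records


def action_items(records):
    """Flagged copies the tutorial says to follow up on (vendor update or the
    redistributable, after a backup): private application copies and the
    side-by-side store. Uninstall backups and install media copies are left alone."""
    return [r for r in records if r["status"] != "not flagged"
            and r["location"] in ("application private copy", "side-by-side store")]


# Trimmed from cbcb's post above (Windows XP, plain-text paste).
CBCB_LOG = r"""Scanning Drive C:...
C:\WINDOWS\system32\dllcache\vgx.dll
Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\WINDOWS\system32\sxs.dll
Version: 5.1.2600.1515
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
Version: 5.1.3097.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\$NtUninstallKB839645$\sxs.dll
Version: 5.1.2600.1106 <-- Possibly vulnerable (Backup for uninstall purposes)
C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
Scan Complete.
"""

# Scarlett's Windows ME paste above, which arrived wrapped in RTF.
SCARLETT_RTF = (r"{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fnil\fcharset0 Verdana;}"
                r"{\f1\fswiss\fprq2\fcharset0 Verdana;}}{\colortbl ;\red0\green0\blue0;\red255\green0\blue0;"
                r"\red180\green180\blue0;}\viewkind4\uc1\pard\cf1\f0\fs17 Scanning Drive C:...\parC:\\Program Files"
                r"\\Common Files\\Microsoft Shared\\VGX\\vgx.dll\par \cf1\f0Version: 6.0.2800.1411\parScan Complete.\par}")

if __name__ == "__main__":
    for log in (CBCB_LOG, SCARLETT_RTF):
        for r in action_items(parse_gdiscan_log(log)):
            print(r["location"], r["path"], ".".join(map(str, r["version"])))
```

Run against the cbcb log this reports the WinSxS GdiPlus.dll and the shared VGX copy and stays quiet about the dllcache and $NtUninstall entries, which matches the advice given in the replies; the ME paste yields the single unflagged vgx.dll that Grinler read out of the RTF by eye.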
Scarlett
Oct 5 2004, 09:51 AM
Yes, Grinler I have ME. I thought it looked strange too. Thanks
Rojer
Oct 8 2004, 03:31 PM
I am trying to scan other computers on our network. Tom Liston thought that the command line version would be able to handle a UNC for the drive letter. Perhaps I am not doing it right. Any suggestions?

Disregard, it does work, slowly, and put the log file in my U: drive - duh:
U:\>gdiclscan.exe
Usage:
GDICLScan.exe driveletter [driveletter...] logfilename
U:\>gdiclscan.exe \\how1example\c$ gdiplus.txt
U:\>gdiclscan.exe
Grinler
Oct 8 2004, 06:18 PM
Nice ! Thanks for sharing the tip with us
robp
Oct 11 2004, 09:45 AM
Hi,
Can anyone help with Visio Viewer? I cannot find a patch or workaround :-(
Scanning Drive C:...
C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.DLL
Version: 6.0.2800.1411
C:\Program Files\Microsoft Office\Visio Viewer\gdiplus.dll
Version: 5.1.3100.0 <-- Vulnerable version
C:\Program Files\ProgramCache\office\Source\PFILES\COMMON\MSSHARED\VGX\VGX.DLL
Version: 5.0.3014.1003 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\WINNT\Microsoft.NET\Framework\v1.1.4322\gdiplus.dll
Version: 5.1.3101.0 <-- Vulnerable version
C:\WINNT\system32\dllcache\vgx.dll
Version: 6.0.2800.1411
Scan Complete.
Cheers,
Rob
Grinler
Oct 11 2004, 09:51 AM
Have you tried downloading the Microsoft redistributable and seeing if the program works properly? Remember to back up the existing DLL first.
EdBee
Oct 12 2004, 10:14 AM
I am about to replace some of gdiplus.dll files on my computers. I have a few questions.
1. Can you expand a bit on the C:\ I36 directory? I have also the ASMS folder within with a bunch of numbered subfolders.
2. I did DL from MS the gdiplus.dll they offer - it is version 3102.1360. Yet my system shows a .dll version # 3102.2180. A newer version than the one they are giving me? Just wondering.
3. I realize that after replacing the vulnerable dll with the new one I should scan again. But, how do I check to see that the dll is doing its thing--irrespective of vulnerability?
Thanks for the great tutorial!!
Grinler
Oct 12 2004, 11:06 AM
QUOTE
1. Can you expand a bit on the C:\ I36 directory? I have also the ASMS folder within with a bunch of numbered subfolders.
Many manufacturers or computer vendors copy the entire i386 directory from the Microsoft CD to your computer so that if you need to access those files later, to install drivers etc, you can copy the files directly off your hard drive instead of the CD-ROM.
QUOTE
2. I did DL from MS the gdiplus.dll they offer - it is version 3102.1360. Yet my system shows a .dll version # 3102.2180. A newer version than the one they are giving me? Just wondering.
Is the one that shows 3102.2180 being seen as vulnerable or possibly vulnerable?
QUOTE
3. I realize that after replacing the vulnerable dll with the new one I should scan again. But, how do I check to see that the dll is doing its thing--irrespective of vulnerability?
Just test the applications that seem to use the possibly vulnerable dll. If they work fine then you are ok. As always make a backup in case you discover problems in the future.
EdBee
Oct 12 2004, 11:43 AM
Thanks for the response - I've already replaced the vulnerable version in the I386 dir on one machine - but it's doubtful that I will ever be able to test/evaluate it because I don't think it's being used - I will check to see later.
Your question - the newer file is in SYSTEM32\gdiplus - version 5.12600.2180 and is not shown as vulnerable - I am presuming that this dll will be the one used if I do anything with JPEGs. - I will check this also.
I would like to know more about the" side by side" stuff-- I will read furiously--TKS
Grinler
Oct 12 2004, 11:58 AM
I would leave the system32\gdiplus alone. Only replace it if it's an older version and showing as vulnerable.
dkharada
Oct 12 2004, 04:36 PM
I still have one gdiplus.dll left after replacing with the downloaded dll. It only shows up when I do a scan. Please advise.
C:\Program Files\MSN\MSNCoreFiles.BAK.FEC69D39-ADBA-4928-98F0-3571AA97ABDF\gdiplus.dll
Version: 5.1.3102.1316 <-- Vulnerable version
Grinler
Oct 12 2004, 04:52 PM
In the tutorial it tells you of a downloadable redistributable from Microsoft. Please follow the instructions on downloading and replacing the one that you are seeing as vulnerable. I am inferring from the pathname that it is a backup file and you are probably not using it, but it is safer to replace it anyway.
dkharada
Oct 12 2004, 05:27 PM
I don't want to be a bother, but I am not able to locate that file. Is there some trick to finding it? It doesn't show when I check show hidden files.
Thanks for your quick response.
Grinler
Oct 12 2004, 07:25 PM
Click on start, then run, and paste in the following into the field:
C:\Program Files\MSN\MSNCoreFiles.BAK.FEC69D39-ADBA-4928-98F0-3571AA97ABDF\
And press the ok button. That should open the directory if it exists
dkharada
Oct 12 2004, 07:42 PM
I guess it doesn't exist.
Thank you for your help. I guess I will have to live with the situation and hope I don't use it.