Full Version: JPEG Exploit Virus appears to be out and about
Grinler
It looks like a virus using the GDI+ JPEG exploit has been developed and is in the wild. More information can be found here about what is happening:

http://www.easynews.com/virus.txt

Be sure to do your Windows updates and read this tutorial:

GDI Scan Tutorial and how to fix the GDI+ JPEG Vulnerability
georgia
Your information on this issue is excellent. I hope that I am not posting in the wrong place. I fixed one issue yesterday and have a big one to do today, as I, being a newbie, didn't know that Microsoft Works Suite 2003 would have updates.
And Microsoft Works is showing as a vulnerability after a SANS scan.
C:\Program Files\Microsoft Works\gdiplus.dll

I have reviewed the tutorial and went to the novice one as well, as I tried an experiment with one update and did not know what to do.

I have two questions. One is, when it asks me where to save it, should I indicate the "C" drive? And second, it asks for a path to be assigned to the update.
Do all update paths for Microsoft Office that I need to do have the path


C:\Program Files\Microsoft Works\gdiplus.dll

I don't even understand the word "path" and don't want to make a mistake with my updated downloads, which I have to do before I can put on the patch.

I should also say that I am on dial-up and the updates will take 180 minutes. What happens if I get dropped during this time, as does happen where I get disconnected on shorter downloads? Does information get lost?

I hope that you don't think I am totally out to lunch. I would appreciate your advice, thank you.
Grinler
Generally, for Office you want to go to officeupdate.com and run the updates through there. It will install all the updates for you automatically. I am not sure if it covers Microsoft Works, but you should give it a try.

If you can't do that, then you can download the update to your C: drive and then run it. It should automatically find your installation of Works and update it.

Then run GDI Scan again and see if it finds the same exploitable DLL.
jgweed
Not sure what updates you are looking at, but that seems a very big update for MS Works. What you CAN do is break up a series of updates and download them one at a time.
Cheers,
John
georgia
Thanks for the quick response; you are a gem. This problem is really bothering me, especially as a newbie. I made sure my restore point was created lest I gum things up.
But I still have one question before I give it a try, and that is: what if I get dropped off my dial-up during the download, which happens? Or is there a download program that is good at seeing that this does not happen, and that is user-friendly, that you can suggest the name of?
I am sorry for all the questions here, but I lead the life of a growing mushroom when it comes to computers!
Grinler
Well, if you are doing it through Office Update, it will not install the update until it is completely downloaded. And I believe it has a resume function in case of loss of connection.

For downloading the files first through the web browser, it will not install either until it is fully downloaded and you run it. So don't worry about that. I am not sure of any good programs, though, that perform auto-resume.
luci2a
Hi Grinler
First of all, thanks for the excellent tutorial; what a rapid response to my request! (Or were you planning it anyway?)
I have a similar problem to Georgia. The Office Update site in my case suggested I needed Service Pack 3 for my Office XP products. This is a 180-minute download, and I have tried it twice today, but the connection dropped twice, and there is no resume function, so it was back to the start on both occasions, and I still haven't done it.

On the rare occasions that I download stuff in IE I use Download Express from MetaProducts, which has a resume function, but I can't invoke it for MS updates. http://www.metaproducts.com/mp/default.asp
I don't fancy spending three hours watching the download in case the connection drops.

If anyone has any solutions to all this I guess we'd all be very grateful.

Another suggestion, Grinler: how about a section of the board for interpretation of the GDI+ scan results, along the lines of HJT assistance? No, I know you have enough to do already, and it is appreciated, believe me!

Luci2a
Grinler
You can all post your GDI results in the General Security forums for people to look at; that would be fine.

You may also be able to get these updates via CD from Microsoft.
luci2a
Thanks Grinler.
I'll look into the CD suggestion; I haven't seen it advertised anywhere, but who knows...
It's a mess, isn't it? I can't understand any of it.

Luci2a.
luci2a
Just been back to the update site, and did a search for "Office XP SP3 + cd" and got this! http://support.microsoft.com/default.aspx?...kb;en-us;832671

No CD though.
jgweed
ZDNet reports the first actual instances of the use of the JPEG vulnerability have been found on Usenet newsgroups. More information is here:

http://news.zdnet.com/2100-1009_22-5385995.html

Regards,
John
jgweed
Are we talking about MS Office (e.g. Word) or MS Works?
Cheers,
John
luci2a
Hi John

In my case it is Office XP, which contains Word etc, all in the 2002 version. I think Georgia was referring to Works.

I am extremely confused by all this. I have XP Pro SP2, and the GDI tool did not appear automatically in my critical updates; I went to the update site to browse optional updates, and found the tool listed as "high priority".
To add to my confusion, it says in several places that SP2 users are not at risk.
I was directed to look for Office updates, and find that Service Pack 3 is described as a critical update. I never knew it was necessary to search actively for critical updates for Office products; I thought anything critical would show up automatically, or have I been wrong all this time?

I had one non-essential non-MS program which showed up on the GDI+ scan, a link to Fuji for printing my digital pics, and I have removed this as I don't use it anyway.

I don't know enough about anything to know what the vulnerabilities shown in the scan refer to. I'll take Grinler's advice and post the results of a scan after downloading the SP3, if I ever manage to do it!

Yours, more and more muddled

Luci2a
harrywaldron
Hi. You can order the CD, and it looks to be even free (as I went through the form), but there's the possibility of a good week or so wait. If you know someone who has high-speed Internet, or if an admin can burn a CD at work for you, that can help. I'm on dial-up at home and I also had to burn my own copy.

Still, everyone should get patched up on Windows immediately with Windows Update, and you can get Office XP protected later, as most likely the first threats will be through email and hostile web sites. AV protection can help you on Office until you can get that patched.

Office 2003 SP1
http://www.microsoft.com/office/ork/updates/2003/o2k3cd.htm

Office XP SP3
http://www.microsoft.com/office/ork/updates/xp/Oxpsp3cd.htm
luci2a
Hi Harry

The link for ordering the CD seems to be for US users only, but I'll keep searching.

thanks

Luci2a
KoanYorel
Harry,
Thanks for the link to order the CD. I too am on dial-up and detest the wasted time.

The CD is free of all costs. I just ordered a copy this a.m. (See excerpt of order confirmation below.)

At the time I ordered it, they were only displaying availability for North America.
"Part Number: 269-08261
Product Name: Office Pro XP Win32 English Patch CD SP3
Qty: 1
Unit Price: 0.00
Item Total: 0.00

Subtotal: 0.00
Shipping: 0.00
Tax: 0.00
Total: 0.00 USD
(USD = US Dollar)"
luci2a
Just to add a new dimension to this story: I phoned M$ UK just now to request the CD of Office SP3. I was informed that the latest Office XP update is SP2 in Europe! According to "Dave" in Consumers, we in Europe are about 6 months behind you in the US, and he thinks I have been going to the "wrong" update site.
Strange, that, as it says Microsoft UK at the top of the update page.

He is going to send me the CD of Office SP2, which he thinks will do the trick.

Do I feel reassured...?

I am waiting for "Alan" to phone me back......

Luci2a
Grinler
Ack...

Remember you can always replace the gdiplus.dll with the downloadable one from Microsoft and see if it works... just back up the existing one first.
luci2a
Grinler, how exactly do I do that? I don't know how to replace DLLs, or how to back them up individually.
I'm too much of a newbie for all this!

...and still trying to do the SP3 download; it failed for the 4th time today, but I'm always out of the room when it happens, so I don't know why!

Thanks for the help. If I haven't been able to do the download by, say, tomorrow, maybe I could ask you to look at the log and hold my hand through sorting it out.

Eternally grateful!

Luci2a
Grinler
That would be fine... let's try the SP3 first and then we will go with the next step.
luci2a
Hi Grinler
Well, I finally got SP3 and associated patches installed (right-clicked on the files in the Download Center, rather than from Office Update, and was able to utilise Download Express and save the files where I can get at them).
After installing, I ran the GDI+ scan again.

C:\I386\SXS.DLL
Version: 5.1.2600.0 <-- Vulnerable version
C:\I386\VGX.DLL
Version: 6.0.2600.0 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\Program Files\Common Files\Microsoft Shared\Office10\MSO.DLL
Version: 10.0.6714.0
C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
Version: 6.0.2900.2180
C:\WINDOWS\$NtServicePackUninstall$\sxs.dll
Version: 5.1.2600.1515
C:\WINDOWS\$NtServicePackUninstall$\vgx.dll
Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\WINDOWS\$NtUninstallKB839645$\sxs.dll
Version: 5.1.2600.1106 <-- Possibly vulnerable (Backup for uninstall purposes)
C:\WINDOWS\ServicePackFiles\i386\sxs.dll
Version: 5.1.2600.2180
C:\WINDOWS\ServicePackFiles\i386\vgx.dll
Version: 6.0.2900.2180
C:\WINDOWS\SYSTEM32\sxs.dll
Version: 5.1.2600.2180
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
Version: 5.1.3097.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\GdiPlus.dll
Version: 5.1.3101.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\GdiPlus.dll
Version: 5.1.3102.2180
Scan Complete.

Only the first item shows up in red. The "possibly vulnerable" ones are in green.

Please can you tell me whether I need to do anything further about this. I don't have any idea what these files refer to!
Thank you very much for your help. It's all very puzzling for us non-techie types!
Luci2a
Grinler
That one in the i386 directory is the original file from the Windows CD, which is why it is showing as vulnerable. I would replace it with the one from \windows\system32 and run the tool again and see if it's fixed then. Though it's not able to hurt you there, we don't want a bad routine to copy it over for some reason.

Just make a backup of it.
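As an added example (not code from this thread, from the GDI Scan tool, or from BleepingComputer): a small Python script that parses scan output in the two-line format shown in the listing posted above (a path line followed by a "Version: a.b.c.d [<-- note]" line) and, for each DLL name, pairs every older copy with the newest copy found on the same machine. That is the reasoning behind the advice to overwrite the old installation-source sxs.dll in C:\I386 with the current one from system32. The sample input is a constructed subset of that listing; the script reports the scanner's own annotations and the version ordering, and makes no judgement of its own about which versions are patched.

```python
"""Parse GDI Scan output and pair stale DLL copies with their newest sibling.

Added example for this thread; not part of the GDI Scan tool. It assumes the
two-line record format seen in the scan output posted above and a trailing
"Scan Complete." line.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the scan output posted earlier in this thread.
SAMPLE_SCAN = r"""
C:\I386\SXS.DLL
Version: 5.1.2600.0 <-- Vulnerable version
C:\WINDOWS\$NtUninstallKB839645$\sxs.dll
Version: 5.1.2600.1106 <-- Possibly vulnerable (Backup for uninstall purposes)
C:\WINDOWS\SYSTEM32\sxs.dll
Version: 5.1.2600.2180
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
Version: 5.1.3097.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82\GdiPlus.dll
Version: 5.1.3102.2180
Scan Complete.
"""

# "Version: 5.1.2600.0 <-- Vulnerable version"  ->  ("5.1.2600.0", "Vulnerable version")
VERSION_RE = re.compile(r"^Version:\s*(\d+(?:\.\d+)*)(?:\s*<--\s*(.*?))?\s*$")


@dataclass(frozen=True)
class Entry:
    path: str
    version: tuple          # numeric tuple, so 5.1.2600.1106 < 5.1.2600.2180 compares correctly
    version_str: str
    note: Optional[str]     # the scanner's "<-- ..." annotation, if any

    @property
    def basename(self) -> str:
        # Windows paths; compare file names case-insensitively (SXS.DLL == sxs.dll)
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_version(text: str) -> tuple:
    """'5.1.2600.2180' -> (5, 1, 2600, 2180); tuples order numerically, strings do not."""
    return tuple(int(part) for part in text.split("."))


def parse_scan(text: str) -> list:
    """Turn the scanner's path/version line pairs into Entry records."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries = []
    i = 0
    while i < len(lines):
        if lines[i] == "Scan Complete.":
            break
        match = VERSION_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
        if match is None:
            raise ValueError(f"expected a Version: line after {lines[i]!r}")
        version_str, note = match.group(1), match.group(2)
        entries.append(Entry(lines[i], parse_version(version_str), version_str, note or None))
        i += 2
    return entries


def flagged(entries: list) -> list:
    """Entries the scanner itself annotated (vulnerable or possibly vulnerable)."""
    return [e for e in entries if e.note]


def stale_copies(entries: list) -> list:
    """Pair each copy of a DLL with the newest copy of the same name on the box.

    Returns (old_entry, newest_entry) pairs in scan order. In the sample this
    pairs the C:\\I386 and uninstall-backup copies of sxs.dll with the
    system32 copy, and the two old side-by-side GdiPlus.dll copies with the
    1.0.2600.2180 one.
    """
    newest = {}
    for e in entries:
        cur = newest.get(e.basename)
        if cur is None or e.version > cur.version:
            newest[e.basename] = e
    return [(e, newest[e.basename]) for e in entries
            if e.version < newest[e.basename].version]


if __name__ == "__main__":
    found = parse_scan(SAMPLE_SCAN)
    for e in flagged(found):
        print(f"FLAGGED  {e.version_str:14} {e.path}  ({e.note})")
    for old, donor in stale_copies(found):
        print(f"STALE    {old.version_str:14} {old.path}")
        print(f"   newer {donor.version_str:14} {donor.path}")
```

Feed it a full scan log by replacing SAMPLE_SCAN with the file contents. A "stale" pairing only says that a newer copy of the same file exists; whether the stale copy is reachable by anything (the i386 copy is not loaded by running programs, as Grinler says) still needs the judgement the thread applies.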
luci2a
Thank you, Grinler, but how do I do this? You credit me with more expertise than I actually have.

I can see both the SXS files in the locations you describe. What do I do next? Delete one, copy and paste the other? How do I back up the file, and where to? I have all my data stuff backed up onto CD-Rs; is this what you mean?

I'm sorry to have so many questions, but I'm only a tiny way up the learning curve here, still trying to see the computer as my friend rather than my master.

Thank you very much for all your help!
Luci2a
Grinler
OK, the vulnerable DLL is at c:\i386. Find that DLL, right-click on it, click on Rename, and make it sxs.dll.original.

That is the new name of the file.

Then find the one in windows\system32, right-click on it, and click on Copy.

Then go back to c:\i386, right-click an empty area in that window, and then click on Paste.
luci2a
Thank you very much, Grinler. Done that, and all red things gone now. The green "possibly vulnerable" ones remain; do I just ignore those?

This is a truly wonderful site. You are all so helpful and so friendly, never make us newbies feel bad.

Thank you!

Luci2a
Grinler
Thanks for the kind words... I would leave the possibly vulnerable versions alone for now, as it is unclear about them.