BleepingComputer.com: JPEG Exploit Virus appears to be out and about

It looks like a virus using the GDI+ Jpeg exploit has been developed and is in the wild. More information can be found here about what is happening:

http://www.easynews.com/virus.txt

Be sure to do your windows updates and read this tutorial:

GDI Scan Tutorial and how to fix the GDI+ JPEG Vulnerability

Your information on this issue is excellent. i hope that I am not posting in the wrong place. i fixed 1 issue yesterday and have a big one to do today as i being a newbie didn't know that Microsoft works suite 2003 would have updates.
And microsoft works is showing as a vulnerability after a SANS scan.
C:\Program Files\Microsoft Works\gdiplus.dll

i have reviewed the tutorial and went to the novice one as well, as I tried an experiment with one update and didnot know what to do.

I have 2 questions, one is when it asks me where to save it should i indicate "C" drive? and second it asks for a path to be assigned to the update.
Do all updates paths for microsoft office that I need to do have the path


C:\Program Files\Microsoft Works\gdiplu.dll

I don't even understand the word path and don't want to make a mistake with my updated downloads which I have to do before i can put on the patch.

I should also say that I am on dialup and the updates will take 180 minutes. What happens if I get dropped during this time, as it does happen where I get disconnected on shorter downloads. Does information get lost?

I hope that you don't think I am totally out to lunch. I would appreciate your advice, thankyou

Generally, for office you want to go to officeupdate.com and run the updates through their. It will install all the updates for you automatically. I am not sure if it covers Microsoft Works but you should give it a try.

If you cant do that, then you can download the update to your C: drive, and then run it. It should automatically find your installation of works and update it.

Then run gdi scan again and see if it finds the same exploitable dll.

Not sure what updates you are looking at, but that seems a very big update for MS Works. What you CAN do is break up a series of updates and download them one at a time.
Cheers,
John

Thanx for the quick response you are a gem. This problem is really bothering me and especially as a newbie. i made sure my restore point was created lest I gum things up.
But I still have one question before I give it a try and that is what if I get dropped off my dial-up during the download which happens. Or is there a download program that is good at seeing that this doesnot happen that you can suggest the name of? And that is user friendly.
I am sorry for all the questions here but I lead the life of a growing mushroom when it comes to computers!!!!!!!!

Well if you are doing it through office update, it will not install the update until it is completely downloaded. And I believe it has a resume function in case of loss of connection.

For downloading of the files first through the web browser, it will not install as well until it is fully downloaded and you run it. So dont worry about that. I am not sure of any good programs though that perform autoresume.

Hi Grinler
first of all thanks for the excellent tutorial - what a rapid response to my request! (or were you planning it anyway?)
I have a similar problem to Georgia. The office update site in my case suggested I needed Service pack 3 for my Office XP products. This is a 180 min d/load, and I have tried it twice today, but the connection dropped twice, and there is no resume function, so it was back to start on both occasions, and I still haven't done it.

On the rare occasions that I d/load stuff in IE I use download express from meta products, which has a resume function, but I can't invoke it for MS updates. http://www.metaproducts.com/mp/default.asp
I don't fancy spending three hours watching the d/load in case the connection drops.

If anyone has any solutions to all this I guess we'd all be very grateful.

Another suggestion Grinler - how about a section of the board for interpretation of the GDI+ scan results, along the lines of HJT assistance! No, I know you have enough to do already, and it is appreciated, believe me!

Luci2a

This post has been edited by luci2a: 28 September 2004 - 04:08 PM

You all can post your gdi results in the general security forums for people to look at ...that would be fine.

You may also be able to get these updates via cd from microsoft

Thanks Grinler.
I'll look into the CD suggestion - haven't seen it advertised anywhere, but who knows...
It's a mess isn't it - I can't understand any of it.

Luci2a.

Just been back to the update site, and did a search for "Office XP SP3 + cd" and got this! http://support.microsoft.com/default.aspx?...kb;en-us;832671

No CD though

ZD net reports the first actual instances of the use of the JPEG vulnerability has been found on usenet newgroups. More information is here:


http://news.zdnet.com/2100-1009_22-5385995.html

Regards,
John

Are we taking about MS Office (e.g. WORD) or MS WORKS?
Cheers,
John

This post has been edited by jgweed: 28 September 2004 - 04:16 PM

Hi John

In my case it is Office XP, which contains Word etc, all in the 2002 version. I think Georgia was referring to Works.

I am extremely confused by all this. I have XPPro SP2, and the GDI tool did not appear automatically in my critical updates - I went to the update site to browse optional updates, and found the tool listed as "high priority".
To add to my confusion, it says in several places that SP2 users are not at risk.
I was directed to look for Office updates, and find that Service Pack 3 is described as a critical update. I never knew it was necessary to search actively for critical updates for Office products - I thought anything critical would show up automatically, or have I been wrong all this time?

I had one non-essential non-MS program which showed up on the GDI+ scan - a link to Fuji for printing my digital pics, and I have removed this as I don't use it anyway.

I don't know enough about anything to know what the vulnerabilities shown in the scan refer to. I'll take Grinler's advice and post the results of a scan after d/loading the SP3, if I ever manage to do it!

Yours, more and more muddled

Luci2a

Hi - You can order the CD, and it looks to be even free (as I went through the form), but there's the possibilty of a good week or so wait. If you know someone who has high speed Internet or if an admin can burn a CD at work for you that can help. I'm on dialup at home and I also had to burn my own copy.

Still, everyone should get patched up on Windows immediately with Windows Update and you can get Office XP protected later, as most likely the 1st threats will be thru email and hostile web sites. AV protection can help you on Office until you can get that patched.


Office 2003 SP1
http://www.microsoft.com/office/ork/updates/2003/o2k3cd.htm

Office XP SP3
http://www.microsoft.com/office/ork/updates/xp/Oxpsp3cd.htm

Hi Harry

The link for ordering the CD seems to be for US users only, but I'll keep searching.

thanks

Luci2a

Harry,
Thanks for the link to order the CD. I too on dialup and detest the wasted time.

The CD is free of all costs. I just ordered a copy this a.m. (SEE excerpt of order conformation below.)

At the time I ordered it, they were only displaying availability for North America.



"Part Number: 269-08261
Product Name: Office Pro XP Win32 English Patch CD SP3
Qty: 1
Unit Price: 0.00
Item Total: 0.00

Subtotal: 0.00
Shipping: 0.00
Tax: 0.00
Total: 0.00 USD
(USD = US Dollar)"