GDI Scanner Released



#1 Daisuke


Posted 23 September 2004 - 01:47 PM

Severity Rating: Critical

MS has released a patch:
Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)

Non-Microsoft products are also vulnerable.

SANS Institute has released a scanner:
GDI Scan

Update the vulnerable products and your AV ASAP.

Every day is virus day. Do you know where your recovery CDs are?
Did you create them yet?


#2 harrywaldron


Posted 25 September 2004 - 06:00 AM

Thanks Cryo ... It's very important to test your PC and I give you an A+ for alerting our forum members :thumbsup: :flowers: ... I've got more details on the ISC tool in my blog and suggest that everyone run a copy of this and look for items flagged in RED

Internet Storm Center GDI+ Scan tool

I'd recommend that everyone run the GDIplus Scanner offered by ISC as noted above ... It's a neat and fast tool to detect vulnerabilities (just double-click after a 6KB download and they show up in the color red). It ain't a matter of IF but WHEN we'll see DANGEROUS JPEGs floating around in email and on hostile web sites.

A new toolkit designed to create malformed and potentially dangerous JPEGs has been released to the public.

MS04-028 - JPEG Exploit Toolkit released to public
http://isc.sans.org//diary.php?date=2004-09-25

A toolkit designed to exploit a recently-disclosed Microsoft JPEG vulnerability has been released. The security hole compromises the system and creates a buffer overflow condition. This could potentially allow an attacker to create a JPEG file. The JPEG file would then overtake control of a victim's machine when the user views it through Internet Explorer, Outlook, Word, and other programs.

http://www.theregister.co.uk/2004/09/24/jp...xploit_toolkit/

For a complete list of Operating Systems and Application Programs potentially affected by this, see Microsoft's information at:

http://www.microsoft.com/security/bulletins/200409_jpeg.mspx

A group of Handlers have been "playing" with the toolkit. So far it hasn't worked too well. However, as with all of these, they have a tendency to get better real fast. Therefore apply the patches on both the Operating Systems and Application Programs as recommended by Microsoft.

JPEG Hacktool

The 3 major anti-virus companies have now released definition files that will detect the JPEG exploits.

Symantec - Hacktool.JPEGDownload http://securityresponse.symantec.com/avcen...egdownload.html

McAfee - Exploit-MS04-028 http://us.mcafee.com/virusInfo/default.asp...&virus_k=128461

Trend Micro - HKTL_JPGDOWN.A http://www.trendmicro.com/vinfo/virusencyc...=HKTL_JPGDOWN.A

Edited by harrywaldron, 25 September 2004 - 06:06 AM.


#3 Daisuke


Posted 25 September 2004 - 11:41 AM

Thanks Cryo ... It's very important to test your PC and I give you an A+ for alerting our forum members :thumbsup: :flowers:

Thanks Harry, I'm flattered. :trumpet:

Is there a reason why I shouldn't replace vulnerable files in non-Microsoft products with non-vulnerable files from Microsoft products?

I have replaced gdiplus.dll (vulnerable) in ConceptDraw V with a new one (updated) found in the Office folder. ConceptDraw V seems to work fine with this new file.

#4 harrywaldron


Posted 29 September 2004 - 06:01 AM

3rd party vendors that redistribute GDI+ dlls should provide an updated version. Substitution might also work okay for 3rd party products. When an updated version comes out for the 3rd party software, then you can patch up further.

MS doesn't recommend this for Office as it will get GDI+ registration out-of-sync with the Windows registry affecting future Office Updates.
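
An added example, not part of the thread and not the SANS/ISC tool: one way to inventory every copy of gdiplus.dll under a folder (third-party application directories included) and compare each file's version against the fixed version from the vendor bulletin. The minimum version is a caller-supplied assumption, since the thread does not state it, and the function names are hypothetical.

```python
import os
import struct
import sys

# VS_FIXEDFILEINFO begins with dwSignature 0xFEEF04BD, followed by
# dwStrucVersion, dwFileVersionMS and dwFileVersionLS (little-endian DWORDs).
SIGNATURE = struct.pack("<I", 0xFEEF04BD)


def file_version(path):
    """Return (major, minor, build, revision) of a PE file, or None."""
    # Heuristic: first signature match in the raw bytes, no resource walk.
    with open(path, "rb") as fh:
        data = fh.read()
    pos = data.find(SIGNATURE)
    if pos < 0 or pos + 16 > len(data):
        return None
    _struc, ms, ls = struct.unpack_from("<III", data, pos + 4)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def scan(root, minimum, name="gdiplus.dll"):
    """Classify every copy of `name` under `root` against `minimum`."""
    # `minimum` is a 4-tuple taken from the bulletin (assumption: caller knows it).
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() != name:
                continue
            path = os.path.join(dirpath, fname)
            try:
                version = file_version(path)
            except OSError:
                version = None  # unreadable: report it rather than skip it
            if version is None:
                status = "UNKNOWN"
            elif version < minimum:
                status = "OUTDATED"
            else:
                status = "OK"
            results.append((path, version, status))
    return sorted(results, key=lambda r: r[0])


if __name__ == "__main__":
    # Usage: python gdiplus_inventory.py <root> <a.b.c.d>
    floor = tuple(int(p) for p in sys.argv[2].split("."))
    for path, version, status in scan(sys.argv[1], floor):
        print(status, version, path)
```

Copies reported as OUTDATED inside a third-party product's folder are the ones the posts above discuss replacing or waiting on the vendor to update.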



