Monday, September 27, 2004
MS04-028 is perhaps one of the worst security vulnerabilites discovered in the recent past. Windows XP SP2 fixes the hole in Windows, but it seems like the afflicted DLL, gdiplus.dll, is everywhere. On Sans.org, there is an open letter to Microsoft about how poor an implementation the GDI+ detection tool his. I just ran this tool and told my system is vulnerable, here is a UI fragment: When you click on the "Yes" button, the user expects they will see what they have to do to cleanup the latest security mess. Which takes you to this page: How to Update Your Computer with the JPEG Processing (GDI+) Security Update Step 1 on the page above is to run Office Update Office Update tells me I have no patches to install, so I go back to the GDI+ Security Update page and I read it again. I have nothing left to do because I am on Windows XP. Quick recap: I patched everything up, and the GDI+ Detection Tool still tells me I am vulnerable, but I am left with no instructions on how to fix it. Good Job Microsoft! I am not the only one, I am starting to get questions from users on this too.