  Morac
join:2001-08-30 Riverside, NJ
·Comcast
| GDI+ vulnerability question
Since a lot of programs include their own copy of gdiplus.dll, I've been trying to go through my system and see which ones are vulnerable and which ones aren't.
The Microsoft bulletin only states which versions are included with the patches, not which are vulnerable.
Based on the lowest version number I could find in the KB article, it would seem that versions lower than 5.1.3102.3352 are vulnerable, but the current GDI+ platform SDK (updated today) is version 5.1.3102.1360. This would seem to indicate that anything older than 5.1.3102.1360 should be updated.
Many of the programs I have already contain version 5.1.3102.1360 of gdiplus.dll, even those that were released over 4 years ago.
Is 5.1.3102.1360 or above safe? --
The Comcast Disney Avatar has been retired. |
|
  Morac
join:2001-08-30 Riverside, NJ
·Comcast
| Well I think I answered my own question. I downloaded the GDI+ Platform SDK and despite the version number listed as being 5.1.3102.1360 on the page, it extracted a gdiplus.dll version 5.1.3102.5581 (the same as the XP SP3 version).
So I'm guessing that 5.1.3102.1360 is vulnerable. |
|
  therube
join:2004-11-11 Randallstown, MD
| And so what, you're replacing all other versions that you have with the .5591 version?
(.5591 is what I've got in /windows/system32/.)
I'm not really familiar with gdiplus.dll, but have you verified that the programs work/work correctly with the updated version of gdiplus.dll? Wonder if the programs specifically need to have gdiplus.dll in their directories, or if gdiplus.dll would be found so long as it is in your PATH (as /windows/system32/ would be)?
(Whatever happened to DLL hell?) |
|
  Morac
join:2001-08-30 Riverside, NJ
·Comcast
| I did replace all the old versions I had with the .5591, but if you have XP or Vista you have other options.
My system doesn't have gdiplus.dll in the /windows/system32 directory. I'm not sure why, but it doesn't. It does have versions in the C:\WINDOWS\WinSxS\ (side-by-side) sub-directories. I'm not sure if deleting the "bad" gdiplus.dll files would have worked or not since I didn't try it. I suppose I could have just renamed the gdiplus.dll files and then tried to run the programs to see if they ran, but I didn't bother.
DLL hell was "replaced" with side-by-side, but not all programs use it since doing so results in the programs only working in Windows XP or later (no Win 2000 or Win 98). |
|
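The inventory described in the posts above, as an added example that is not part of the thread: a PowerShell script that finds every gdiplus.dll under a root directory, including the WinSxS copies, and compares each file version numerically against a baseline. The `Get-GdiPlusInventory` name and the default baseline (the 5.1.3102.5581 build quoted in the thread) are assumptions; take the fixed version for your platform from the Microsoft bulletin.

```powershell
# Added example: list every gdiplus.dll under $Root with its file version.
# $Baseline defaults to the build quoted in the thread; it is an assumption,
# not an authoritative "fixed" version.
param(
    [string]  $Root     = 'C:\',
    [version] $Baseline = '5.1.3102.5581'
)

function Get-GdiPlusInventory {
    param([string] $Root, [version] $Baseline)

    # -Force includes hidden/system directories; unreadable ones are skipped.
    Get-ChildItem -Path $Root -Filter 'gdiplus.dll' -File -Recurse -Force `
                  -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Use the numeric fields of the version resource. The FileVersion
            # string may carry extra text, and string comparison misorders
            # versions. A file with no version resource reports 0.0.0.0.
            $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                  $vi.FileBuildPart, $vi.FilePrivatePart)
            [pscustomobject]@{
                Path       = $_.FullName
                Version    = $ver
                # Copies under WinSxS are side-by-side assemblies serviced by
                # Windows; the others are private copies shipped with programs.
                SideBySide = $_.FullName -like '*\WinSxS\*'
                Status     = if ($ver -lt $Baseline) { 'older than baseline' }
                             else { 'at or above baseline' }
            }
        }
}

Get-GdiPlusInventory -Root $Root -Baseline $Baseline |
    Sort-Object Version |
    Format-Table -AutoSize
```

Private copies flagged as older than the baseline are the ones to follow up with the program's vendor, since they are not updated by the Windows patch.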
  therube
join:2004-11-11 Randallstown, MD
| I was actually kidding about the DLL Hell part.
But thanks for the side-by-side information. Never knew that. It says gdiplus.dll is a s-b-s assembly. |
|