Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Bug Microsoft

GDI Vulnerabilities: An Open Letter to Microsoft 444

UnderAttack writes "Tom Liston, the guy that brought us the LaBrea Tarpit, wrote an open letter to Microsoft regarding the GDI JPEG vulnerability, and Microsoft's scanning tool for this vulnerability, which he calls 'worse then useless'. Tom, who wrote his own scanning tool, ends his letter with 'Please stop treating your customers like idiots and give us information; information that we can use.' Like Tom explains, the official Microsoft scanning tool misses a lot of vulnerable DLL's installed by third parties, and Microsoft fails to explain if these libraries are a problem or not."
This discussion has been archived. No new comments can be posted.

GDI Vulnerabilities: An Open Letter to Microsoft

Comments Filter:
  • by diginux ( 816293 ) on Monday September 27, 2004 @01:36PM (#10364901) Homepage
    which he calls 'worse then useless'
    So it gets worse, _then_ it is useless? :)
    • by BlueThunderArmy ( 751258 ) on Monday September 27, 2004 @01:41PM (#10364977) Homepage
      Still a step up from other MS products, which have to get *better* to become useless.
    • Kidding aside, the linked article spells 'than' correctly, so it's a misquote.
    • which he calls 'worse then useless'
      So it gets worse, _then_ it is useless? :)


      With 40+ subvariants of the patch, just saying "there's a vunerability on this here machine" without giving the source of the vunerability and the solution to patch said vunerability is dangerous, bordering on the criminally neglient concerning network security.
      • Comment removed (Score:5, Interesting)

        by account_deleted ( 4530225 ) on Monday September 27, 2004 @01:53PM (#10365118)
        Comment removed based on user account deletion
        • by LittleGuy ( 267282 ) * on Monday September 27, 2004 @02:30PM (#10365534)
          Please back up your assertion that this is "bordering" on criminally neglient.

          Analogy: there's a part of your car which could explode at anytime. It's been a long-standing part of your car. This part can manifest itself in different sections of the car or in different accesories added to your car. You which might be able to track down the part(s) if you are an adequate mechanic and you've kept track on where the parts have been put.

          You go back to the manufacturer who says, "Well, we can tell you if you have the part, but we're not sure where on the car, or how many different parts of the car, but you should really get the parts replaced or else the car will blow up".

          • by brianosaurus ( 48471 ) on Monday September 27, 2004 @03:30PM (#10366241) Homepage
            You're almost there, but...

            You take their word for it, put your car in the shop, then when you go pick it up, the mechanic tells you "OK. We did something, but we won't tell you what we did, and your car may still blow up."

            But that still doesn't answer the grandparent post's question of whether there is an actual law... Not that it matters, but its hard to take MS's focus on security seriously when their patching tools won't tell you whether or not you are vulnerable (just that you MAY be vulnerable). How is Microsoft's scanner any better than the code below? (and mine works cross-platform, too!)
            main() {
            printf("Scanning for vulnerabilites...\n");
            sleep(5);
            printf("Your computer may be vulnerable. Please update.\n");
            }
            • by DA-MAN ( 17442 ) on Monday September 27, 2004 @04:10PM (#10366594) Homepage
              How is Microsoft's scanner any better than the code below? (and mine works cross-platform, too!)
              main() {
              printf("Scanning for vulnerabilites...\n");
              sleep(5);
              printf("Your computer may be vulnerable. Please update.\n");
              }


              Your right, it is cross platform
              $ uname -a
              Linux totoro 2.4.21-20.ELsmp #1 SMP Thu Sep 2 17:07:30 PDT 2004 i686 i686 i386 GNU/Linux

              $ ./foo
              Scanning for vulnerabilites...
              Your computer may be vulnerable. Please update.

              Yikes, I'll be back, gotta update my system . . .
        • Please back up your assertion that this is "bordering" on criminally neglient.

          Yes, yes. We all know how apologists will assert to their death that there is no negligence or violation of expected product quality unless there's death and dismemberment.

          Microsoft has been charging money for a product which has demonstrated it's ability to be substandard for over a decade. Open source software, at the very worst, is on par AND it gives customers infinite flexibility.
    • No, if it gets better then it will be useless. The idea is that it's so harmful, it's worse than just not existing. You've probably worked with some poeple like that.

    • by pbranes ( 565105 ) on Monday September 27, 2004 @01:47PM (#10365061)
      I totally agree with the 'worse than useless' statement. In my office, I had to disable it on the corporate SUS server because all it did was pop up and worry users. It gives no meaningful information. It does not patch all the dll's that it may or may not find. It merely scares users into thinking they had a virus. This is the only thing in my SUS list that is not approved and it will stay that way forever as far as I am concerned.
    • by KilobyteKnight ( 91023 ) <bjm.midsouth@rr@com> on Monday September 27, 2004 @02:10PM (#10365302) Homepage

      which he calls 'worse then useless'

      So it gets worse, _then_ it is useless? :)


      So far, everyone else responding seemed to have missed your point. The article correctly uses "worse than usless". It is the submitter and/or our ever so thorough Slashdot editors to blame for the "worse then useless" grammar mistake.

      And for all of you that missed the grammar mistake and are debating the meaning of "worse than useless", yes, things can be worse than useless. Things can be harmful. They can cause additional harm or frustration, as opposed to a useless item which just does not do anything useful.
    • 'Then' and 'than' used to be the same word (admittedly with an a rather than an e). They were temporarily given a distinct life, but apparently speakers of the language don't think it's worth the effort to maintain a distinction. Fortunately, there's no Academie Anglais, so if you don't like it, keep them distinct in your own speech and writing.
  • er, (Score:3, Insightful)

    by LurkerXXX ( 667952 ) on Monday September 27, 2004 @01:36PM (#10364905)
    Sooooo, how exactly is MS responsible for all 3rd party DLLs?
    • Re:er, (Score:5, Informative)

      by chill ( 34294 ) on Monday September 27, 2004 @01:38PM (#10364932) Journal
      They are actually 3rd party products that distribute Microsoft DLLs as part of the runtime code. The argument is that these companies need permission from MS, who should then have a master list of who asked for permission and why.
      • by isn't my name ( 514234 ) <slash@@@threenorth...com> on Monday September 27, 2004 @01:44PM (#10365008)
        The argument is that these companies need permission from MS, who should then have a master list of who asked for permission and why.

        But, I'll bet that MS gives developers permission to distribute these with Visual Studio, which would mean there is no way that MS has a master list--moreover, much of the software may be for internal applications and the developer is long gone.

        So, any VB program that does image manipulation may be poetentially vulnerable.
        • by julesh ( 229690 ) on Monday September 27, 2004 @01:57PM (#10365166)
          But, I'll bet that MS gives developers permission to distribute these with Visual Studio,

          Its worse than that, the DLL in question is distributed (with permission to redistribute) in the free Platform SDK download.

          So, any VB program that does image manipulation may be poetentially vulnerable.

          I've used the DLL in question from C++ and Java/JNI programs before now. _Anything_ might be vulnerable. Check for "GDIPLUS.DLL" in your applications' install directories. Or use the tool linked from the article.
      • Re:er, (Score:3, Informative)

        by ClubStew ( 113954 )

        ...and do you do everything you're told? People are using unlicensed files all the time *cough* mp3s *cough*.

        Besides, 3rd party vendors are using a lot more than just gdiplus.dll. They may use mfcxx.dll, msvbvm60.dll (VB6 runtime), and a myriad of other modules. Few programs like cygwin don't touch modules installed by the OS.

        It's rediculous to think Microsoft is somehow responsible for every third-party application, whether it's using licensed components or not. But then again, the minions of /. are al

    • Re:er, (Score:2, Insightful)

      by diginux ( 816293 )
      They are responsible for informing you that 3rd party DLL's might infected, in my opinion.
      Also, if you write a program for searching out infected DLL's, why not do it for all libraries on the system?
      • Re:er, (Score:5, Insightful)

        by LurkerXXX ( 667952 ) on Monday September 27, 2004 @01:50PM (#10365088)
        So, is Linus going to put out an advisory that there may be some random explit in the Gimp that allows user level access to hackers? I know there must be some random buffer overflow in the Gimp somewhere. Linus should point this out according to your logic, shouldn't he?

        Kinda silly eh?

        Of course 3rd party apps might have exploits. It's up to those 3rd party vendors to supply patches. Even if the code is originally based on MS code, the 3rd party vendor may have modified it in any variety of ways and MS has no idea if those will be dangerous versions or not. MS has identified the bad code, the 3rd party vendors have been notified about it. It's up to them to tell you if their version is bad or not, and patch their software.

        • by JoeBar ( 546577 ) on Monday September 27, 2004 @01:58PM (#10365170)
          Rule #1 You do not talk bad about Linux Rule #2 You do not talk bad about Linux
        • Re:er, (Score:5, Insightful)

          by julesh ( 229690 ) on Monday September 27, 2004 @02:11PM (#10365313)
          So, is Linus going to put out an advisory that there may be some random explit in the Gimp that allows user level access to hackers? I know there must be some random buffer overflow in the Gimp somewhere. Linus should point this out according to your logic, shouldn't he?

          If Linus wrote the code, and told the application authors that they were only allowed to use it by accessing a .so file (installed into a special directory for each application that uses it, for no good reason that anyone could gather, and Linus insists that they aren't allowed to modify it in any way), and there was then an update to that .so file, I would expect the update that Linus issued to fix all copies of it, yes.

          Of course, nobody behaves like this in the Linux world. Shared libraries are installed to /lib or /usr/lib and you only have one copy of each of them. An update would ensure that the single copy you depended on had the vulnerability eliminated.
          • Re:er, (Score:4, Insightful)

            by pjrc ( 134994 ) <paul@pjrc.com> on Monday September 27, 2004 @03:18PM (#10366114) Homepage Journal
            Of course, nobody behaves like this in the Linux world.

            I believe you missed the zlib buffer overflow, which turned out to be staticly linked into many applications, as well as in the shared library.

            Yeah, not quite the same, since static linking is different (perhaps worse) than having lots of copies of the DLL in different directories, as far as updating is concerned. Also, a different situation because developers had the option to link the way they wanted.

            But to say this sort of thing never happens in the "linux world" and that all library security bugs are easily cured for all apps by updating the shared libs neglects some really unfortunate occurances like the zlib buffer overflow.

    • Re:er, (Score:2, Funny)

      by Anonymous Coward
      Sooooo, how exactly is MS responsible for all 3rd party DLLs?

      They just are, okay. Now quit asking questions or you'll be forced to hand in your /. UID...
    • Re:er, (Score:4, Insightful)

      by White Roses ( 211207 ) on Monday September 27, 2004 @01:41PM (#10364968)
      Because it's not a 3rd party DLL? Because it's a MS DLL distributed by a 3rd party? It's still MS's code. RTFA.
      • so does it follow that if it were an open source DLL and the 3rd party could alter it, then it wouldn't be MS' problem and security would therefore suffer?

        Interesting logical trap there...
    • Re:er, (Score:2, Funny)

      by zygote ( 134175 )
      Responsible? Microsoft? "er," is right.
      Can't MS establish and enforce guidelines for third-party libraries so that they don't essentially break the OS (or parts thereof)? If one doesn't conform, the scanning tool from MS should warn the user: "Hey, we don't like this file because [insert reason.]
      The downside for Redmond would be this tool barfing on their own code.
    • Re:er, (Score:5, Informative)

      by Spoing ( 152917 ) on Monday September 27, 2004 @01:57PM (#10365155) Homepage
      1. Sooooo, how exactly is MS responsible for all 3rd party DLLs?

      While Microsoft isn't responsible for 3rd party DLLs, this is a different situation. They are partially responsible, and if they were interested in making the client systems secure they would handle things differently for what is really a simple file update.

      Reasons: They designed a system that requires 3rd parties to distribute DLLs that Microsoft created. If the DLLs were set in a well organized location, the updates of the system DLLs would automatically 'fix' the other programs. Versioning -- something that Windows DLLs support and programs can take advantage of -- would handle compatability issues that are not directly incompatable with this fix.

      • Re:er, (Score:3, Informative)

        "They designed a system that requires 3rd parties to distribute DLLs that Microsoft created."

        I've created many Windows applications and I've never distributed any MS DLLs.
  • by Anonymous Coward on Monday September 27, 2004 @01:37PM (#10364920)
    http://isc.sans.org//diary.php?date=2004-09-26

    Handlers Diary September 26th 2004
    Updated September 27th 2004 13:11 UTC (Handler: Tom Liston)
    GDI Vulnerabilities : An open letter to Microsoft

    GDI Vulnerabilities: An open letter to Microsoft

    Dear Redmond Folks:

    When I was but a wee lad, we lived in a rather large, old house that had, among other charming qualities, a basement that would make even the bravest soul think twice before venturing downstairs. It was cavernous, ill lit, and, quite frankly, always smelled a little funny. My older brother, as older brothers are wont to do, would tell me fantastic stories about why the basement had that odor; generally centering on some unfortunate past resident's demise. I hated that basement.

    My parents, in a vain attempt to rid the basement of its malodorous "twang" purchased a dehumidifier which, because there was no electrical outlet anywhere near the floor drain, required emptying on a daily basis.

    And, no matter how many times I begged, bribed and pleaded with my older brother, he would somehow know when I was making my daily trek to the basement and, as I was down there trying to pull the heavy bucket out of the dehumidifier, the lights would suddenly snap off, the basement door would slam shut, and I would hear my older brother's voice wafting down from above: "It's cooooooooming..... It's cooooooooming to get you......."

    And there I stood: alone in the dark, unknown terrors approaching, armed only with a bucket of water.

    Which is, curiously enough, almost exactly the position that Windows users find themselves in today: alone in the dark, unknown terrors approaching, but in their case, having a bucket of water would be an improvement.

    MS04-028 is, perhaps, the epitome of bad technical writing -- the literary equivalent of spaghetti code. I've read through it far too many times, and I still understand far too little.

    Your "GDI Scanning Tool" is worse than useless. Run it, and it tells you that you "may be vulnerable", and directs you to Windows Update and Office Update. Go to Windows Update and update everything you can find. Go to Office Update and do the same. Run the scanner again, and it tells you that you "may be vulnerable", and directs you to Windows Update and Office Update. Lather, rinse, repeat.

    [Which is why the ISC has made GDIScan.exe and GDICLScan.exe available. See http://isc.sans.org/gdiscan.php for details.]

    What about those old gdiplus.dll files that we're all finding in our Side-By-Side DLL directories? Are they a problem? Why are you updating sxs.dll? Is there vulnerable code in there, or did you just rig it to avoid using the bad code in older versions of gdiplus.dll? (Hey, if you had asked me years ago, I would have told you that this was a serious problem with your Side-By-Side implementation.)

    When a third party vendor wants to distribute a Microsoft DLL with their product, don't they have to get permission from you? Wouldn't there be a list somewhere in Redmond of the third party applications that have distributed vulnerable copies of gdiplus.dll? Can you tell us what they are?

    Please stop treating your customers like idiots and give us information; information that we can use.

    In other words: Turn on the lights and open the door. We're ready to come back upstairs now.

    -TL

    Handler on Duty : Tom Liston ( http://www.labreatechnologies.com )
    • Hrm... the Internet Storm Center... slashdotted... that'd be interesting. Somewhat poetic. But doubtful.
    • This seems to be a trend for the "trustworthy computing initiative". I noticed that the much-hyped security features of XP SP2 consist mostly of the new firewall and popup blocker (which many people already had), along with more visible security reminders like that stupid shield that pops up when you download a file, visit an activeX using website, etc. It seems like they are trying to make the focus on security as visible as possible, without providing any real, useful details. I get the idea that it's mor
    • Look.. I'm all for this "copy all the text and save everyone the hassle of waiting on a /.ed server" bit, but I'm getting freakin' tired of seeing these posts. If the idea was to put everything here at Slashdot, the editors would do so right at the outset. Stop doing this pre-emptive crap.. especially with a page hosted by the ISC!
  • Dear Tom (Score:5, Funny)

    by Anonymous Coward on Monday September 27, 2004 @01:38PM (#10364928)
    When you need this tool, we will tell you and provide it for you. Until then, please continue buying our other tools.

    Bill
  • by pbranes ( 565105 ) on Monday September 27, 2004 @01:38PM (#10364931)
    In my SUS server at my corporation, I disabled this stupid tool because all it does it pop up with some confusing error message that the end user does not understand. Then they would all just call me asking about a weird popup they got on their screen. I am deploying the windows patch via SUS and the office pack via scripts, so there is nothing for the end user to do anyways.
  • 'Please stop treating your customers like idiots and give us information'


    I'm afraid that Microsoft dosn't know any better, they can't give you what they don't have.
  • by shoppa ( 464619 ) on Monday September 27, 2004 @01:42PM (#10364984)
    Scanning your own systems for vulnerabilities, especially when you have third-party stuff on it, is a tough job.

    You don't even need third-party stuff or an application to make it hard under Linux. Typical cycle is: kernel version x comes out in March. It's in a Red Hat release in July. Vulnerability found in September, with an immediate release of version x+1 on kernel.org (which also has a lot of changed/evolved drivers etc.) Red Hat back-patches the fix to version x and makes a new funny version number to signify this. They might include a couple other things from x+1 in the back-patch to version x. Except that the funny redhat version number doesn't signify much to anyone on the surface.

    Similar things happen for Red Hat (and other branded linux binary distributions) of Apache, SSL, etc., things that are all quite critical and you'd hope would be crystal-clear as to which patches your version has or doesn't have.

    Now finding whether version X of a library or application has a vulnerability patched usually isn't too hard. And Red Hat does a pretty good job of keeping on top, way better than say Microsoft.

    Disclaimer: I'm no fan of Microsoft, but I'm not a big fan of Red Hat (or, as I prefer, Head Rat) either (or any binary linux/gnu toolchain/popular application distro for that matter).

    • ...but I'm not a big fan of Red Hat (or, as I prefer, Head Rat) either (or any binary linux/gnu toolchain/popular application distro for that matter).

      Well, say that it's hard on one of those commercial distros then. For MY choses Linux setup, it's generally condensed down to:
      $ apt-get update
      $ apt-get upgrade
    • Nero? (Score:4, Informative)

      by gad_zuki! ( 70830 ) on Monday September 27, 2004 @02:00PM (#10365211)
      Anyone else getting this from the current version of Nero:

      C:\Program Files\Ahead\Nero Toolkit\gdiplus.dll
      Version: 5.1.3097.0 -- Vulnerable version

    • I don't think so!

      It's a complete different world...

      Normally you can see on security lists like bugtraq what kind of vulnerabilities are discovered, or patches which are available.

      Now you have different options.
      1. fix it yourself (you have the source)
      2. wait for maintainer of the program or library to release a patched version
      3. wait for your linux distro to release a patched version

      What I mean to say is, in Linux or other Open Source projects, it's pretty obvious what to fix or where the problem itself
    • I don't use Windows, so I haven't been able to experience this firsthand, but I don't think the point of the article was that scanning was easy. It isn't. That's why Red Hat's system is a pain in the ass. However if you follow their procedure, you can (eventually) get to a point where you are confident that you have eliminated the vulnerability.

      The problem with Microsoft's system is that even after you follow their patching procedure, you still don't know if the problem is fixed, and they give you no way
  • by MankyD ( 567984 ) on Monday September 27, 2004 @01:44PM (#10365016) Homepage
    Most users ARE idiots. It seems completely appropriate that they should be treated this way. I very much mean this.

    Yes, the slashdot crowd and others might do well to receive more information regarding vulnerabilities and fixes for them, but the average user would be overwhelmed.

    I once mentioned to a gentleman that the standard encryption on an 802.11b WAP wasn't entirely secure and he panicked. He asked if hackers would steal his credit card and social security numbers. I asked if he ever shopped online or transmitted those numbers across the internet to which he replied emphatically no (he didn't even store them on his computer for that matter). He still did not understand that a "hacker" can not steal his information from a WAP if it was never there in the first place. He promptly switched to using a ethernet based network.

    Most people are too stupid to be told even the fisrt thing about security. Better a patch is provided that works and they use it. Seeing as how the patch was not complete in this case, that'd differenty, yet the users should still be treated like morons.
    • still did not understand that a "hacker" can not steal his information from a WAP if it was never there in the first place.

      That's probably because WAP is a way of using web pages on cell phones. Perhaps you meant AP? Don't be so fast to call people idiots . . .
    • by ConceptJunkie ( 24823 ) on Monday September 27, 2004 @01:54PM (#10365121) Homepage Journal
      And all this approach does is scare the idiot users, because the typical computer-phobe will assume his machine's been infected with a virus.

      So really, the tool doesn't serve anyone well.

    • "Most users ARE idiots. It seems completely appropriate that they should be treated this way. I very much mean this."

      So ...

      Windows is made for idiots?
    • by Anonymous Coward on Monday September 27, 2004 @01:58PM (#10365177)
      "...Most users ARE idiots. It seems completely appropriate that they should be treated this way...."

      That's a little harsh especially considering your example. You can, of course, be a very smart person and not know much about wireless networking. That "gentleman" could be, for example, the lead scientist in a bio research project and if he asked you a question about something he had detailed knowledge of and you didn't know the answer he, too, could conclude most people are idiots.

      The world is full of technology that no one person can, or has the time, to absorb it all.
    • by maxpublic ( 450413 ) on Monday September 27, 2004 @02:19PM (#10365412) Homepage
      Most users ARE idiots.

      Everyone's an idiot in a field they know little or nothing about. Computer users want their machines to work; they don't want to know how they work, and why should they? You regularly use devices, or the products of devices, that you can't even begin to describe the manner in which they function, yet I don't see engineers or factory workers or mechanics standing up and calling you an idiot for not knowing how these things work, or for not wanting to learn how these things work.

      Computers don't get a special exemption to this rule. They're just tools like any other tool, nothing more.

      Max
      • Difference: I don't have to make sure software patches in my car work for my airbag to deploy. And when it doesn't deploy I or my beneficiaries can sue the hell out of the car company.

        I'm not saying you're wrong, but computers are totally different from factory machines or cars.

        But, really, you're arguing semantics. Idiots isn't the best word to use to describe users. Unknowledgable is better. They don't know about the system they're using, and they shouldn't have to. We trust car designers and vacuum cle

  • Other ways (Score:5, Insightful)

    by globring ( 192519 ) on Monday September 27, 2004 @01:45PM (#10365021)
    Any valid points the author has about the uselessness of the tool, or the general state of affairs with security at Microsoft, are dimished by his pompous attitude and snide remarks.

    Why not write a technically detailed letter about the code you find (since he read it so many times) and perhaps offer some constructive alternatives to improve it?

    Not only would it be more interesting to read, but they might actually be more willing to consider it.
  • I thought the LaBrea Tarpit had been around for millions of years....

  • I spent about 45 minutes reading docs at MSDN/MSKB trying to find an explicit statement that IE6SP1 on Win98 is vulnerable, and I swear that they don't actually state that fact (explicitly) anywhere! I eventually was able to read between the lines and conclude that Win98 isn't vulnerable, but Win98 + IE6 is, so you should run Windows Update to DL the patch.

    Am I certain? No. Like I said, it's very difficult to find answers to very simple questions in their docs sometimes. I especially hate reading their security bulletins because it's like they were written by very technical lawyers who are trying to maintain the illusion of releasing information without actually doing so. As often as is possible, I try wait a day or two for the DHS CERT [us-cert.gov] to issue their bulletins because they do a slightly better job of relaying useful information.
    • Yup. Lousy job of this whole thing. They show a patch available for Win2K with IE6 SP1, yet scanning said system with their tool says there is no vulnerability. Or did the fix magically get added into a different update that was already run?

      Another system claims that there 'may' be vulnerabilities. Installed all the patches that would apply. The tool still says the same thing.

      Another pretty stupid thing is that they have this run as part of Windows Update, but they really need to be able to have a wa
  • by Sneeper ( 182316 ) on Monday September 27, 2004 @01:47PM (#10365058)
    I like how the sans.org GDIscan (http://isc.sans.org/gdiscan.php) has the following warranty in all caps:

    HIS APPLICATION IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, ....

    His letter might as well read:
    Dear Microsoft,
    How dare you take no responsibility for the code you write? I am handing out a much better version.
    P.S. I take no responsibility for the code I write.
  • by Vexler ( 127353 ) on Monday September 27, 2004 @01:49PM (#10365077) Journal
    It seems that Microsoft, for all its blustery and arrogant, dismissive attitudes toward end users, manages to find itself in a quandary. If it releases too much vulnerability information, it could very well help exploits be written at a faster clip; if too little, then it risks being irrelevant. The timing is tricky too in this case.

    Another problem, though, may have something to do with the audience. Trying to be "all things to all people" (including less-than-clueful admins), it is likely that they decided to "dumb down" the announcement, in short proclaiming that your computer "may be vulnerable". Some could argue that it is language of FUD, but I would say that they are trying to impress on as many people as possible that this is not just another "critical" update. This one is really, really critical.
  • by garcia ( 6573 ) * on Monday September 27, 2004 @01:49PM (#10365083)
    I guess I am too smart for my own good... It told me to only check Office update as it seemed to know that I was already up-to-date on the OS side.

    So I go over there and download/install the updates. The only problem I saw with it was that I had to supply my Office CDs during the install (and it warned that might include a key -- luckily I had both in close proximity). If MSFT fucks up I shouldn't be the one that has to produce the CDs/Key to fix it. MSFT should happily go about the update without needing either of those two things. They shouldn't be allowed to check for piracy during a security fix.

    That's at least how I saw it.

    So I was all patched up according to the Windows Update and the Office Update sites and I figured I was done. Maybe I was too smart for my own good?
  • by Anonymous Coward on Monday September 27, 2004 @01:52PM (#10365101)
    Has anyone ever sent a closed letter?
  • by Anonymous Coward on Monday September 27, 2004 @01:53PM (#10365110)
    The Microsoft tool also misses several of Microsoft's own products, including the Office Viewers like Word viewer, Excel, Powerpoint, and Visio, all of which are vulnerable to the jpeg vulneraility.
  • humidifier (Score:5, Funny)

    by trailerparkcassanova ( 469342 ) on Monday September 27, 2004 @01:53PM (#10365115)
    My parents, in a vain attempt to rid the basement of its malodorous "twang" purchased a dehumidifier which, because there was no electrical outlet anywhere near the floor drain, required emptying on a daily basis.

    Uh, an extension cord perhaps?

  • by strAtEdgE ( 151030 ) on Monday September 27, 2004 @01:58PM (#10365175)
    ... first class on day one, they would cover off not including some pointless story about your childhood home which comprises half of the letter and has absolutely no relivence to the point of the letter, other than to say that windows users are "in the dark".

    Don't get me wrong, the letter itself was justified, and the author is right about the tool by microsoft I'm sure. But why is that story in there, to make sure that someone at Microsoft doesn't actually read it?
  • by vrt3 ( 62368 ) on Monday September 27, 2004 @02:00PM (#10365203) Homepage
    MS has written lots and lots of proza about this vulnerability, but I still don't know how to download the new updated gidplus.dll to redistribute. I've applied the update from windowsupdate.com to my computer, but I guess it would be a good idea to distribute an updated version to our customers. I just can't seem to find it anywhere.
  • by Ryu2 ( 89645 ) * on Monday September 27, 2004 @02:05PM (#10365254) Homepage Journal
    Microsoft did not write their own JPEG code; rather they used the freely available implementation from the Independent JPEG group. The flaw is actually in the IJG code, not any Microsoft code.

    Indeed, Netscape, which also uses that code for its JPEG decoding had that flaw (but it was fixed earlier, and of course, it did not make the news nearly as much as this Microsoft issue, owing to its much smaller market share.)

    http://www.openwall.com/advisories/OW-002-netscape -jpeg/ [openwall.com]

    • "Microsoft did not write their own JPEG code"

      And they obviously never looked at it either, right?

      Not during their last "security initiative" and not during their PREVIOUS "security initiative" either.

      Anybody remember the "code freeze to tighten up security" several years back?

  • by corporatemutantninja ( 533295 ) on Monday September 27, 2004 @02:24PM (#10365472)
    Intentionally spreading FUD about their _own_ products?
  • Dumb Question (Score:5, Interesting)

    by ewhac ( 5844 ) on Monday September 27, 2004 @02:31PM (#10365551) Homepage Journal

    I have a dumb question. I admit it's a dumb question, because I've spent the last twenty years of my career working with non-Microsoft operating systems and products. The answer may be obvious to someone with that kind of experience, but not to me. So here goes:

    Why the hell are there multiple copies of the same, critical, shared system library floating around on the machine?

    See, where I come from, you have one copy of shared system libraries -- the latest one, with all the latest patches. This library is fully backward-compatible with all its predecessors. Further, the shared system libraries are all in the same place, so you know where to go looking to drop in updates or, if needs be, regressions. (On very, very rare occasions, there'll be a copy of a specific version living alongside the (by definition, broken) application that needs it.) This approach leads to clean system maintenance and ensures that all applications are using the same, up-to-date, best performance, most secure version of the system libraries.

    So why is Windows different? Why are there a zillion copies of GDI+ laying around? And why would you want it that way?

    Schwab

    • Re:Dumb Question (Score:5, Informative)

      by greendot ( 104457 ) on Monday September 27, 2004 @03:10PM (#10366022)
      Back in the day, it was recommended to put all system DLLs into the main system folder and all your custom DLLs into the app folder. But, Windows' awkward design and poor installation utilities led to many system DLLs being overwritten with old or broken versions. You would find yourself with a broken app and really no way to tell what caused it.

      So, to stop the headache, we started putting system DLLs locally, thanks to the path priority built into Windows - it always checks local folders first. And it worked, most of the time. If you asked for a DLL by name and another app was using an incompatible version, you would get still the stinky one. But, if you were first to the call then you knew you would get yours.

      But, the trend had taken root and like any good weed it is hard to get rid of.

      I don't even think this tool is checking for the other sneaky developer trick of renaming the DLLs, either to hide the fact that it's not licensed or other legal yet obscure reasons.
    • Re:Dumb Question (Score:3, Insightful)

      by Nevo ( 690791 )
      Actually, that's an excellent question. And believe it or not, the answer actually kinda makes sense.

      The file in question is gdiplus.dll. This file was included in Windows XP and Windows Server 2003, but was not part of previous operating systems.

      Therefore, apps that used this .dll (like Internet Explorer) when installed on previous operating systems (like Windows 2000) had to ship their own copy of the .dll.

      So some apps ship with their own copy, then along comes WinXP/2K3, and they add a second, syste
  • by AaronW ( 33736 ) on Monday September 27, 2004 @02:33PM (#10365575) Homepage
    I am surprised that Microsoft does not do what Linux does and have a common DLL provide all the JPEG functionality. At least in Linux, most, if not all apps, use libjpeg.so.

    Fixing a problem like this in Linux is trivial. Only libjpeg needs to be patched, and automagically, all apps that depend on that library are also rendered invulnerable.

    We saw this with png and other shared libraries. Also, offering many of these common libraries as DLLs helps reduce code bloat since every app no longer needs to reinvent the wheel.
    • Fixing a problem like this in Linux is trivial. Only libjpeg needs to be patched, and automagically, all apps that depend on that library are also rendered invulnerable.

      What about programs that have been compiled statically? It wouldn't be a good thing to patch the library and then assume all of your apps are fixed. I realize that not many people do static compilations when they can avoid it, but it does happen in the name of portability, or maybe in the odd binary package where the packager didn't feel
  • by antdude ( 79039 ) on Monday September 27, 2004 @03:37PM (#10366305) Homepage Journal
    According to NTBugtraq's article [ntbugtraq.com], TiVo [tivo.com] has software package that allows a user to setup an Image and Audio server on their PC. When connected to the same LAN as the TiVo it allows the image and audio files to be viewed on a TV via the TiVo DVR. The software uses gdiplus.dll file that has a JPEG parsing engine.
  • by 4of12 ( 97621 ) on Monday September 27, 2004 @04:10PM (#10366600) Homepage Journal

    and just buy your standard Windows GDI implementation from a different vendor that is more responsive to your needs and more willing to negotiate and work with you on cost discounts for flaws in their product.

    I mean, isn't that what you're supposed to do when a supplier feeds you something substandard?

To be awake is to be alive. -- Henry David Thoreau, in "Walden"

Working...