Action for Devs around MS04-028


Today we released two new security bulletins. MS04-028 is marked critical, and there is specific action that Visual Studio users need to take with regard to this bulletin. Developers should read the bulletin carefully and download and install the patches specific to Visual Studio .NET and the .NET Framework.

Microsoft Security Bulletin Summary for September, 2004

Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)

A remote code execution vulnerability exists in the processing of JPEG image formats that could allow remote code execution on an affected system.

Note This vulnerability might require the installation of several security updates. Review the entire column in the Affected Software and Download Locations summary table for the MS04-028 bulletin identifier to verify the updates that you have to install, based on the programs or components that you have installed on your system.

Comments (6)

  1. We really need some better way to update stuff for security reasons. It's almost certain that one program is not updated as it should be when one is forced to follow this table... it really needs a more complete 'Windows Update' that takes care of that.

    just my 2 cents…

  2. I second that, and add: we even need one way to update stuff, because the security bulletin points to non-existent supposed downloads.

  3. I second it again, with the further addition: even when broken links get fixed so they now point to actual downloads, it’s still pretty confusing to figure out which downloads are actually needed.

  4. I ran all the patches that referred to products I knew were installed on my home machine. After that I searched all the hard disks for files called gdiplus.dll. There were half a dozen of them (surprisingly, one of them was in a folder called "ink" under a branch of C:\Program Files\Common Files\Microsoft; I would have thought that the current patches would have found that one). Now, what should I do? Wait until each vendor releases patches that include the updated gdiplus?

    Would it be possible to have a "blacklist" of insecure dll’s and let the .NET runtime warn when opening them? Something like:

    This application is trying to run an insecure version of {0}, would you like to:

    ( ) run it anyway

    ( ) run a secure version instead

    ( ) create a policy to always run the updated version that doesn't have this security problem

    ( ) always run the existing version and do not ask again
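    The disk search described in the comment above is the practical way to find copies of gdiplus.dll that a product-specific update did not touch. The following script is an added example, not part of the original post and not Microsoft's code: it inventories every gdiplus.dll on local fixed drives, reads the numeric file version from the PE version resource, and flags copies older than a threshold. The threshold `$FixedVersion` is a placeholder; take the patched file version for the relevant product from the MS04-028 bulletin. It uses modern PowerShell cmdlets (`Get-CimInstance`, `Get-FileHash`), so it assumes PowerShell 4 or later.

```powershell
# Added example (not from the original post or from Microsoft): inventory every
# gdiplus.dll on local fixed drives and flag copies older than the patched version.
# $FixedVersion is a PLACEHOLDER; fill it in from the MS04-028 bulletin.
param(
    [version]$FixedVersion = '0.0.0.0',                       # PLACEHOLDER: patched gdiplus.dll version from the bulletin
    [string]$ReportPath    = "$env:TEMP\gdiplus-inventory.csv"
)

# Local fixed drives only (DriveType 3); network shares belong to another inventory.
$roots = Get-CimInstance Win32_LogicalDisk -Filter "DriveType = 3" |
    ForEach-Object { $_.DeviceID + '\' }

$inventory = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter gdiplus.dll -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Build a comparable [version] from the numeric parts. The FileVersion
            # string often carries a build tag in parentheses, which would break a
            # plain string comparison.
            $fileVersion = [version]"$($vi.FileMajorPart).$($vi.FileMinorPart).$($vi.FileBuildPart).$($vi.FilePrivatePart)"
            [pscustomobject]@{
                Path        = $_.FullName
                Version     = $fileVersion
                SHA256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Outdated    = ($fileVersion -lt $FixedVersion)
                LastWritten = $_.LastWriteTimeUtc
            }
        }
}

# How many distinct builds are installed, and how many copies of each.
$inventory | Group-Object Version | Sort-Object Name |
    Select-Object @{n = 'Version'; e = { $_.Name }}, Count | Format-Table -AutoSize

# Full list with outdated copies first; the CSV is for tracking which vendor
# update is still owed for each path.
$inventory | Sort-Object Outdated -Descending, Path | Format-Table Path, Version, Outdated -AutoSize
$inventory | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Report written to $ReportPath"
```

    The path of each outdated copy tells you which product directory owns it, which is the information needed to match it to the right entry in the bulletin's affected-software table or to the vendor whose update is still missing. The SHA256 column lets copies be compared against the file shipped in a vendor's update package without relying on the version string alone.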

  5. Levi Stevens says:

    They provided a package that contained the updated GDIPLUS.DLL for the SDK. Are there issues with just a brute force replacement of any DLL that is found?

  6. Arne Thon says:

    The patch for IE 6.0 makes the proxy auto configuration script I’m using stop working!
