
SANS ISC InfoSec Handlers Diary Blog



GDI Vulnerabilities: An open letter to Microsoft

Published: 2004-09-26
Last Updated: 2004-09-27 13:11:50 UTC
by Tom Liston (Version: 1)

Dear Redmond Folks:

When I was but a wee lad, we lived in a rather large, old house that had, among other charming qualities, a basement that would make even the bravest soul think twice before venturing downstairs. It was cavernous, ill lit, and, quite frankly, always smelled a little funny. My older brother, as older brothers are wont to do, would tell me fantastic stories about why the basement had that odor; generally centering on some unfortunate past resident’s demise. I hated that basement.

My parents, in a vain attempt to rid the basement of its malodorous “twang”, purchased a dehumidifier which, because there was no electrical outlet anywhere near the floor drain, required emptying on a daily basis.

And, no matter how many times I begged, bribed and pleaded with my older brother, he would somehow know when I was making my daily trek to the basement and, as I was down there trying to pull the heavy bucket out of the dehumidifier, the lights would suddenly snap off, the basement door would slam shut, and I would hear my older brother’s voice wafting down from above: “It’s cooooooooming..... It’s cooooooooming to get you.......”

And there I stood: alone in the dark, unknown terrors approaching, armed only with a bucket of water.

Which is, curiously enough, almost exactly the position that Windows users find themselves in today: alone in the dark, unknown terrors approaching, but in their case, having a bucket of water would be an improvement.

MS04-028 is, perhaps, the epitome of bad technical writing -- the literary equivalent of spaghetti code. I’ve read through it far too many times, and I still understand far too little.

Your “GDI Scanning Tool” is worse than useless. Run it, and it tells you that you "may be vulnerable", and directs you to Windows Update and Office Update. Go to Windows Update and update everything you can find. Go to Office Update and do the same. Run the scanner again, and it tells you that you "may be vulnerable", and directs you to Windows Update and Office Update. Lather, rinse, repeat.

[Which is why the ISC has made GDIScan.exe and GDICLScan.exe available. See http://isc.sans.org/gdiscan.php for details.]

What about those old gdiplus.dll files that we’re all finding in our Side-By-Side DLL directories? Are they a problem? Why are you updating sxs.dll? Is there vulnerable code in there, or did you just rig it to avoid using the bad code in older versions of gdiplus.dll? (Hey, if you had asked me years ago, I would have told you that this was a serious problem with your Side-By-Side implementation.)

When a third-party vendor wants to distribute a Microsoft DLL with their product, don’t they have to get permission from you? Wouldn’t there be a list somewhere in Redmond of the third-party applications that have distributed vulnerable copies of gdiplus.dll? Can you tell us what they are?

Please stop treating your customers like idiots and give us information; information that we can use.

In other words: Turn on the lights and open the door. We’re ready to come back upstairs now.

-TL




------------------------------------------------------------------------

Handler on Duty : Tom Liston ( http://www.labreatechnologies.com )