Message-ID: <414981E8.9070806@askgar.com>
Date: Thu, 16 Sep 2004 07:07:04 -0500
From: Gary Warner <gar@...gar.com>
To: Polazzo Justin <Justin.Polazzo@...ilities.gatech.edu>,
	bugtraq@...urityfocus.com,
	birmingham-infragard@...mingham-infragard.org
Subject: Re: Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow


On the Microsoft security briefing webcast yesterday they said that 
GDIPLUS.DLL is distributed with many applications.  Depending on how 
those applications were built, simply replacing the DLL may break the 
app.  They recommend applying Microsoft patches, and contacting the 
vendors of any apps associated with GDIPLUS. 

The GDI+ detection tool ONLY DETECTS CURRENTLY SUPPORTED MICROSOFT PRODUCTS.

They confirmed on the call that older versions ARE VULNERABLE but that 
only CURRENT versions will be patched.  Recommendation, of course, 
update to current on every version.

There was special guidance for application developers dealing with 
whether the app was built in Visual Studio as a "Managed Application" or 
not.  Rather than guess about that, I strongly recommend replaying the 
webcast.  There's a PDF of the slides available, and the Q&A had many 
revealing details.

From www.microsoft.com/technet/security/
go to the Register for September Webcast link
even though the meeting is over, Register
it will take you to a "View Recording" page which will let you stream 
the Live Meeting Replay in Windows Media Format.
_-_
gar


