Monday 27 September 2004

GDI Vulnerabilities: An open letter to Microsoft

If you have read Microsoft's MS04-028 bulletin and you are still confused as to whether this bulletin applies to you or not, or you simply could not understand the contents of the bulletin, you are not alone.

The SANS Internet Storm Center has an open letter to Microsoft on the convoluted contents of the MS04-028 Bulletin:

[...]

MS04-028 is, perhaps, the epitome of bad technical writing - the literary equivalent of spaghetti code. I've read through it far too many times, and I still understand far too little.

Your "GDI Scanning Tool" is worse than useless. Run it, and it tells you that you "may be vulnerable", and directs you to Windows Update and Office Update. Go to Windows Update and update everything you can find. Go to Office Update and do the same. Run the scanner again, and it tells you that you "may be vulnerable", and directs you to Windows Update and Office Update. Lather, rinse, repeat.

[Which is why the ISC has made GDIScan.exe and GDICLScan.exe available. See http://isc.sans.org/gdiscan.php for details.]

What about those old gdiplus.dll files that we're all finding in our Side-By-Side DLL directories? Are they a problem? Why are you updating sxs.dll? Is there vulnerable code in there, or did you just rig it to avoid using the bad code in older versions of gdiplus.dll? (Hey, if you had asked me years ago, I would have told you that this was a serious problem with your Side-By-Side implementation.)

When a third party vendor wants to distribute a Microsoft DLL with their product, don't they have to get permission from you? Wouldn't there be a list somewhere in Redmond of the third party applications that have distributed vulnerable copies of gdiplus.dll? Can you tell us what they are?

Please stop treating your customers like idiots and give us information; information that we can use.
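To turn the Side-By-Side question above into something an administrator can actually check, here is an added inventory script (not from the ISC letter, the post, or the GDIScan tool): it lists every gdiplus.dll on the system with its version and hash, so copies tucked into WinSxS and third-party application folders show up alongside the one Windows Update touched. It assumes PowerShell 4 or later, and the $MinimumFixedVersion parameter is a value the administrator must take from the bulletin; the script does not know it.

```powershell
# Added example: inventory every gdiplus.dll on the machine, including WinSxS and
# third-party application directories. $MinimumFixedVersion is an assumption that the
# administrator fills in from the bulletin; left empty, the script only inventories.
param(
    [string[]]$Roots = @("$env:SystemDrive\"),
    [version]$MinimumFixedVersion = $null
)

$copies = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Filter 'gdiplus.dll' -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # FileVersionRaw is parsed into a [version], so it compares numerically
            # rather than as a string like "5.1.3102.1360".
            $ver = $_.VersionInfo.FileVersionRaw

            if (-not $MinimumFixedVersion)   { $status = 'inventory-only' }
            elseif (-not $ver)               { $status = 'no-version-info' }
            elseif ($ver -lt $MinimumFixedVersion) { $status = 'OLDER-THAN-FIX' }
            else                             { $status = 'at-or-above-fix' }

            [pscustomobject]@{
                Status      = $status
                FileVersion = $ver
                InWinSxS    = $_.FullName -like '*\WinSxS\*'
                Size        = $_.Length
                Sha256      = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Path        = $_.FullName
            }
        }
}

# One line per copy, oldest version first, so stale Side-By-Side copies float to the top.
$copies | Sort-Object FileVersion | Format-Table -AutoSize Status, FileVersion, InWinSxS, Path

# Byte-identical files under different paths are the same redistributed binary; a vendor
# that shipped one old copy usually shipped it into several product directories.
$copies | Group-Object Sha256 | Where-Object Count -gt 1 | ForEach-Object {
    "Same binary at $($_.Count) locations: " + ($_.Group.Path -join '; ')
}
```

Run it once before and once after patching: a copy whose version and hash do not change across the two runs is one that Windows Update and Office Update never reached.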
