Re: Microsoft's GDI Detetection Tool faults

[John Bissell <monkey321_1 () hotmail com>]

In-Reply-To: <20040924141725.13699.qmail () www securityfocus com>

> Received: (qmail 18580 invoked from network); 25 Sep 2004 02:57:58 -0000
> Received: from outgoing.securityfocus.com (HELO outgoing2.securityfocus.com) (205.206.231.26)
>  by mail.securityfocus.com with SMTP; 25 Sep 2004 02:57:58 -0000
> Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
>       by outgoing2.securityfocus.com (Postfix) with QMQP
>       id 43EBF1464F4; Fri, 24 Sep 2004 10:24:36 -0600 (MDT)
> Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm
> Precedence: bulk
> List-Id: <bugtraq.list-id.securityfocus.com>
> List-Post: <mailto:bugtraq () securityfocus com>
> List-Help: <mailto:bugtraq-help () securityfocus com>
> List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com>
> List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com>
> Delivered-To: mailing list bugtraq () securityfocus com
> Delivered-To: moderator for bugtraq () securityfocus com
> Received: (qmail 13030 invoked from network); 24 Sep 2004 08:08:27 -0000
> Date: 24 Sep 2004 14:17:25 -0000
> Message-ID: <20040924141725.13699.qmail () www securityfocus com>
> Content-Type: text/plain
> Content-Disposition: inline
> Content-Transfer-Encoding: binary
> MIME-Version: 1.0
> X-Mailer: MIME-tools 5.411 (Entity 5.404)
> From: <albatross () tim it>
> To: bugtraq () securityfocus com
> Subject: Microsoft's GDI Detetection Tool faults
>
>
>
> Today I downloaded the a gdi+ vulnerability (MS04-028) detection tool published by The SANS. In contraddiction as the 
> report provided by MS gdidettool.exe it found two version of vulnerable dlls.
>
> Be warned don't trust only MS's detection tool! Do all steps to patch your machines.
>
> albatross
>
> P.S. I think this will be another nightmare for many people.... any news about SUS 2.0/WUS?

MicroSoft's detection tool is is almost worthless. I used that after finding out about the new GDI+ security hole and 
it reported very vague dumb information. Like "You may have a problem" then I installed the lame patch they oringally 
provided on the first day they reported the issue and I ran the detection tool again and it said the same thing! I 
haven't tried the SANS detection tool yet but I bet it is much much better then what I used with the MS detection tool. 
I can't believe how long it took MS to patch this issue (about a year!!!) and they still were not ready when they went 
public with how to fix the issue.

I predict there is going to be a major worm just around the corner exploiting the new GDI+ JPEG vulnerability... Now 
that a bunch of example exploits with "insert your shellcode here" have been posted it's only a matter of time before 
someone has the guts/ego to try to pull off a major worm taking advantage of this issue... 

To all the people out there who found out about this security problem as soon as MS posted about it (which I'm sure is 
a lot of people since the media covered the issue all over). Then I hope you guy's check Windows Update again for any 
patchs regarding the GDI+ JPEG issue because I learned about it right about when MS released the original patch and 
visited there site to download the patch which didn't really fix the problem.. Then about two weeks later I went back 
to Windows Update to see if there was anything new and they did actually post a good patch to really fix the problem.. 

So I'm betting there are people like me who thought they were patched after installing the patch provided on MS's 
website but didn't know there was anything new patchs regarding the GDI+ JPEG vulnerablity issue on Windows Update. 
Everyone better start getting the good patch soon before the new Sasser worm begins to spread! It's only a matter of 
time...

--HighT1mes