http://isc.sans.org/diary.php?date=2004-09-26

GDI Vulnerabilities: An open letter to Microsoft

Dear Redmond Folks:

When I was but a wee lad, we lived in a rather large, old
house that had, among other charming qualities, a basement
that would make even the bravest soul think twice before
venturing downstairs. It was cavernous, ill lit, and, quite
frankly, always smelled a little funny. My older brother, as
older brothers are wont to do, would tell me fantastic
stories about why the basement had that odor; generally
centering on some unfortunate past resident’s demise. I
hated that basement.

My parents, in a vain attempt to rid the basement of its
malodorous “twang” purchased a dehumidifier which, because
there was no electrical outlet anywhere near the floor
drain, required emptying on a daily basis.

And, no matter how many times I begged, bribed and pleaded
with my older brother, he would somehow know when I was
making my daily trek to the basement and, as I was down
there trying to pull the heavy bucket out of the
dehumidifier, the lights would suddenly snap off, the
basement door would slam shut, and I would hear my older
brother’s voice wafting down from above: “It’s
cooooooooming..... It’s cooooooooming to get you.......”

And there I stood: alone in the dark, unknown terrors
approaching, armed only with a bucket of water.

Which is, curiously enough, almost exactly the position that
Windows users find themselves in today: alone in the dark,
unknown terrors approaching, but in their case, having a
bucket of water would be an improvement.

MS04-028 is, perhaps, the epitome of bad technical writing
-- the literary equivalent of spaghetti code. I’ve read
through it far too many times, and I still understand far
too little.

Your “GDI Scanning Tool” is worse than useless. Run it, and
it tells you that you "may be vulnerable", and directs you
to Windows Update and Office Update. Go to Windows Update
and update everything you can find. Go to Office Update and
do the same. Run the scanner again, and it tells you that
you "may be vulnerable", and directs you to Windows Update
and Office Update. Lather, rinse, repeat.

[Which is why the ISC has made GDIScan.exe and GDICLScan.exe
available. See http://isc.sans.org/gdiscan.php for details.]

What about those old gdiplus.dll files that we’re all
finding in our Side-By-Side DLL directories? Are they a
problem? Why are you updating sxs.dll? Is there vulnerable
code in there, or did you just rig it to avoid using the bad
code in older versions of gdiplus.dll? (Hey, if you had
asked me years ago, I would have told you that this was a
serious problem with your Side-By-Side implementation.)

When a third party vendor wants to distribute a Microsoft
DLL with their product, don’t they have to get permission
from you? Wouldn’t there be a list somewhere in Redmond of
the third party applications that have distributed
vulnerable copies of gdiplus.dll? Can you tell us what they
are?

Please stop treating your customers like idiots and give us
information; information that we can use.

In other words: Turn on the lights and open the door. We’re
ready to come back upstairs now.

-TL

------------------------------------------------------------------------
Handler on Duty : Tom Liston (
http://www.labreatechnologies.com