Saturday, 25 September 2004

XP for Me? No Thanks

As to why, from a Technical Cyber-Security Alert of last week:
This vulnerability affects the following Microsoft Windows operating systems by default:
  • Microsoft Windows XP and Microsoft Windows XP Service Pack 1
  • Microsoft Windows XP 64-Bit Edition Service Pack 1
  • Microsoft Windows XP 64-Bit Edition Version 2003
  • Microsoft Windows Server 2003
  • Microsoft Windows Server 2003 64-Bit Edition

Other Microsoft Windows operating systems, including systems running Microsoft Windows XP Service Pack 2, are not affected by default. However, this vulnerability may affect all versions of the Microsoft Windows operating systems if an application or update installs a vulnerable version of the gdiplus.dll file onto the system.
Attackers can exploit this vulnerability by convincing a victim user to visit a malicious web site, read an HTML-rendered email message, or otherwise view a crafted JPEG image with a vulnerable application. No user intervention is required beyond viewing an attacker-supplied JPEG image.
See the image in the article below this one? Or even my picture on the left? Those are JPEG images. Although I know the one of my photo isn't malicious, I can't guarantee the same about any other image.

So how do you protect yourself against this vulnerability? Well, first install SP2 (Service Pack 2). But then you still have to be careful when installing any new software, as it may bring its own copy of gdiplus.dll. In fact, you may have dozens of vulnerable copies of this file on your system already, even after installing the service pack.
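To see how many copies are actually on a disk, here is an added example (not part of the original post) that walks a directory tree, reads the file version out of each gdiplus.dll, and compares it with a fixed version you supply. The function names and status labels are hypothetical, the fixed version number must be taken from MS04-028 because this page does not state it, and comparing every copy against a single threshold is a simplifying assumption.

```python
import os
import struct

# VS_FIXEDFILEINFO.dwSignature (0xFEEF04BD) as stored little-endian in a PE file
VS_FFI_SIGNATURE = struct.pack("<I", 0xFEEF04BD)


def file_version(path):
    """Return (major, minor, build, revision) from the first VS_FIXEDFILEINFO
    block found in the file, or None if the file carries no such block."""
    with open(path, "rb") as fh:
        data = fh.read()
    pos = data.find(VS_FFI_SIGNATURE)
    if pos < 0 or pos + 16 > len(data):
        return None
    # Layout: dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS
    _sig, _struc, ms, ls = struct.unpack_from("<4I", data, pos)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def find_gdiplus(root, fixed_version):
    """Walk root and return sorted (path, version, status) tuples, one per
    gdiplus.dll copy. status is "outdated" (older than fixed_version),
    "current", or "unknown" (version could not be read)."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "gdiplus.dll":  # Windows names are case-insensitive
                continue
            path = os.path.join(dirpath, name)
            try:
                ver = file_version(path)
            except OSError:  # locked or unreadable file: report it, don't skip it
                ver = None
            if ver is None:
                status = "unknown"
            elif ver < fixed_version:
                status = "outdated"
            else:
                status = "current"
            results.append((path, ver, status))
    return sorted(results)


if __name__ == "__main__":
    import sys
    # Usage: script.py ROOT A.B.C.D  (A.B.C.D = fixed version from the bulletin)
    fixed = tuple(int(part) for part in sys.argv[2].split("."))
    for path, ver, status in find_gdiplus(sys.argv[1], fixed):
        shown = ".".join(map(str, ver)) if ver else "?"
        print(f"{status:9} {shown:18} {path}")
```

Copies reported as "unknown" deserve a manual look rather than being treated as safe.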

The latest data is available in the Microsoft Security Bulletin MS04-028.

Of course, alternatively, don't use XP.
