Problems with MS security patch MS07-046

asperamanca

Hi all,

regarding the recent security patch

MS07-046 "Vulnerability in GDI could allow remote code execution"

I have found that certain applications compiled on Windows XP
Professional with this security patch will crash on different-language
machines (EN versus GER), regardless of whether the patch is installed or
not.

I was able to verify this with Visual Studio 6.0 SP6, for an
application which directly calls GDI functions of the Windows API.

Microsoft support will not handle that matter, since VS 6.0 is no
longer supported. Still, I am pretty sure that not the programming
language, but the direct calls to the GDI library cause the problem.

Has anyone of you observed similar problems in programs written in VS
2003 or 2005? I don't expect them to show up if you use the built-in
GDI/GDI+ calls, only if you directly access the Windows API (which
probably only legacy code will do).

We've tested it by compiling on an English Windows XP, and testing on
German XP, and vice versa. Don't know about other languages, but I
expect the problem to be similar.

Robert
 
Allan

Hi all,

regarding the recent security patch

MS07-046 "Vulnerability in GDI could allow remote code execution"

I have found that certain applications compiled on Windows XP
Professional with this security patch will crash on different-language
machines (EN versus GER), regardless of whether the patch is installed or
not.

I was able to verify this with Visual Studio 6.0 SP6, for an
application which directly calls GDI functions of the Windows API.

Microsoft support will not handle that matter, since VS 6.0 is no
longer supported. Still, I am pretty sure that not the programming
language, but the direct calls to the GDI library cause the problem.

Has anyone of you observed similar problems in programs written in VS
2003 or 2005? I don't expect them to show up if you use the built-in
GDI/GDI+ calls, only if you directly access the Windows API (which
probably only legacy code will do).

We've tested it by compiling on an English Windows XP, and testing on
German XP, and vice versa. Don't know about other languages, but I
expect the problem to be similar.

Robert
From your description of the problem, maybe it is time to update the legacy
application programs if you still need to deploy them. Otherwise uninstall
the update on the compiling machine for deployment compatibility reasons
that you mentioned. Recompile your applications after uninstallation for
deployment; this is not a very attractive option I admit.
 
asperamanca

From your description of the problem, maybe it is time to update the legacy
application programs if you still need to deploy them. Otherwise uninstall
the update on the compiling machine for deployment compatibility reasons
that you mentioned. Recompile your applications after uninstallation for
deployment; this is not a very attractive option I admit.

Well, it's clear that we compile without the patch on the compile
server for the time being - however, I really wonder whether the same
problem does NOT occur in legacy application (using direct GDI calls)
ported to .NET
Unfortunately, there's currently no way we could afford to "update the
legacy application" - it's actually a living in-development
application (since about 8 years), and we would need to completely re-
write it to "upgrade".
Now...re-write the results of 8 years of work in a hurry....

Robert
 