GDISCAN Result (JPEG Exploit) Which SXS.DLL does windows xp use ???

Skybuck Flying · Sep 28, 2004

Scanning Drive C:...

C:\Program Files\Common Files\Microsoft Shared\Office10\MSO.DLL
Version: 10.0.3501.0 <-- Possibly vulnerable (Under OfficeXP only)

C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1
only)

These two might be fixed with office update ?

C:\WINDOWS\$NtUninstallKB833987$\sxs.dll
Version: 5.1.2600.0 <-- Possibly vulnerable (Backup for uninstall purposes)

Could be deleted/renamed.

C:\WINDOWS\$xpsp1hfm$\KB833987\asms\10\msft\windows\gdiplus\gdiplus.dll
Version: 5.1.3102.1360

C:\WINDOWS\$xpsp1hfm$\KB833987\sxs.dll
Version: 5.1.2600.1363

C:\WINDOWS\$xpsp1hfm$\KB839645\sxs.dll
Version: 5.1.2600.1515

C:\WINDOWS\LastGood\system32\dllcache\vgx.dll

Version: 6.0.2600.0 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1
only)

C:\WINDOWS\LastGood\system32\sxs.dll

Version: 5.1.2600.0 <-- Vulnerable version

I never knew windows had a LastGood folder...

This is a bit worrieing.

C:\WINDOWS\system32\sxs.dll
Version: 5.1.2600.136 <-- Vulnerable version

This is most worrieing.

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-w
w_8d353f13\GdiPlus.dll
Version: 5.1.3097.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.1_x-w
w_8d353f14\GdiPlus.dll
Version: 5.1.3100.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)

These two might be because of .NET ? Which might be fixed with a .NET
upgrade ?

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.13
60_x-ww_24a2ed47\GdiPlus.dll
Version: 5.1.3102.1360

Scan Complete.

So the big question is:

Does windows use:

1.

C:\WINDOWS\system32\sxs.dll
Version: 5.1.2600.136 <-- Vulnerable version

or

2.

Does it use one of these

C:\WINDOWS\$xpsp1hfm$\KB833987\asms\10\msft\windows\gdiplus\gdiplus.dll
Version: 5.1.3102.1360

C:\WINDOWS\$xpsp1hfm$\KB833987\sxs.dll
Version: 5.1.2600.1363

C:\WINDOWS\$xpsp1hfm$\KB839645\sxs.dll
Version: 5.1.2600.1515

?????

I would feel saver if all vunerable sxs.dll's where removed

P.S.:

I also tried renaming the sxs.dll to something else... but then windows
starts nagging about the file no longer being recgonized etc... and that it
starts maybe using some other sxs.dll ???? So I didn't like that warning so
I renamed it back to sxs.dll.

Bye,
Skybuck.

Rebecca Chen [MSFT] · Sep 28, 2004

Hi Skybuck,

Yes, all files are correct and they're not harmful based on the version
info.

Please refer to the following pages:

Microsoft Security Bulletin MS04-028
http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx

Microsoft Security Bulletin MS04-024
http://www.microsoft.com/technet/security/bulletin/ms04-024.mspx

Expand the "Security Update Information" on the above pages and then expand
"Windows XP". You will be able to see the version info for the files you
mentioned in the post.

In another hand, the "LastGood" folder is for "Last known good
configuration" and it's a normal folder. If you're interested in this,
please search for "LastGood" at Microsoft.com.

HTH.

Have a nice day!

Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA

Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Torgeir Bakken \(MVP\) · Sep 28, 2004

Skybuck said:
Scanning Drive C:...

C:\Program Files\Common Files\Microsoft Shared\Office10\MSO.DLL
Version: 10.0.3501.0 <-- Possibly vulnerable (Under OfficeXP only)

C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1
only)

These two might be fixed with office update ?

Mso.dll, yes, vgx.dll, no. For WinXP, you can disregard the vgx.dll file.

Read more about this here:
http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx

[snip]

C:\WINDOWS\system32\sxs.dll
Version: 5.1.2600.136 <-- Vulnerable version

This is most worrieing.

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-w
w_8d353f13\GdiPlus.dll
Version: 5.1.3097.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.1_x-w
w_8d353f14\GdiPlus.dll
Version: 5.1.3100.0 <-- Possibly vulnerable (Windows Side-By-Side DLL)

These two might be because of .NET ? Which might be fixed with a .NET
upgrade ?

No, this will not be updated by a .Net update, but this one will (or really
not, the old GdiPlus.dll files in WinSxS will not be replaced, see further
down for more on this):

Security Update for Windows XP (KB833987)
http://www.microsoft.com/downloads/...C1-63BD-4213-82C1-20266FDFD735&displaylang=en

C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.13
60_x-ww_24a2ed47\GdiPlus.dll
Version: 5.1.3102.1360

Scan Complete.

So the big question is:

Does windows use:

1.

C:\WINDOWS\system32\sxs.dll
Version: 5.1.2600.136 <-- Vulnerable version

Yes, this is the one that is used (in addition to the GdiPlus.dll files
in the WinSxS\... folder structure).

The "Security Update for Windows XP (KB833987)" (link above) will
install a new sxs.dll that installs a SxS (side by side) policy that
will make sure that when a GdiPlus.dll is to be used from the WinSxS
folder, the system uses the new GdiPlus.dll file in WinSxS (also
installed by the same update).

Looking at the security update information section here
http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx

version 5.1.2600.136 of sxs.dll is not vulnerable (I assume that you
have WinXP SP0).

or

2.

Does it use one of these

C:\WINDOWS\$xpsp1hfm$\KB833987\asms\10\msft\windows\gdiplus\gdiplus.dll
Version: 5.1.3102.1360

C:\WINDOWS\$xpsp1hfm$\KB833987\sxs.dll
Version: 5.1.2600.1363

C:\WINDOWS\$xpsp1hfm$\KB839645\sxs.dll
Version: 5.1.2600.1515

This is just files/folders used for uninstallation of updates. Safest
would be to delete all uninstall folders to avoid old GDI+ vulnerable
versions being re-installed later on if you do an uninstall of an
update.

You should delete all $NtUninstall... folders (and then you can delete
the $xpsp1hfm$ folder as well).

skybuck · Sep 28, 2004

Ok the link contains this information:

Date Time Version Size File name Folder
--------------------------------------------------------------------------
09-Mar-2004 01:58 5.1.2600.136 646,656 Sxs.dll SP1 (Pre SP1)
02-Mar-2004 21:19 5.1.3102.1360 1,638,400 Gdiplus.dll SP1 (Pre SP1)

Does this mean these two versions are vunerable or not vunerable ?

09-Mar-2004 02:25 5.1.2600.1363 676,864 Sxs.dll SP2 (With SP1)
02-Mar-2004 21:19 5.1.3102.1360 1,638,400 Gdiplus.dll SP2 (With SP1)

What about these two ?

Anyway... the GDISCAN is reporting that the first one is still vunerable.

09-Mar-2004 01:58 5.1.2600.136 646,656 Sxs.dll SP1 (Pre SP1)

C:\WINDOWS\system32\sxs.dll
Version: 5.1.2600.136 <-- Vulnerable version

So there are two possibilities:

1. GDISCAN is wrong.

or

2. Microsoft is wrong.

Bye,
Skybuck.

Torgeir Bakken \(MVP\) · Sep 28, 2004

[adding microsoft.public.windowsxp.general back again]

Ok the link contains this information:

Date Time Version Size File name Folder
--------------------------------------------------------------------------
09-Mar-2004 01:58 5.1.2600.136 646,656 Sxs.dll SP1 (Pre SP1)
02-Mar-2004 21:19 5.1.3102.1360 1,638,400 Gdiplus.dll SP1 (Pre SP1)

Does this mean these two versions are vunerable or not vunerable ?

Not vulnerable.

09-Mar-2004 02:25 5.1.2600.1363 676,864 Sxs.dll SP2 (With SP1)
02-Mar-2004 21:19 5.1.3102.1360 1,638,400 Gdiplus.dll SP2 (With SP1)

What about these two ?

Not vulnerable.

Anyway... the GDISCAN is reporting that the first one is still vunerable.

09-Mar-2004 01:58 5.1.2600.136 646,656 Sxs.dll SP1 (Pre SP1)

C:\WINDOWS\system32\sxs.dll
Version: 5.1.2600.136 <-- Vulnerable version

So there are two possibilities:

1. GDISCAN is wrong.

or

2. Microsoft is wrong.

I would think GDISCAN is wrong here, I guess they aren't aware of the
somewhat "strange" version number (5.1.2600.136) that Sxs.dll have in
the WinXP RTM (SP0) update for the GDI+ vulnerability.

Also, be sure to use the last version of Gdiscan.exe:

http://isc.sans.org/gdiscan.php

GDISCAN Result (JPEG Exploit) Which SXS.DLL does windows xp use ???

Skybuck Flying

Rebecca Chen [MSFT]

Torgeir Bakken \(MVP\)

skybuck

Torgeir Bakken \(MVP\)