Tuesday, September 28, 2004

Now that this JPEG virus has seen the light of day...

I have become curious about Side-by-Side execution (which I used to think of as great, but I am now having doubts about it).

Because even though I am running XP SP2, which does not contain the GDIPLUS and SXS DLLs that hold the vulnerable code (not to mention MS Office's MSO.DLL), I still have older, vulnerable versions of GDIPLUS.DLL in the \WinSxS directories?

So if an application's .manifest file points to one of the vulnerable ones, what happens then? Is your system as open as a non-SP2 system, so that you have to rely on the other SP2 mechanisms to block any malicious code? Or if someone distributes their own copy of GDIPLUS.DLL (there is a version of Crystal Reports that allegedly does this), hopefully they do not ship a .local file, so the GDIPLUS.DLL in \System32 will be used.
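To check for the situation described above, here is an added PowerShell inventory script (not from the original post) that lists every copy of gdiplus.dll under the Windows and Program Files directories with its file version, plus any .local redirection files that would make the loader prefer a private copy over the one in \System32. The root directories are assumed defaults; add others if applications are installed elsewhere.

```powershell
# Added example (not part of the original post): inventory the GDI+ copies an
# application could end up loading, so each can be compared with the version
# the service pack installed. Root directories are assumed defaults; extend as needed.
$roots = @($env:SystemRoot, $env:ProgramFiles)

# Every gdiplus.dll on disk: System32, the WinSxS side-by-side store, and private
# copies shipped inside application directories.
$dlls = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter 'gdiplus.dll' -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            [PSCustomObject]@{
                Path    = $_.FullName
                Version = $_.VersionInfo.FileVersion
                Size    = $_.Length
            }
        }
}
"== gdiplus.dll copies (compare Version against the patched build) =="
$dlls | Sort-Object Version | Format-Table -AutoSize

# An <app>.exe.local file beside an executable makes the loader look for DLLs in
# that directory before System32, so list those as well.
$locals = foreach ($root in $roots) {
    Get-ChildItem -Path $root -Filter '*.local' -Recurse -ErrorAction SilentlyContinue |
        Select-Object FullName
}
"== .local redirection files =="
$locals | Format-Table -AutoSize
```

Any gdiplus.dll outside \System32 whose version is older than the one the service pack installed, or any .local file next to an executable that uses GDI+, is worth following up.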

After having a look at Windows rootkits, I feel particularly uneasy about this exploit and the JPEG exploit toolkit that has been released, because once they are married the implications for non-patched systems are enormous!

Thankfully our anti-virus software kills any JPEGs containing the exploit.

