Results 1 to 9 of 9
  1. #1
    5 Star Lounger
    Join Date
    Mar 2001
    Location
    Pickering, Ontario
    Posts
    642
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Office 2003 Security Update KB838905 (Office 2003 SP1)

    On September 14, 2004, Microsoft issued Security Update KB838905 that addresses a problem with the graphics interpreter code. The file being updated is GDIPLUS.DLL and should be version 6.0.3264.0.

    A check of my environment indicates that the most recent version does exist in my Office folder and thus I do not have to download and install the update for Office.

    However, the GDIPLUS.DLL also exists in many other folders and a check of their version numbers indicates that they are all older than 6.0.3264.0. The questions are... 1) would it be safe to just copy the newer version into each of the remaining folders or 2) should I leave well enough alone.

    I have attached a snapshot of the folder applications where the various versions were found... which also includes the new v9 of Paint Shop Pro.

    All suggestions are welcomed...

    Cheers, Bob
    Attached Images Attached Images
    Regards,
    Bob

  2. #2
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Office 2003 Security Update KB838905 (Office 2

    It's possible that it is only a security problem in the context of Office, but it could just be a matter of time before some exploit code is developed that "finds" the other files. Hard to say.

    If you decide to copy the new file into the other folders, you probbably should rename the older versions (e.g., to .DLX) and keep them around in case the new version is incompatible with your applications. Or you could contact each of the publishers of the other programs for their recommendations.

  3. #3
    5 Star Lounger
    Join Date
    Mar 2001
    Location
    Pickering, Ontario
    Posts
    642
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Office 2003 Security Update KB838905 (Office 2

    Jefferson,

    I'll take your advice and contact the two suppliers, JASC for the Paint Shop products and TechSmith for SnagIt.

    My search also showed Microsoft Works but I have never owned or installed any of the Work apps. Don't really know where that one came from so I'll just zip up the few files in that folder and squirrel it away for awhile to see what happens.

    The remaining folders containing GDIPLUS.DLL are related to Microsoft. Maybe I'll thrown them a line and see how long it takes them to respond.

    Thanks again,

    Bob
    Regards,
    Bob

  4. #4
    Platinum Lounger
    Join Date
    Jan 2001
    Posts
    3,788
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: Office 2003 Security Update KB838905 (Office 2

    Hi Bob

    For more details on this issue see:
    Microsoft GDI+ Detection Tool
    How to Update Your Computer with the JPEG Processing (GDI+) Security Update
    Microsoft Security Bulletin MS04-028 - this includes list of Microsoft software that is affected.
    Unfortunately these articles do not cover non-Microsoft programs.

    This issue is also covered in the latest issue of Woody's Office Watch (link not yet available)

  5. #5
    Platinum Lounger
    Join Date
    Jan 2001
    Posts
    3,788
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: Office 2003 Security Update KB838905 (Office 2

    I have checked further and within the security bulletin this is what MS says about third-party software.
    <hr>You may have installed a third-party program that has installed the affected component. If the Gdiplus.dll file is installed on your system, you may have to install an update for that program. It is possible that not every program that installs this file is vulnerable to this issue because it may not use the Gdiplus.dll file to process JPEG images. However, only the manufacturer of that program can make that determination. This could include third party applications that were developed using Visual Studio .NET 2002, Visual Studio .NET 2003, or the Microsoft .NET Framework 1.0 SDK Service Pack 2. Typically, even if the affected component is installed on a system that is running Windows XP or Windows Server 2003, the program still uses the operating system version of the affected component.<hr>

  6. #6
    5 Star Lounger
    Join Date
    Mar 2001
    Location
    Pickering, Ontario
    Posts
    642
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Office 2003 Security Update KB838905 (Office 2

    Tony,

    WRT your previous note, I did download the GDI tool and ran it. It indicated that I "may" have a problem and to visit the Windows and Office update sites. This was fruitless as I had already performed those tasks and the update sites indicated my environment was indeed current. I ran an update check again as was deemed to be current. Running it again this morning brought the same result.

    I had visited the other two links and could not find an appropriate answer.

    WRT your finding info about third party software... that was more in line with what I was trying to get. Last night I sent notes to both JASC and TechSmith support asking about the need to use an updated GPIPLUS.DLL file. As of this writing I have not received a reply. I will post their answers when received.

    Thanks again for your input.

    Edited to add: I did receive the current version of Woody's Office Watch yesterday and it basically covered what was in the MS KB stuff with a recommendation to install Win XP SP2 and Office 2003 SP1. I had installed Office 2003 SP1 shortly after it was released and that is why the current version of GDIPLUS.DLL was in my system. I also had installed Win XP SP2 on August 11, 2004. So, all is right with the world regarding those updates.

    Cheers, Bob
    Regards,
    Bob

  7. #7
    5 Star Lounger
    Join Date
    Mar 2001
    Location
    Pickering, Ontario
    Posts
    642
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Office 2003 Security Update KB838905 (Office 2

    Update concerning GDIPLUS.DLL in TechSmith's SnagIt.

    Heard from Mark Brembeck, Technical Support Manager, TechSmith yesterday who stated:

    "Snagit does not use GDIPLUS.DLL to open JPG files, so technically SnagIt should not be at risk. We plan to update to the new GDIPLUS.DLL in the next version of SnagIt. While we have not tested it yet, you could try renaming the current DLL to GDIPLUS.DLL.BAK and drop the updated one into SnagIt's directory."

    I performed the task as suggested by Jefferson and Mark Brembeck. So far, all seems to be working without a hitch.

    At this point I still haven't heard from JASC regarding GDIPLUS.DLL's use in Paint Shop Pro and Paint Shop Photo Album.

    As stated, just an update.

    Edited 2004-09-20: Just had SnagIt crash when playing with a file. Went back to the SnagIt provided GDIPLUS.DLL and all is well. I'll wait for TechSmith to provide an update to SnagIt.
    Regards,
    Bob

  8. #8
    Plutonium Lounger
    Join Date
    Nov 2001
    Posts
    10,550
    Thanks
    0
    Thanked 7 Times in 7 Posts

    Re: Office 2003 Security Update KB838905 (Office 2003 SP1)

    I moved this whole thread to the Spyware - Antivirus - Safe Computing forum, from the Office forum, because this security issue is not specific to Microsoft Office.

    StuartR

  9. #9
    Platinum Lounger
    Join Date
    Jan 2001
    Posts
    3,788
    Thanks
    0
    Thanked 1 Time in 1 Post

    Re: Office 2003 Security Update KB838905 (Office 2

    JASC have issued a statement regarding the GDI vulnerability. This will be of interest to users of Paint Shop Pro 9.0, Paint Shop Pro Studio 1.0, Paint Shop Photo Album 5.0 and 5.01. The article states that although our programs include a vulnerable version of gdiplus.dll they don't utilize gdiplus.dll in a manner that is exploitable according to Microsoft.
    Full details can be found in the JASC forum

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •