Fixing GDI+/JPEG Vulnerability Simplified

This page fills an apparent void of simple instructions for fixing the (MS04-028) GDI+/JPEG vulnerability disclosed in September 2004. It shall be referred to in this document as the Problem (not the "issue", "matter", "feature", or other euphemism; it's a Problem).

Brief Description of the Problem:
"A buffer overrun vulnerability exists in the processing of JPEG image formats that could allow remote code execution on an affected system. The vulnerability is documented in Microsoft Security Bulletin MS04-028 in its own section.

"If a user is logged on with administrator privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges."

(from Microsoft Security Bulletin MS04-028 Executive Summary)

Essentially this means that if you view an infected .jpeg image using a program which relies upon the unpatched GDI+ module, your machine is at the mercy of whatever malware has been packaged with the infected .jpeg image. The infected file can be renamed to another image extension such as .bmp, .gif, .png, .ico, whatever; it will still be processed by the GDI+ module as a .jpeg and bad things will occur.



Scope of the Problem:
The Problem exists in three general areas:
  1. Windows Office files
  2. Windows System files
  3. non-Windows program files
The Problem is caused by one file named gdiplus.dll which may exist in several different locations and versions on your computer. (There are other related files named sxs.dll, vgx.dll, mso.dll, and wsxs.dll, but they have not been proven to be exploitable and therefore are, at this time, of no concern.)

These files may reside in assorted locations and various versions because the GDI+ (Graphics Device Interface) module is redistributable by third-party vendors.


Determining if and where the Problem exists:
There are currently two primary tools available to determine the existence of the Problem:

  1. Microsoft GDI+ Detection Tool (gdidettool.exe, ~214KB)
  2. SANS Institute GDI Scan Tool (gdiscan.exe, ~7KB; get the GUI version)
Download both of these tools to your computer; make a note of the destination directory.

1a) The MS tool always indicates that you "are running Microsoft software that may contain a security vulnerability" and will give you the option of clicking "Yes" to visit their page called "How to Update Your Computer with the JPEG Processing (GDI+) Security Update" (or you can click "No" to exit the tool without taking further action).


Fig. 1

The MS page above is useful because it provides links to both Microsoft Office Update and Microsoft Windows Update.

You can use the MS tool as a launching point to get to the MS page. The tool has the "advantage" of always opening Internet Explorer to get to the Update pages.

1b) Fix the affected Windows Office files:
If you have Windows Office 2000, Office 2003, or Office XP installed on your computer, use Microsoft Office Update to update any affected Windows Office products.

1c) Fix the affected Windows System files:
Use Microsoft Windows Update to update affected Windows system files.
(NOTE: It is my opinion that XP users who have a good firewall and updated anti-virus software do not need to download SP2 at this time. I would suggest bypassing that download. Also, at the time of this writing [October 15, 2004], several other Windows Security Updates [MS04-029...038] have been released; for the sake of this discussion, deselect all updates except for KB833987 which specifically fixes the GDI+ Problem for the Windows System files.)


2) Fix the affected non-Windows program files:
Having completed the above, it is necessary to determine exactly which other vulnerable files exist and where they reside on your computer. The problem with the MS tool is that it doesn't tell you any specifics about the vulnerable Windows and Office files and it tells you nothing at all about any vulnerable third-party files.

That is where the SANS gdiscan.exe tool comes into play. An excellent (actually, the definitive) tutorial about how to use it and how to interpret the results is reproduced here with the kind permission of the author, Lawrence Abrams.

In essence, the process is as follows:

  1. Run gdiscan.exe to determine:
     1.1 which files are vulnerable
     1.2 the directory path of the vulnerable files
     1.3 to which program (vendor) the vulnerable files 'belong'
         (the directory path usually makes this clear)
     For now, only concern yourself with the gdiplus.dll files which are noted as:
     Version: #.#.#.# <-- Vulnerable
     and which do not reside in:
     (gdiscan.exe may take a few minutes depending upon the number of files on your hard drive. When it is done, it will say 'Scan Complete'.)
  2. Try to acquire an updated gdiplus.dll file from the website of the vendor discerned from Step 1.3 above.
  3. If the vendor does not provide an updated file, you will need to:
  4. For each of the files in Steps 1.1 - 1.2, rename it from gdiplus.dll to gdiplus.orig.dll
     (this creates a backup of the original file.)
  5. Copy the appropriate gdiplus.dll file obtained in Step 2 or Step 3 into the appropriate directory from Step 1.2.
  6. After you have replaced all the offending gdiplus.dll files, re-run gdiscan.exe.
  7. There should now be no gdiplus.dll files listed as Vulnerable.
  8. For each of the vendors which did not provide replacement/updated gdiplus.dll files, be certain to run that program and put it through its paces, particularly anything which may have to do with displaying a .jpeg image.
  9. If a particular vendor's program is now broken, restore the original gdiplus.dll file and really lean on the vendor to provide a patched replacement gdiplus.dll file.

For reference purposes, the table of gdiplus.dll version numbers and their vulnerability status is reproduced here. The information is taken from the Frequently Asked Questions section of Microsoft Security Bulletin MS04-028.

Version of Gdiplus.dll file                      State            General notes
All versions prior to 5.1.3102.1355              Vulnerable       Includes Windows XP, Windows XP Service Pack 1, and most third-party applications that redistribute this file.
5.1.3102.1355                                    Not vulnerable   Provided as part of security bulletin MS04-028.
5.1.3102.1360                                    Not vulnerable   Provided as part of security bulletin MS04-028.
Versions 5.1.3102.2000 through 5.1.3102.2179     Not supported    These versions were provided as part of early Windows XP Service Pack 2 Beta releases and are not supported. Customers should upgrade to the released version of Windows XP Service Pack 2. These versions of the Gdiplus.dll file were not generally released to the public.
5.1.3102.2180                                    Not vulnerable   Shipped with Windows XP Service Pack 2.
5.2.3790.0                                       Vulnerable       Shipped with Windows Server 2003.
5.2.3790.136                                     Not vulnerable   Provided as part of security bulletin MS04-028.
6.0.3260.0                                       Vulnerable       Shipped with Office 2003, Visio 2003, and Project 2003.
Versions 6.0.3264.0 and later                    Not vulnerable   Provided as part of security bulletin MS04-028.
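The script below is an added worked example (not code from this page, from Microsoft, or from gdiscan.exe): it encodes the MS04-028 version table above and turns a gdiscan-style inventory of gdiplus.dll copies into the rename-and-replace steps of the procedure (Steps 1-5). The MS_MANAGED prefixes, the vendor names and the file paths in SAMPLE_SCAN are constructed assumptions.

```python
import ntpath
def parse_version(text):
    """'5.1.3102.1355' -> (5, 1, 3102, 1355), padded to four parts so tuples compare."""
    v = tuple(int(part) for part in text.strip().split("."))
    return v + (0,) * (4 - len(v))

def classify(version):
    """State column of the MS04-028 table above for one gdiplus.dll version string."""
    v = parse_version(version)
    if v < (5, 1, 3102, 1355):
        return "Vulnerable"         # XP, XP SP1 and most third-party copies
    if v[:3] == (5, 1, 3102):
        if v[3] in (1355, 1360, 2180):
            return "Not vulnerable"
        if 2000 <= v[3] <= 2179:
            return "Not supported"  # early XP SP2 beta builds
    elif v[:3] == (5, 2, 3790):
        if v[3] == 0:
            return "Vulnerable"     # Windows Server 2003
        if v[3] == 136:
            return "Not vulnerable"
    elif v[:2] == (6, 0):
        if v == (6, 0, 3260, 0):
            return "Vulnerable"     # Office 2003, Visio 2003, Project 2003
        if v >= (6, 0, 3264, 0):
            return "Not vulnerable"
    return "Unknown"                # not listed in the bulletin's table

# Prefixes fixed by Windows Update / Office Update (Steps 1b, 1c); an assumption, not from the bulletin.
MS_MANAGED = ("c:\\windows\\", "c:\\program files\\common files\\microsoft shared\\")

def remediation_plan(inventory):
    """(path, version) pairs from a gdiscan-style listing -> one (vendor_dir,
    backup_cmd, copy_cmd) tuple per vulnerable third-party copy (Steps 4 and 5)."""
    plan = []
    for path, version in inventory:
        if classify(version) != "Vulnerable" or path.lower().startswith(MS_MANAGED):
            continue
        folder = ntpath.dirname(path)
        plan.append((ntpath.basename(folder),          # Step 1.3: the path names the program
                     f'ren "{path}" gdiplus.orig.dll',  # Step 4: keep a backup
                     f'copy "<patched gdiplus.dll>" "{folder}"'))  # Step 5
    return plan

SAMPLE_SCAN = [  # constructed sample inventory; the vendor names are made up
    (r"C:\WINDOWS\system32\gdiplus.dll", "5.1.3102.1360"),
    (r"C:\Program Files\Common Files\Microsoft Shared\Office11\gdiplus.dll", "6.0.3264.0"),
    (r"C:\Program Files\AcmeViewer\gdiplus.dll", "5.1.3097.0"),
    (r"C:\Program Files\FooBurner\bin\gdiplus.dll", "5.1.3102.1355"),
]
```

Running remediation_plan(SAMPLE_SCAN) yields one entry, for the AcmeViewer copy; the system32 and Office copies are left to Windows Update and Office Update, and the FooBurner copy is already at a fixed version.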




This page last updated:
15 October 2004 0645 PDT
jtm