XP SP2 and/or .Net SP1 now compulsory...


2004-09-30 02:12:56 PM
delphi98
The GDI+ Jpeg exploit didn't take long to become a virus:
it.slashdot.org/article.pl
In the comments are links to a gzipped file that contains the
offensive Jpeg file (8 kB only! you won't even see it downloading
if it is in a malicious mail or webpage).
Apparently it triggers bad things in some Linux apps too (if not
the intended virus behaviour), so I will personally be testing it
with TJpegImage and a few others in a Virtual PC...
Other consequence is that it makes installing XP SP2 and/or .Net SP1
(+ assorted office patches) somewhat compulsory, time to really speed up
fixing the Delphi 8 / .Net SP1 issue...
Eric
 
 

Re:XP SP2 and/or .Net SP1 now compulsory...

On Thu, 30 Sep 2004 11:10:01 +0200, Eric Grange writes:
Quote
without having to install SP2 or any large patch
Have you seen this?
www.microsoft.com/technet/security/bulletin/ms04-028.mspx
 

Re:XP SP2 and/or .Net SP1 now compulsory...

Eric Grange writes:
Quote
The GDI+ Jpeg exploit didn't take long to become a virus:

it.slashdot.org/article.pl

In the comments are links to a gzipped file that contains the
offensive Jpeg file (8 kB only! you won't even see it downloading
if it is in a malicious mail or webpage).
Apparently it triggers bad things in some Linux apps too (if not
the intended virus behaviour), so I will personally be testing it
with TJpegImage and a few others in a Virtual PC...

Other consequence is that it makes installing XP SP2 and/or .Net SP1
(+ assorted office patches) somewhat compulsory, time to really speed up
fixing the Delphi 8 / .Net SP1 issue...

Eric
>Other consequence is that it makes installing XP SP2 ... somewhat compulsory
Why? I have installed the Jpeg exploit critical update from Microsoft
and I have not installed SP2.
Steve
 

Re:XP SP2 and/or .Net SP1 now compulsory...

Eric Grange writes:
Quote
Other consequence is that it makes installing XP SP2 and/or .Net SP1
(+ assorted office patches) somewhat compulsory, time to really speed
up fixing the Delphi 8 / .Net SP1 issue...
[snip]
Hmm, took em 2 - 3 weeks to analyze the issue.
Now they're working on the patch to fix the issue, my guess another 2-3
weeks. Then at least 2 weeks of Q&A and regression testing.
My estimate is first half of November at the earliest.
 

Re:XP SP2 and/or .Net SP1 now compulsory...

Quote
My estimate is first half of November at the earliest.
Sightings of 2 variants of the jpeg virus have already been
reported on AOL Instant Messenger (you get a message with a link,
if you click it goes to a webpage with the offending jpeg),
not sure if you can afford not to update with a vulnerability
of this magnitude...
Maybe MS will issue a mini-patch that fixes only GDI+ Jpeg code,
without having to install SP2 or any large patch, otherwise this
could mean dozens of millions of infected machines before the
year ends.
Eric
 

Re:XP SP2 and/or .Net SP1 now compulsory...

TJpegImage gives an "Error #52", so no worry on this front :)
Eric
 

Re:XP SP2 and/or .Net SP1 now compulsory...

Thomas Edison writes:
Quote
On Thu, 30 Sep 2004 11:10:01 +0200, Eric Grange writes:


>without having to install SP2 or any large patch


Have you seen this?
www.microsoft.com/technet/security/bulletin/ms04-028.mspx
Exactly what I was saying!
 

Re:XP SP2 and/or .Net SP1 now compulsory...

Eric Grange writes:
[snip]
Quote
Sightings of 2 variants of the jpeg virus have already been
[Snip]
Eric,
My excuses for not being clear enough on what I meant.
What I meant is that I am not expecting a patch from Borland before
November.
FYI: Microsoft already released patches for the GDI+ bugs 'some time'
ago.
I'm not aware of the requirements, I just installed them and I
definitely don't have .NET 1.1 SP1 installed. Nor do I have XP SP2.
 

Re:XP SP2 and/or .Net SP1 now compulsory...

Quote
FYI: Microsoft already released patches for the GDI+ bugs 'some time' ago.
But aren't these the admin patches you find in the tech sections
of the MS site, like:
www.microsoft.com/technet/security/bulletin/ms04-028.mspx
On 'Windows Update', last time I checked you could only find
the GDI+ detection tool which merely listed what applications
would have to be updated on your machine (but doesn't do the updates,
AFAIK), which means that "regular" users are presented with
the long way:
www.microsoft.com/security/bulletins/200409_jpeg.mspx
So rephrased worry is about MS offering the small fixes
via WindowsUpdate, so everyone can get them in a timely fashion.
Eric