Not in code

Software is about people

Archive for the ‘Windows’ tag

Making the best of IE to suffer less than we deserve

without comments

Googling “Make the best of what we offer you and you will suffer less than you deserve” (a quote from the movie Papillon) brings up this post as the first result: IEBlog: Standards and CSS in IE.

Amusing.

Written by hiremaga

May 19th, 2006 at 5:39 pm

Posted in Uncategorized


GDIPlus Scanning Tool from Sans.org

without comments

I recently ranted about the shocking GDIplus.dll JPEG processing vulnerability on this blog. Since then Microsoft released a tool that scans for vulnerable versions of this dll as part of Windows Update. Unfortunately this tool only results in giving people a false sense of security because it is incomplete.

The good people at sans.org have released their own tool which appears to be much better than Microsoft’s. I recommend running this tool at least once on your Windows PC and then each time you install any application that *may* install its own copy of the dll (i.e. potentially *any* application that does JPEG processing). Of course it’s worth making sure that you have installed all vendor updates before you run the tool as they may well fix the vulnerability. Also, please read the sans.org web page carefully before you run their tool as there are some instances where it is “OK” if a vulnerable instance of the dll is found on your computer.

Additionally for users of Macromedia’s MX line of products, they recently released this security bulletin that states that their products are not affected by the vulnerability.

Thanks go to my ever dependable colleague Rob for showing me the sans.org tool.

Written by hiremaga

September 28th, 2004 at 9:25 am

Posted in Uncategorized
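
The post above recommends rescanning after every install because applications can ship their own copy of the dll. The sketch below is an added example, not code from this blog, Microsoft or sans.org: it inventories every gdiplus.dll under a directory and reads each copy's file version from its VS_FIXEDFILEINFO block. The function names and the command-line form are assumptions, and the fixed version to compare against is not given on this page, so it must be taken from the vendor bulletin.

```python
import os
import struct
import sys

# VS_FIXEDFILEINFO starts with dwSignature 0xFEEF04BD and dwStrucVersion,
# followed by dwFileVersionMS and dwFileVersionLS (little-endian DWORDs).
SIGNATURE = struct.pack("<I", 0xFEEF04BD)

def file_version(data):
    """Return (major, minor, build, revision) from raw file bytes, or None.
    Heuristic: takes the first signature match instead of walking the PE
    resource directory, so treat the result as a triage hint."""
    pos = data.find(SIGNATURE)
    if pos < 0 or pos + 16 > len(data):
        return None
    _sig, _struc, ms, ls = struct.unpack_from("<4I", data, pos)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)

def parse_version(text):
    """Turn 'a.b.c.d' into a comparable 4-tuple of ints."""
    parts = tuple(int(p) for p in text.split("."))
    if len(parts) != 4:
        raise ValueError("expected a.b.c.d, got %r" % text)
    return parts

def audit(root, fixed_version, name="gdiplus.dll"):
    """Return sorted [(path, version, status)] for every copy under root.
    'older' means review it, not that it is necessarily exploitable."""
    results = []
    for folder, _dirs, files in os.walk(root):
        for f in files:
            if f.lower() != name:
                continue
            path = os.path.join(folder, f)
            try:
                with open(path, "rb") as fh:
                    ver = file_version(fh.read())
            except OSError:
                ver = None  # unreadable (locked or access denied)
            if ver is None:
                status = "unknown"
            else:
                status = "older" if ver < fixed_version else "ok"
            results.append((path, ver, status))
    return sorted(results)

if __name__ == "__main__":
    # Usage: audit.py <root> <fixed a.b.c.d from the vendor bulletin>
    for path, ver, status in audit(sys.argv[1], parse_version(sys.argv[2])):
        print(status, ver, path)
```

Copies reported as "unknown" carry no readable version block and need a manual look.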


OMIGOD

without comments

A quote from the page on Microsoft’s site describing the recent JPEG processing vulnerability in GDI+:

Could I still be vulnerable even after I have installed all required security updates?
Yes. …(long list of reasons why)…

Please find me a tall building to jump from…

Will blog some more about this when (and if) I find an effective way to patch multiple machines + programs without shelling out big $$$

Written by hiremaga

December 9th, 2003 at 4:01 pm

Posted in Uncategorized
