In-Reply-To: <B7C2C6BA798F3C4DBDD78BEDC1F8AD5705D7D30D@xxxxxxxxxxxxxxxxxxxxxxxx> The machine is a Windows XP SP1 completly patched with Office 2000 SP 3 completly patched. I don't have any kind of imaging programs installed (Photoshop, Picture It, etc) The output from the SANS tool is: Scanning... C:\WINDOWS\$NtServicePackUninstall$\sxs.dll Version: 5.1.2600.0 <-- Vulnerable version C:\WINDOWS\$NtUninstallKB839645$\sxs.dll Version: 5.1.2600.1106 <-- Vulnerable version C:\WINDOWS\ServicePackFiles\i386\sxs.dll Version: 5.1.2600.1106 <-- Vulnerable version C:\WINDOWS\system32\sxs.dll Version: 5.1.2600.1515 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll Version: 5.1.3097.0 <-- Vulnerable version C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\GdiPlus.dll Version: 5.1.3101.0 <-- Vulnerable version C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.1360_x-ww_24a2ed47\GdiPlus.dll Version: 5.1.3102.1360 Scan Complete. Does anybody know what the content of the WinSxS directory under the windows installation path is? albatross >How did you test this (and on what platform), and why do you propose >that the SANS tool is delivering more accurate results than the GDI tool >delivered by Microsoft? > >I tested the SANS tool against a properly patched XP system on Friday >and found it to false positive on many of the locations it said it >wouldn't test on. Additionally, I found it to alert on MS09.dll, on an >XP system. Our understanding from Microsoft is that MS09.DLL only needs >to be updated to be fully compatible with an updated GDIPLUS.DLL in the >system directory, it is not directly vulnerable. > >So, it would be good to know what you found. > >Best, > >Gaby >
