First, you should download a newer version of the SANS gdi tool. i had similar output to yours but mine was a more verbose with it's descriptions. See below: Scanning Drive C:... C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only) C:\WINDOWS\$NtUninstallKB839645$\sxs.dll Version: 5.1.2600.1106 <-- Possibly vulnerable (Backup for uninstall purposes) C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\as ms\10\msft\windows\gdiplus\gdiplus.dll Version: 5.1.3102.2180 C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\sx s.dll Version: 5.1.2600.2180 C:\WINDOWS\SoftwareDistribution\Download\6ca7b3a8efd5a9b6f87fff395a2eb989\vg x.dll Version: 6.0.2900.2180 C:\WINDOWS\system32\dllcache\sxs.dll Version: 5.1.2600.1515 C:\WINDOWS\system32\dllcache\vgx.dll Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only) C:\WINDOWS\system32\sxs.dll Version: 5.1.2600.1515 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-w w_8d353f13\GdiPlus.dll Version: 5.1.3097.0 <-- Possibly vulnerable (Windows Side-By-Side DLL) C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x- ww_712befd8\GdiPlus.dll Version: 5.1.3101.0 <-- Possibly vulnerable (Windows Side-By-Side DLL) Scan Complete. The fact that it says, for example, (Win2K SP2 and SP3 w/IE6 SP1 only) next to several make me feel secure. I'm running XP Pro SP2. I think this is because the version number is all that the gdi scan is looking. So, it gives a little more feedback so the user knows if they're still vulnerable or not. As per your second question... COM and Shared DLL Isolation Support Windows XP has a new folder under Windows called "WinSxS" (Windows Side-by-Side). This area is used to store versions of Windows XP components that are built to reduce configuration problems with Dynamic Link Libraries (DLL) (DLL hell). Multiple versions of components are stored in this folder. Windows XP allows Win32® API components and applications to use the exact version of Microsoft components with which they are tested and not be impacted by other application or operating system updates. It does this by relying on XML files that contain metadata about application configuration such as COM classes, interfaces, and type libraries.[1] Hope that helps. [1] http://www.microsoft.com/technet/prodtechnol/winxppro/evaluate/xptechov.mspx -----Original Message----- From: albatross@xxxxxx [mailto:albatross@xxxxxx] Sent: Monday, September 27, 2004 1:46 PM To: bugtraq@xxxxxxxxxxxxxxxxx Subject: Re: Microsoft's GDI Detetection Tool faults In-Reply-To: <B7C2C6BA798F3C4DBDD78BEDC1F8AD5705D7D30D@xxxxxxxxxxxxxxxxxxxxxxxx> The machine is a Windows XP SP1 completly patched with Office 2000 SP 3 completly patched. I don't have any kind of imaging programs installed (Photoshop, Picture It, etc) The output from the SANS tool is: Scanning... C:\WINDOWS\$NtServicePackUninstall$\sxs.dll Version: 5.1.2600.0 <-- Vulnerable version C:\WINDOWS\$NtUninstallKB839645$\sxs.dll Version: 5.1.2600.1106 <-- Vulnerable version C:\WINDOWS\ServicePackFiles\i386\sxs.dll Version: 5.1.2600.1106 <-- Vulnerable version C:\WINDOWS\system32\sxs.dll Version: 5.1.2600.1515 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-w w_8d353f13\GdiPlus.dll Version: 5.1.3097.0 <-- Vulnerable version C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x- ww_712befd8\GdiPlus.dll Version: 5.1.3101.0 <-- Vulnerable version C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.13 60_x-ww_24a2ed47\GdiPlus.dll Version: 5.1.3102.1360 Scan Complete. Does anybody know what the content of the WinSxS directory under the windows installation path is? albatross >How did you test this (and on what platform), and why do you propose >that the SANS tool is delivering more accurate results than the GDI tool >delivered by Microsoft? > >I tested the SANS tool against a properly patched XP system on Friday >and found it to false positive on many of the locations it said it >wouldn't test on. Additionally, I found it to alert on MS09.dll, on an >XP system. Our understanding from Microsoft is that MS09.DLL only needs >to be updated to be fully compatible with an updated GDIPLUS.DLL in the >system directory, it is not directly vulnerable. > >So, it would be good to know what you found. > >Best, > >Gaby >