All About GDI+
This page contains information about a newly-discovered, privately reported vulnerability in GDI+. A buffer overrun vulnerability exists in the processing of JPEG image formats that could allow remote code execution on an affected system. This page contains information and links for developers who need to better understand this issue.
Articles

GDI+ 1.0 Security Update Overview
Find out about the security fixes to GDI+. Included is an outline of the buffer overrun vulnerability, and information to help you identify applications at risk, APIs that expose risk, and existing versions of GDI+ installed on your system.

KB Article: How to obtain and use the MS04-028 Enterprise Update Scanning Tool
Microsoft has released the MS04-028 Enterprise Update Scanning Tool (MS04-028_Updatescan_886988.exe). IT professionals can use the MS04-028_Updatescan_886988.exe tool to scan computers for the required MS04-028 security updates and to apply any missing updates from a local area network (LAN) share.

Microsoft Security Bulletin MS04-028
Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)

September 2004 Security Update for JPEG Processing (GDI+)
The GDI+ security update for September 2004 addresses newly discovered issues in JPEG processing technology. This issue affects software that supports this image format, including some versions of Microsoft Windows, Microsoft Office, and Microsoft developer tools.

FAQ
Microsoft recently issued an update to address the issue described in MS04-028. Customers should read the security bulletin and update their machines accordingly. Some questions have been raised in the community about the side by side technology used in Windows in this context. This FAQ attempts to answer those questions and is recommended reading for administrators and for users curious to know the details.

How To Build and Service Isolated Applications and Side-by-Side Assemblies for Windows XP

What is Side by Side?
The capability to install and run multiple versions of a component simultaneously on a machine is called side by side, and has always been possible in Windows operating systems in the form of privately deployed DLLs and other ad hoc mechanisms. In Windows XP, formal side by side infrastructure was introduced to help create, centrally deploy and centrally service side by side components on a machine. More information on this can be found in the article How To Build and Service Isolated Applications and Side-by-Side Assemblies for Windows XP.

What is central servicing?
Central servicing is the ability to install an updated side by side component in one central place on the machine, with a directive for the system to automatically redirect all applications that were using the older version to use this version.

Which OSes support central servicing?
Windows XP and above.

What is the issue?
The issue is that MS04-028 fixes a buffer overrun in gdiplus.dll. This DLL was shipped as a Side by Side assembly on Windows XP and above. Applications are known to have shipped a copy of this DLL in their application directories. So there is some confusion as to how to service this DLL. For example, do we need to find and update all these copies? Can we have a central fix and instruct the system to use the newer central copy?

Does the update scan my hard disk and remove or replace all older versions in non-Microsoft applications?
No.

Is it not a concern that the older versions may be left behind in some application directories?
On XP and above, the central update directs the system to ignore the older copies if present in application directories, unless the application author and/or the system administrator have taken explicit steps to bypass the central update.

How can the application or system administrator bypass the central update?
This is usually done by authoring a file (application.exe.config) with instructions to do so, and placing it in the application directory. More details on this can be found in KB Article 835322. Microsoft recommends that application authors follow all guidelines on the safe use of side by side components and not ship their applications with instructions to bypass central updates. Microsoft recommends that administrators use the bypass feature with caution, and not use it at all in the case of critical security updates.

Can I tell if an application I have installed is vulnerable?
The recommendation is to contact the application vendor, check whether they have an update, and install it. If you find an older version of the side by side component in the application directory (see the bulletin for the names and version numbers of the files to look for), then there is a very high chance you will need an update and should contact your application vendor.
If you are on XP or above and you find an older version of the component in the application directory, the following signs can alert you to an attempt to bypass the central update, and you must contact the application vendor for an update, or your system administrator:
- a file called .local is in your application directory, or
- a file that ends with the extension .config is present and it contains the directive <publisherPolicy apply="no"/>
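The checks from the last answer can be run over an application directory tree; the following is an added example, not part of the original page or any Microsoft tool. The function names, finding labels and sample tree are constructed for illustration, any file whose name ends in .local is treated as the .local sign (an assumption), and the script does not read the DLL version, which still has to be compared with the bulletin.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Text fallback for .config files that are not well-formed XML.
POLICY_RE = re.compile(r'<\s*(?:\w+:)?publisherPolicy\b[^>]*\bapply\s*=\s*["\']no["\']', re.I)
# Constructed sample config (not taken from any real product); %s is the apply value.
CONFIG = ('<configuration><windows><assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">'
          '<publisherPolicy apply="%s"/></assemblyBinding></windows></configuration>')

def config_disables_policy(path):
    """True if the file carries a <publisherPolicy apply="no"/> directive."""
    data = Path(path).read_bytes()
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return bool(POLICY_RE.search(data.decode("utf-8", "replace")))
    # Compare local names so a namespaced element still matches.
    return any(e.tag.rsplit("}", 1)[-1] == "publisherPolicy"
               and e.get("apply", "").strip().lower() == "no" for e in root.iter())

def scan_app_dir(root):
    """Return sorted (finding, relative path) pairs for an application directory tree."""
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        rel, name = path.relative_to(root).as_posix(), path.name.lower()
        if name == "gdiplus.dll":      # private copy: check its version against the bulletin
            findings.append(("private-gdiplus-copy", rel))
        elif name.endswith(".local"):  # assumption: any file name ending in .local counts
            findings.append(("dot-local-file", rel))
        elif name.endswith(".config") and config_disables_policy(path):
            findings.append(("publisher-policy-disabled", rel))
    return sorted(findings)

def demo():
    """Build a constructed two-application tree in a temp dir and scan it."""
    files = {"AppA/gdiplus.dll": "", "AppA/AppA.exe.local": "",
             "AppA/AppA.exe.config": CONFIG % "no", "AppB/AppB.exe.config": CONFIG % "yes"}
    with tempfile.TemporaryDirectory() as root:
        for rel, text in files.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text, encoding="utf-8")
        return scan_app_dir(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

To check a real installation, call `scan_app_dir` on the application's directory; a `private-gdiplus-copy` finding together with either of the other two is the combination the answer above says to raise with the vendor or administrator.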