IanG on Tap

Ian Griffiths in Weblog Form (RSS 2.0)

Blog Navigation

August (2014)

(1 item)

July (2014)

(5 items)

April (2014)

(1 item)

March (2014)

(1 item)

January (2014)

(2 items)

November (2013)

(2 items)

July (2013)

(4 items)

April (2013)

(1 item)

February (2013)

(6 items)

September (2011)

(2 items)

November (2010)

(4 items)

September (2010)

(1 item)

August (2010)

(4 items)

July (2010)

(2 items)

September (2009)

(1 item)

June (2009)

(1 item)

April (2009)

(1 item)

November (2008)

(1 item)

October (2008)

(1 item)

September (2008)

(1 item)

July (2008)

(1 item)

June (2008)

(1 item)

May (2008)

(2 items)

April (2008)

(2 items)

March (2008)

(5 items)

January (2008)

(3 items)

December (2007)

(1 item)

November (2007)

(1 item)

October (2007)

(1 item)

September (2007)

(3 items)

August (2007)

(1 item)

July (2007)

(1 item)

June (2007)

(2 items)

May (2007)

(8 items)

April (2007)

(2 items)

March (2007)

(7 items)

February (2007)

(2 items)

January (2007)

(2 items)

November (2006)

(1 item)

October (2006)

(2 items)

September (2006)

(1 item)

June (2006)

(2 items)

May (2006)

(4 items)

April (2006)

(1 item)

March (2006)

(5 items)

January (2006)

(1 item)

December (2005)

(3 items)

November (2005)

(2 items)

October (2005)

(2 items)

September (2005)

(8 items)

August (2005)

(7 items)

June (2005)

(3 items)

May (2005)

(7 items)

April (2005)

(6 items)

March (2005)

(1 item)

February (2005)

(2 items)

January (2005)

(5 items)

December (2004)

(5 items)

November (2004)

(7 items)

October (2004)

(3 items)

September (2004)

(7 items)

August (2004)

(16 items)

July (2004)

(10 items)

June (2004)

(27 items)

May (2004)

(15 items)

April (2004)

(15 items)

March (2004)

(13 items)

February (2004)

(16 items)

January (2004)

(15 items)

Blog Home

RSS 2.0

Writing

Programming C# 5.0

Programming WPF

Other Sites

Interact Software

GDI+ Patch Considered Patchy

Sunday 3 October, 2004, 10:48 PM

I was glad to see that I'm not the only one having trouble applying the GDI+ patch.

I've downloaded the GDI+ detection tool that scans your system telling you whether you have anything not covered by Windows Update that has installed the GDI+ libraries, and is still using an unpatched version. I run it and it tells me this:

The software tool has detected that you are running Microsoft software that may contain a security vulnerability. There are security updates available from Microsoft that fix this security vulnerability.

Note the unhelpful absence of any clue as to which piece of software might be causing the problem.

It does offer this ray of hope:

Would you like to learn more about the security vulnerability as well as the necessary security updates that address it? (Note that if you click No this tool will not prompt you again.)

And if I click on Yes, it takes me here. That page tells me to check the Office Update site. I already have, and I'm patched to the hilt there, thanks. Step 2 I am to ignore, because that is "For Users of Windows Versions Other Than Windows XP or Windows Server 2003" and I'm running XP sp2.

I'm guessing Step 3 is mislabelled because it says "For Windows 2000 Users" but it tells you to visit Windows Update. I would have thought visiting Windows Update was good advice no matter what version of Windows you're running.

I'm fully up to date so far. Then it helpfully suggests that I might like to try running the very tool that took me to this page... Obviously I've already done that. But I do it again, and it tells me exactly what it did last time - apparently I still have a problem, and apparently it's not prepared to tell me how it knows that - I have to keep guessing.

Now although it appears not to be linked to from the page the tool takes you too, I happen to know there's a more detailed page about this issue here. This lists a whole load of products that use GDI+ that are not listed on the page the detection tool takes you to.

But I've run every single patch listed there for the programs I have installed. And still this tool is telling me I have Microsoft software installed that is vulnerable.

Why can't it just tell me which software? Or failing that, at least tell me how it drew that conclusion so I can work out what to do next?

The worrying thing about this is that I'm supposed to know a thing or two about computers and I can't work out what's going on - am I patched and the tool is wrong? Am I missing some patches? So what are the odds of someone who isn't computer literate getting their system patched correctly?

On the plus side, all the programs that are likely to display JPEGs from the internet are patched, so in practice I don't believe I'm at as much risk as I would be if I hadn't run any patches at all. But even so, this is pretty poor.

Copyright © 2002-2013, Interact Software Ltd. Content by Ian Griffiths. Please direct all Web site inquiries to webmaster@interact-sw.co.uk