Dealing with Microsoft Corp.s pernicious GDI+ JPEG buffer overrun condition (Microsoft Security Bulletin MS04-28) can be daunting for enterprise administrators, eWEEK Labs has found. Due to the relative ease with which exploits based on this vulnerability can evade existing security solutions distributed throughout the network, we recommend that administrators waste no time in deploying the necessary fixes.
Early exploits based on this vulnerability are already circling the Internet. These exploits will cause infected machines to automatically download and install Trojan horse applications or open a command shell accessible to remote hosts.
Unfortunately, the first generation of tools designed to detect the vulnerable versions of the GDI+ libraries used to render JPEG images are a sorry lot indeed, and the number of vulnerable applications is staggering.
Microsofts first crack at a GDI+ Detection Tool was designed to be run individually on a system-by-system basis, and it scans only for a static list of Microsoft applications. Scans report definite or possible vulnerabilities and point users to the Windows and Office Updates sites—without actually specifying which applications are vulnerable. The tool does not scan for libraries installed by third-party applications.
Likewise, Microsofts Systems Management Server and its underlying MBSA (Microsoft Baseline Security Analyzer) Version 1.2.1 detection engine—while offering remote detection capabilities—still offer the bare minimum of information and only for Microsoft applications.
Other GDI+ detection tools available on the Web, such as those from The SANS Institutes Internet Storm Center, are more robust in detecting and reporting all related GDI+ libraries located on a given drive, with relevant version and vulnerability status. Yet these tools are not scalable across hundreds or thousands of systems.
The SANS GDI Scan tool is available with a graphical interface or in a command-line version that may be integrated into customized detection scripts, but combing through the resultant plethora of log files is time-consuming when attempting to scan hundreds or thousands of machines.
On Oct. 12, Microsoft finally released an enterprise-ready detection tool; Microsoft Article ID KB 886988 introduced a command-line-based scanner that can be executed from log-in or startup scripts (support.microsoft.com/kb/886988).
In preliminary tests, we found that the command-line scanner effectively identified missing patches for Microsoft applications. Administrators gain a bounty of resulting log files, but the tools real power comes from its ability to also deliver necessary patches.
It took some effort to build a share with the proper folder structure that included all the necessary patches, but once that was done, we found that deployment worked without a hitch for operating system, Internet Explorer and Office patches alike. Unfortunately, this tool still does not address third-party applications.
Third-party patching solutions such as PatchLink Corp.s PatchLink Update or BigFix Inc.s Enterprise Suite are better still at detecting Microsofts vulnerabilities. However, vulnerable third-party applications are more complicated to detect. Even if third-party applications install their own vulnerable libraries, they may or may not use the libraries to render images. Each application vendor should be contacted directly for relevant data.
To find possibly vulnerable third-party applications, we recommend starting by using SANS GDI Scan on freshly imaged hosts. This will provide a base-line picture of which potentially vulnerable applications are regularly deployed and which vendors must be consulted for more data.
Vulnerability scanners such as Qualys Inc.s QualysGuard are also somewhat effective at detecting vulnerable third-party applications deployed on active systems. Vulnerability scanner vendors regularly update detection signatures to reflect the latest known vulnerable third-party applications, so regular scanning with the latest signatures will continue to cull vulnerable implementations.
Agents for various solutions can be effective for detecting GDI+ libraries on certain active systems. The PatchLink Update agent or InfoExpress Inc.s CyberGatekeeper LAN agent are examples of host-based agents that can be configured to seek out GDI+ libraries and report version information back to a central console.
In addition, anti-virus solutions offer a measure of security against attacks. Anti-virus software vendors quickly generate heuristic rules to find exploited images created with early versions of exploit tool kits found on the Web. However, more-sophisticated future exploits will undoubtedly elude these heuristic detection engines, so these programs should not be used to avoid prompt patching.
Next page: Pegging the JPEG vulnerability.
Research Assistant
