MikeShaw's WebLog

Developer Security and other stuff

September 2004 - Posts

Visual Studio .NET and .NET Framework 1.0 need patching

Hopefully this is old news to everyone, but just in case it isn't...

The JPEG GDI+ buffer overrun vulnerability affects multiple software applications, each of which needs to be patched individually. Visual Studio .NET 2002 and 2003 as well as the .NET Framework 1.0 SP2 all need patching following the MS04-028 security bulletin. Here are the most common patches that a developer like you might have installed:

Microsoft Visual Studio .NET 2002 and  – Download the update (KB830348)

Microsoft Visual Studio .NET 2003 – Download the update (KB830348)

The Microsoft .NET Framework version 1.0 SDK Service Pack 2 – Download the update (KB867461)

Microsoft Platform SDK Redistributable: GDI+ – Download the update

Don’t forget desktop applications like Office and Visio are affected too. Check out this link for a complete list of affected software; there may be more you’ve missed: http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

I shall write more on the topic of why the GDI+ DLL patching has been so tricky in the near future...

Until then... happy patching!

Time to get personally connected on MSDN UK

I have always been astounded by the sheer volume of content that is available on MSDN. Sadly, like security, the more of it there is, the harder it is to use! Search engines can be a great help in finding what you need, but not so good at finding updated or new information.

 

So, the MSDN team in Reading, UK, have come up with MSDN Connection.  Lindsey Langedijk (she’ll probably kill me for mentioning her name in public ;-))  has done a great job in driving the creation of a personalised view of content, sliced and diced by the topics you select.  But there’s more!  It is now also possible to subscribe to an RSS feed of your selected content.  Very cool and only the beginning.  Sign-up today and keep coming back to MSDN UK for more great innovations in the months to come…

 

http://www.microsoft.com/uk/msdn/preferences.aspx

 

Footnote:

Now, I know some of you may be a little put off because this service uses .NET Passport to allow you to save your preferences. .NET Passport really is only an Authentication Service and all your personal and private data is not shared or used for anything you don’t choose, so if you haven’t got a Passport, then please may I encourage you to take this opportunity to sign up. When you do sign up, always make sure that the box marked ‘let Microsoft use this email address’ (or words to that effect) is checked because if you uncheck it, we will be obliged to remove you from any other mailing lists you may already be on at Microsoft, to comply with the UK’s Data Protection Act.

Posted: Sep 17 2004, 03:12 PM by mikeshaw | with 1 comment(s)

Is Linus Torvalds secretly working for Microsoft?

An interesting article about the cost of Windows vs the cost of certain Linux deployments: http://www.forbes.com/enterprisetech/2004/08/31/cz_dl_0831msft.html. Read and enjoy ;-)

Posted: Sep 02 2004, 06:21 PM by mikeshaw | with 3 comment(s)

Microsoft Technical Briefing on 4th October at Wembley Conference Centre, London.

There is only just over a month to go before I will be speaking at the Technical Summit at the Wembley Conference Centre, London. The day will begin with Rafal Lukawiecki, Director of Project Botticelli Ltd, talking about Threat Modelling for secure design, then I will have a session on Security tips for developers. After lunch Rafal is back to talk about the features of Windows XP SP2 that developers need to be aware of and how to take advantage of them. After that, practical lessons from the frontline with the Government Gateway will describe the experiences of deploying Secure Web Services in the real world. To finish the day, our very own Steve Ballmer will address the audience. Oh, I nearly forgot: throughout the day we will be trying a first for these sorts of events, chalk and talk sessions where a handful of attendees will be able to get a little more interactive on the topics under discussion. Oh, yeah, there is an ITPro (security infrastructure) track as well ;-)

 

To register, click here, but hurry – spaces are limited!

Microsoft Baseline Security Analyzer V1.2.1 ready for Windows XP SP2

There is now an updated version of the Microsoft Baseline Security Analyzer. MBSA is a tool that can be used to validate the configuration and patch status of computers on your network. It is a BASELINE tool, i.e. it gives you a place to start with your security configuration.

 

New improvements in MBSA V1.2.1 include:

• Support for Windows XP Service Pack 2 security enhancements

• Clear guidance for locating updates and necessary actions

• Prioritize results more easily by showing summary counts for each score

 

Localization:

• MBSA releases are available for German, Japanese, and French.

• The mssecure.xml file will be localized to these four languages and will be automatically downloaded and used by the tool when a German, Japanese, or French machine is scanned once they are available in the Microsoft Download Center.

 

Additional Product Support:

• MBSA can scan for security updates in the following products:

• Microsoft Office (local scans only; see list of products)

• Exchange Server 2003

• MDAC 2.5, 2.6, 2.7, and 2.8

• Microsoft Virtual Machine

• MSXML 2.5, 2.6, 3.0, and 4.0

• BizTalk Server 2000, 2002, and 2004

• Commerce Server 2000 and 2002

• Content Management Server 2001 and 2002

• Host Integration Server 2000, 2004, and SNA Server 4.0

 

Alternate File Version Support (allows multiple sets of file details to be checked in security updates scan)

 

Additional Configuration Checks:

• Internet Connection Firewall configuration check

• Automatic Updates configuration check

• Internet Explorer zone configuration checks (custom Internet Explorer zone interpretation, Internet Explorer Enhanced Security Configuration checks for Windows Server 2003)

• MBSA tool version check (for new MBSA releases)

 

Additional MBSA CLI Switches (-unicode, -nvc)

 

You can get more details and download from: http://www.microsoft.com/technet/security/tools/mbsahome.mspx
