GDI+ Tool in Oct. Security Updates

Updates for seven critical and three important vulnerabilities, as well as additional information and a new vulnerability-detection and update installation tool for the GDI+ vulnerability, were included in Microsoft’s Oct. 2004 monthly security posting. Administrators need to analyze the monthly posting carefully to determine the full extent of an organization’s risk, because once again the monthly update includes cumulative updates for both Windows and Internet Explorer (IE) that patch multiple problems. Microsoft also acknowledged a newly reported vulnerability in ASP.NET for which a workaround is available. (For a chart summarizing these updates, see “Oct. 2004 Update Summary“.)

New Tool and Guidance for GDI+

Perhaps as important as the information about new updates is the release of an enterprise detection and update tool for the GDI+ vulnerability discovered in Sept. 2004. The GDI+ vulnerability affected many Microsoft and third-party products that redistributed the vulnerable component, making it particularly difficult to find all the instances that needed patching. (For more information on the GDI+ Vulnerability, see “Graphics Files Pose Threat” on page 17 of the Oct. 2004 Update.)