You may have noticed that the MS08-052 bulletin has a workaround that’s a little different than you’re probably used to seeing in our bulletins. That’s because gdiplus.dll, on all OSes after Windows 2000, is stored in something called the Windows Side By Side Cache (WinSxS).
The purpose of the WinSxS cache is to keep old versions of assemblies around in case an application requires a specific version, and doesn’t want newer versions. It’s implemented as a folder under %windir% called winsxs. In that folder, you’ll find a subfolder for each version of each assembly that’s managed by the WinSxS cache, with a copy of the assembly in each folder. When an application tries to load a DLL that’s managed by the WinSxS cache, Windows checks to see if that application has a manifest specifying which version of the DLL it wants. If that information doesn’t exist, the application gets the default version of that DLL.
You probably have many versions of gdilplus.dll on your system right now. That’s why our workaround included a step to restrict access to all files named gdiplus.dll in %windir%\winsxs
for /F "tokens=*" %G IN ('dir /b /s %windir%\winsxs\gdiplus.dll') DO cacls %G /E /R everyone
That way, no matter what version an application requests, it will be unable to load the DLL, and therefore be isolated from the vulnerable code.
After you install the update, clearly you don’t want any application to be able to load one of the old versions that will still be present in the WinSxS cache. That’s why the update includes a WinSxS policy rule that instructs Windows to ignore requests for versions of gdiplus.dll older than the updated one, and to supply the updated one to those applications instead. This is a feature of the WinSxS cache designed for exactly this sort of situation.
- Kevin Brown, SVRD Blogger
*Postings are provided "AS IS" with no warranties, and confers no rights.*