Does OE have the GDIplus security flaw?

Author Message
Guy Burkill 09/20/2004 09:00 am
I'm contacting you because I'm very worried about the major security flaw recently found in GDIplus, allowing a PC to be taken over by viewing a malformed JPEG file.

Last week Windows Update published a tool that checked for MS products that have the flaw. See http://www.microsoft.com/security/bulletins/200409_jpeg_tool.mspx

But the MS tool says nothing about 3rd party products. Does this major flaw affect Offline Explorer pro? I'd really be grateful for your reassurance. (And as a jpeg viewing tool, you should explain the position on your website: FAQ?).

Thanks!
gb
Oleg Chernavin 09/20/2004 09:23 am
Thank you for asking!

Yes, Offline Explorer could be affected by this flaw, because its Internal Browser is in fact an embedded window of MS Internet Explorer. If MS IE is not patched, viewing JPEG files may be a problem (however there are still no JPEG viruses found).

Anyway, it is recommended to apply the JPEG issue patch from Microsoft, which will cure the problem. There are no other issues related to Offline Explorer and JPEG files. The code that is being used by Offline Explorer to parse JPEG files and get their dimensions (in pixels) is absolutely safe and it cannot be a source of any security flaw. It doesn't read the whole JPEG file, but only its header, which doesn't contain any virus part.

Best regards,
Oleg Chernavin
MP Staff
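
The reply above describes reading only the JPEG header to get pixel dimensions. As an added illustration (not Offline Explorer's code, which is not shown in this thread), a header-only dimension reader in C that validates every segment length before using it as an offset; the function name, error codes and sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct jpeg_dim { int err; unsigned width, height; };   /* err == 0 on success */

/* Walk the marker segments in buf[0..len) and stop at the first frame header
 * (SOFn). Every length is checked before it is used as an offset. */
struct jpeg_dim jpeg_dimensions(const uint8_t *buf, size_t len)
{
    struct jpeg_dim d = { -1, 0, 0 };
    size_t pos = 2;

    if (len < 4 || buf[0] != 0xFF || buf[1] != 0xD8)
        return d;                                        /* -1: no SOI marker */
    while (pos + 4 <= len) {
        uint8_t m = buf[pos + 1];
        if (buf[pos] != 0xFF) { d.err = -2; return d; }  /* lost marker sync */
        if (m == 0xFF) { pos++; continue; }              /* fill byte */
        if (m == 0x01 || (m >= 0xD0 && m <= 0xD7)) { pos += 2; continue; }
        if (m == 0xD9 || m == 0xDA) { d.err = -3; return d; } /* no SOF seen */
        size_t seglen = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        if (seglen < 2) { d.err = -4; return d; }        /* length counts itself */
        if (seglen > len - (pos + 2)) { d.err = -5; return d; } /* past buffer */
        if (m >= 0xC0 && m <= 0xCF && m != 0xC4 && m != 0xC8 && m != 0xCC) {
            if (seglen < 7) { d.err = -6; return d; }    /* too short for H/W */
            d.height = ((unsigned)buf[pos + 5] << 8) | buf[pos + 6];
            d.width  = ((unsigned)buf[pos + 7] << 8) | buf[pos + 8];
            d.err = 0;
            return d;
        }
        pos += 2 + seglen;                               /* next marker */
    }
    d.err = -7;                                          /* ran out of data */
    return d;
}

/* Constructed sample inputs (not taken from any real file). */
static const uint8_t sample_ok[] = { 0xFF,0xD8, 0xFF,0xE0,0x00,0x04,'J','F',
    0xFF,0xC0,0x00,0x0B,0x08,0x01,0xE0,0x02,0x80,0x01,0x01,0x11,0x00 };
static const uint8_t sample_short_len[] = { 0xFF,0xD8, 0xFF,0xE0,0x00,0x01, 0,0 };
static const uint8_t sample_truncated[] = { 0xFF,0xD8, 0xFF,0xE0,0x00,0x10,'J','F' };

int main(void)
{
    struct jpeg_dim d = jpeg_dimensions(sample_ok, sizeof sample_ok);
    printf("err=%d width=%u height=%u\n", d.err, d.width, d.height);
    return d.err;
}
```

The two malformed samples are rejected before any read past the supplied buffer: one declares a segment length smaller than the length field itself, the other declares a segment longer than the remaining data.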
Guy Burkill 09/20/2004 10:03 am
And thank you for responding so fast!
So as I understand it, if I've patched IE (e.g. by running XP SP2) then OE is also made safe and there's no need for any additional patch.
Thanks for the reassurance!
gb
Oleg Chernavin 09/20/2004 10:20 am
You are welcome!

Oleg.