GDIPLUS.DLL security updates for VFP 8.0 and VFP 9.0

Submitted by Sergey on October 13, 2009 - 19:37 UTC
topic: 
vfp
vfp8
vfp9
security
mskb
update
gdiplus
kb971105
kb971104

MS security bulletin Vulnerabilities in GDI+ Could Allow Remote Code Execution (957488) lists MS products affected including VFP 8.0 and VFP 9.0. It supersedes MS security bulletin MS08-052 - Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593). I blogged about it at GDI+ security updates for VFP 8.0 and VFP 9.0

There's no security update for VFP 9.0 Service Pack 1. The gdiplus.dll has the file attributes (or later file attributes) that are listed in the following table:
File nameFile versionFile sizeDateTime
Gdiplus.dll5.2.6001.223191,748,99213-Aug-200909:55 EST
The gdiplus.dll can be downloaded directly at Platform SDK Redistributable: GDI+.

Comments

Submitted by Agnes on October 30, 2009 - 10:14 UTC
Hi Sergey,

does this hold the VFP_GDIPlus.msm as well?

Agnes

Submitted by Sergey on October 30, 2009 - 10:41 UTC
Hi Agnes,

I don't know for sure.

Submitted by Agnes on October 30, 2009 - 10:49 UTC
Can you check your merge module folder for datetime of the VFP_GDIPlus.msm? Mine is still 14.12.2004.

Can you also check for the version of gdiplus.dll itself? I have two comps here running W2K and XP but there is no new version of GDIPlus.dll installed.

TIA

Submitted by Sergey on October 30, 2009 - 10:58 UTC
The VFP_GDIPlus.msm on my PC wasn't updated either.
The update will not install new version of GDIPlus.dll if original VFP installation didn't install it. It could happen when GDIPlus.dll version on PC where never than one that comes with VFP.

Submitted by Agnes on October 30, 2009 - 11:17 UTC
So how do we get the new GDIPlus.dll to customers comp the smart way?
I can recreate the msm but I hate this.

Submitted by Sergey on October 30, 2009 - 11:21 UTC
A lot of people are using <a href="http://www.jrsoftware.org/isinfo.php">Inno Setup</a> that does not require MSM files.

Submitted by Agnes on October 30, 2009 - 11:33 UTC
I know.

But I have those old ISD license and all the work in it's scripts. (And no time left for learning the odds of inno setup).

Looks like I fake the msm, it's not that much work with ISD. (^.^)

Agnes

Submitted by Agnes on November 5, 2010 - 12:56 UTC
Hi Sergey,

I've created a <a href="/files/VFP_GDIPlus_dll.zip">modified merge module</a> with the updated version. It contains the GDIPlus.dll Version 5.2.6001.22319. All properties exposed to the installer are untouched , except the file version. The new file is 1.010.176 2010/11/05 09.08.18.
It's renamed from "VFP_GDIPlus.msm" to "VFP_GDIPlus_dll.msm". One needs to replace the original "VFP_GDIPlus_dll.msm".


Agnes

Submitted by Carlos Alloatti on December 23, 2010 - 21:33 UTC
Any idea on how to install this update?

Submitted by Sergey on December 23, 2010 - 23:04 UTC
Hi Carlos,

There're a few ways to install updates
<ul>
<li>Direct download from Microsoft <a href="http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=6a63ab9c-df12-4d41-933c-be590feaa05a#tm">Platform SDK Redistributable: GDI+</a>
<li><a href="/files/VFP_GDIPlus_dll.zip">Modified merge module</a> created by Agnes
<li>Copy the right version of Gdiplus.dll into your application folder during installation
<li>The runtime installers for VFP 8.0 - VFP 9.0 SP2 from wOOdy's page at http://code.msdn.microsoft.com/FoxPro/Release/ProjectReleases.aspx?ReleaseId=125 that include security fixes and hotfixes.

</ul>

Sergey

Submitted by Jon on November 3, 2015 - 20:50 UTC
You stated above that "There's no security update for VFP 9.0 Service Pack 1." But there is: https://support.microsoft.com/en-us/kb/955369