GDIPLUS.DLL security updates for VFP 8.0 and VFP 9.0

MS security bulletin Vulnerabilities in GDI+ Could Allow Remote Code Execution (957488) lists MS products affected including VFP 8.0 and VFP 9.0. It supersedes MS security bulletin MS08-052 - Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593). I blogged about it at GDI+ security updates for VFP 8.0 and VFP 9.0

There's no security update for VFP 9.0 Service Pack 1. The gdiplus.dll has the file attributes (or later file attributes) that are listed in the following table:
File nameFile versionFile sizeDateTime
Gdiplus.dll5.2.6001.223191,748,99213-Aug-200909:55 EST
The gdiplus.dll can be downloaded directly at Platform SDK Redistributable: GDI+.


Hi Sergey,

does this hold the VFP_GDIPlus.msm as well?


Hi Agnes,

I don't know for sure.

Can you check your merge module folder for datetime of the VFP_GDIPlus.msm? Mine is still 14.12.2004.

Can you also check for the version of gdiplus.dll itself? I have two comps here running W2K and XP but there is no new version of GDIPlus.dll installed.


The VFP_GDIPlus.msm on my PC wasn't updated either.
The update will not install new version of GDIPlus.dll if original VFP installation didn't install it. It could happen when GDIPlus.dll version on PC where never than one that comes with VFP.

So how do we get the new GDIPlus.dll to customers comp the smart way?
I can recreate the msm but I hate this.

A lot of people are using <a href="">Inno Setup</a> that does not require MSM files.

I know.

But I have those old ISD license and all the work in it's scripts. (And no time left for learning the odds of inno setup).

Looks like I fake the msm, it's not that much work with ISD. (^.^)


Hi Sergey,

I've created a <a href="/files/">modified merge module</a> with the updated version. It contains the GDIPlus.dll Version 5.2.6001.22319. All properties exposed to the installer are untouched , except the file version. The new file is 1.010.176 2010/11/05 09.08.18.
It's renamed from "VFP_GDIPlus.msm" to "VFP_GDIPlus_dll.msm". One needs to replace the original "VFP_GDIPlus_dll.msm".


Any idea on how to install this update?

Hi Carlos,

There're a few ways to install updates
<li>Direct download from Microsoft <a href="">Platform SDK Redistributable: GDI+</a>
<li><a href="/files/">Modified merge module</a> created by Agnes
<li>Copy the right version of Gdiplus.dll into your application folder during installation
<li>The runtime installers for VFP 8.0 - VFP 9.0 SP2 from wOOdy's page at that include security fixes and hotfixes.



You stated above that "There's no security update for VFP 9.0 Service Pack 1." But there is: