MS08-052: Vulnerabilities in GDI+ - Visual Studio 2008

(imported topic written by SystemAdmin)

We just realized we are not able to push this out using BigFix. The fixlet states: “Note: Due to the complexity of this patch, it must be completed manually”.

I dunno, seems kinda funny. I just applied the patch manually to a test system and all it took was this:

"ReportViewer.exe" /q

"VS90-KB952241-x86.exe" /q /norestart

Looks like the only prereq is .net 3.5 and installer 3.

Now upper management is asking why our patch management solution can’t patch our environment. We are creating a custom fixlet, but this seems like a big omission by BigFix. If MS can patch it via windows update, BigFix should be able to do it as well.

Thoughts, Comments, Official Response?

(imported comment written by BenKus)

Hi jspanitz,

There are 54 Fixlets for all different applications associated with this bulletin. It looks like only the Visual Studio Fixlets can’t be installed. I will check with the Fixlet team, but usually this means that there is a significant problem with patch deployment that can cause problems.

I am also intrigued that the Visual Studio Patches are rated as a “Security Rating” of “None”…

Ben

(imported comment written by SystemAdmin)

Thanks Ben. I am basing the patch requirements off of the windows update site.

I’m interested in hearing what you come up with.

I do see that it has a security rating of None. Weird.

(imported comment written by jeremylam)

From what I understand, the vulnerability does not lie in Visual Studio itself, but the applications that it creates. From the Security Bulletin FAQ:

Customers are potentially at risk if third party applications do not follow the recommended best practices and instead redistribute an old version of gdiplus.dll with their application.

(imported comment written by rwest23)

Hi jspanitz,

BigFix tested this Fixlet several times and found that in almost all cases it failed with a “Hotfix Installer Error,” indicating to us that the patch was not reliable and should not be able to be deployed through our published content. However, you are welcome to attempt to deploy the patch through a Fixlet, just please be aware that you do so at your own risk. I’ve uploaded a Fixlet with action included here. Please let us know if you have any other questions.

Randy

(imported comment written by SystemAdmin)

Much appreciated! We have not had the failure issue you had. The fixlet is appreciated (Weird you had to host it on a free file sharing site)!

(imported comment written by BenKus)

Hi jspanitz,

Randy didn’t have access to our download servers to post it… I put it up (and updated his link):

http://software.bigfix.com/download/bes/fixlet/805239-MS08-052.bes

Right-click save to download…

Ben

(imported comment written by SystemAdmin)

Excellent. Thanks Again!

John