Windows Update confusion

Nelson Minar's experience with MS04-028 (the JPEG virus) mirrors my own:

Windows Update is one of the great unheralded Microsoft technologies. It really works. Well, mostly. I downloaded the various JPEG fixes from them and thought I was safe until I ran GDI Scan, a deep scan tool that tries to find vulnerable versions of the DLL. And it found a vulnerable version, C:\WINDOWS\system32\gdiplus.dll.

Now what do I do? I don't know where to get an update. Do I have to install Service Pack 2? Does that even fix the problem? I'm a software professional and I'm confused. What does the other 99% of the world do? [Nelson Minar: JPEG Vulnerabilities in Windows]
It's a great question. I recently patched a handful of Windows XP boxes, with varying combinations of XP Home or Pro, Service Pack 1 or 2, Office 2000 or XP. One of these boxes hadn't been updated in a while, which meant that the first thing Windows Update had to do was update itself. I'll bet a fair number of users would conclude that was the update and call it a day.

There were lots of other hoops to jump through. As Dan Farber observes, Firefox users need to switch back to MSIE. Office Update asks for the activation codes on CDs that many people will have lost. At one point you're invited to scan for other affected software, then told that the scan is only relevant to pre-XP systems, and redirected back to the Windows Update procedure that you were already in the middle of.

Microsoft was fairly aggressive about getting these patches out, but if the process of applying them bewildered me -- as it did Nelson -- there's no way civilians will find it comprehensible. Or that they'll locate and use the third-party GDI scanner which does a complete survey of your system, unlike Microsoft's own GDI scanner. Of course maybe that's just as well if, after finding a vulnerable copy of gdiplus.dll, even a savvy professional is left wondering "Now what do I do?"

It's really a shame that egress filtering, a la ZoneAlarm, didn't make it into XP SP2. I know Microsoft felt it might confuse people, but would it confuse them any more than a byzantine patch procedure whose outcome is uncertain?

Update: Phil Mitchell wrote to point out a tutorial that gives a concise explanation of how to use Tom Liston's GDI scanner. Thanks, Phil!

Former URL: