
GDI+ manifest dependency

Asked By znakeeye
13-Nov-09 09:40 AM
My application is dependent on GDI+. Since gdiplus.dll has a history
of critical exploits, I think it would be reasonable to require the
latest version. I put this in my application, and it seems to work
(the manifest points to the latest GDI+ version):

name='Microsoft.Windows.GdiPlus' version='1.0.6001.22319'
processorArchitecture='x86' publicKeyToken='6595b64144ccf1df'
language='*'


Is this a good approach?


Chris Becke replied to znakeeye
13-Nov-09 06:55 AM
I would be very nervous explicitly targeting the latest version of
gdi-plus.

It would seem that a rational application would target the base version
that is known to be installed on XP or 2003

http://msdn.microsoft.com/en-us/library/aa376609(VS.85).aspx

The cool thing is, because the latest versions are installed with policy
files containing version redirection, your application will end up using
the most recent version (that is compatible with the version you
originally targeted) that has been installed via service packs or
security updates.

I do not buy the argument that it's good (security-wise) for applications
to target the most recent version of a library in an effort to force
end users to upgrade old libraries (even if the old libraries do contain
known exploits).

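The redirection Chris describes can be shown end to end. The following is an added example, not code from the thread: it models a Win32 side-by-side (SxS) binding of the manifest fragment from the question against a publisher policy file of the kind a service pack drops into WinSxS (the policy XML, the version list and the resolution rules are constructed, simplified assumptions; the assembly name and publicKeyToken are the ones from the thread). It shows that targeting the base version 1.0.0.0 still binds the newest installed build, while targeting an explicit latest build fails to bind on a machine that has not received that update.

```python
"""Simplified model of Win32 SxS version redirection for a GDI+ dependency.

Constructed example: an application manifest that depends on the base GDI+
identity, a publisher policy like those installed by security updates, and an
assumed list of versions present in WinSxS. The resolution rules are a
simplification of the real loader, written only to illustrate the mechanism.
"""
import xml.etree.ElementTree as ET

NS = {"asm": "urn:schemas-microsoft-com:asm.v1"}

# Constructed application manifest: depends on the base GDI+ identity.
APP_MANIFEST = """
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.Windows.GdiPlus"
        version="1.0.0.0" processorArchitecture="x86"
        publicKeyToken="6595b64144ccf1df" language="*"/>
    </dependentAssembly>
  </dependency>
</assembly>
"""

# Constructed publisher policy (assumed content): every request inside
# oldVersion is redirected to newVersion.
POLICY = """
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity type="win32-policy" name="policy.1.0.Microsoft.Windows.GdiPlus"
    version="1.0.6001.22319" processorArchitecture="x86"
    publicKeyToken="6595b64144ccf1df"/>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.Windows.GdiPlus"
        processorArchitecture="x86" publicKeyToken="6595b64144ccf1df"/>
      <bindingRedirect oldVersion="1.0.0.0-1.0.6001.22318"
        newVersion="1.0.6001.22319"/>
    </dependentAssembly>
  </dependency>
</assembly>
"""

# Assumed set of GDI+ versions present in WinSxS on the modelled machine.
INSTALLED = {"1.0.0.0", "1.0.2600.5512", "1.0.6001.22319"}


def ver(s):
    """Parse a dotted four-part version into a comparable tuple."""
    return tuple(int(p) for p in s.split("."))


def requested_dependencies(manifest_xml):
    """Return (name, version, publicKeyToken) for each dependency in an app manifest."""
    root = ET.fromstring(manifest_xml)
    return [(i.get("name"), i.get("version"), i.get("publicKeyToken"))
            for i in root.findall(".//asm:dependentAssembly/asm:assemblyIdentity", NS)]


def redirects(policy_xml):
    """Return [(name, token, (low, high), newVersion)] from a policy file."""
    root = ET.fromstring(policy_xml)
    out = []
    for dep in root.findall(".//asm:dependentAssembly", NS):
        ident = dep.find("asm:assemblyIdentity", NS)
        for br in dep.findall("asm:bindingRedirect", NS):
            low, high = br.get("oldVersion").split("-")
            out.append((ident.get("name"), ident.get("publicKeyToken"),
                        (ver(low), ver(high)), br.get("newVersion")))
    return out


def resolve(name, version, token, policies, installed):
    """Simplified binding: apply the first matching redirect, then require the
    resulting version to be installed. Returns the bound version or None."""
    bound = version
    for p_name, p_token, (low, high), new in policies:
        if p_name == name and p_token == token and low <= ver(version) <= high:
            bound = new
            break
    return bound if bound in installed else None


def bind_app(manifest_xml, policy_xml, installed):
    """Resolve every dependency of an app manifest; returns {name: version or None}."""
    pol = redirects(policy_xml)
    return {name: resolve(name, version, token, pol, installed)
            for name, version, token in requested_dependencies(manifest_xml)}


if __name__ == "__main__":
    # Base-version target: redirected to the newest installed build.
    print(bind_app(APP_MANIFEST, POLICY, INSTALLED))
    # Explicit latest target on a box without that update: nothing to bind to.
    print(resolve("Microsoft.Windows.GdiPlus", "1.0.6001.22319", "6595b64144ccf1df",
                  redirects(POLICY), {"1.0.0.0", "1.0.2600.5512"}))
```

The two calls at the bottom are the two approaches discussed: the base-version manifest binds to 1.0.6001.22319 through the policy, whereas the explicit 1.0.6001.22319 manifest returns None on a machine that only has the older builds, which is the failure mode an installer would have to paper over by shipping the redistributable.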

znakeeye replied to Chris Becke
13-Nov-09 09:40 AM
Thanks for your reply.

I agree with you, but I wanted to hear it from somebody else.

So basically, targeting "any" version of GDI+ makes the user
responsible for using an up-to-date Windows installation? I am just
afraid many users do not update their systems and therefore my
application would be a possible target for hackers...


Chris Becke replied to znakeeye
13-Nov-09 09:14 AM
That is true. But... well, I do not think it is a good idea to require
users to source the latest version of gdiplus themselves. If you bundle
the gdiplus redistributable installer, I'd see nothing wrong with
targeting the bundled version.

If you care about making money in software you have to be aware of
filter effects. Each discrete step that users are expected to do reduces
the number of users who pass that step. So, out of every 'N' users who
hear about your program, some % will download it. Some % of the
downloaders (not 100%) will actually start the install.exe.

Those who finish the install (again, a % less than those that started
the install, especially if you ask for any kind of registration info)
will actually run your program.

If you introduce a "please download and install this other package"
step, you will filter out again another % of your potential final users.