Flaw in Microsoft JPEG Parsing
KDan writes "As reported by numerous sources, a new vulnerability has been disclosed (and patched) by Microsoft. This one concerns the parsing of JPEGs in XP Microsoft applications. A buffer overflow can be used to execute arbitrary code. So all those times you told your parents/friends that looking at images was safe - well, not anymore."
...you obviously never saw goatse...
Give me a job. Please?
Don't trust outside data. Don't developers think of these things?
Wait, stupid question.
If a small company releases a product and people get harmed, the lawyers descend like a pack of wolves to sue them.
Why doesn't someone sue Microsoft? After all people sue companies all the time even if the product in question has warning labels.
"So all those times you told your parents/friends that looking at images was safe - well, not anymore."
Looking a kiddie porn isn't safe.. that can get you many years in jail.
(Glad I stuck with IE 5.01 sp3 on NT)
Man...talk about attack vectors. This would make a killer (as in bad) worm.
IM
Email
Browsers (probably several)
Anything....heck just copy exploit code to every accessible jpg file on a machine and/or network.
As usual, the writers of the "mitigating factors" section don't seem to have much imagination.
Remember the airpwn project? You could trojan/crack every unpatched machine on a wireless network who pulls up a web browser. And what about those folks who whacked interlands proxies to inject code? Just inject jpgs.
Does anyone know if this can be 'stealth' injected into a JPG (like some of those mp3 issues), or is it standalone exploit code?
The problem is not "forcing" people to open attachments, the problem has always been that people open attachments.
Are not affected, unless they have Office installed.
and i was always telling everyone from the start, download your porn in png format.
Marge, get me your address book, 4 beers, and my conversation hat.
...Everyone else uses libJPEG.
Any bets on how long it'll be until someone finds either a hole in the Microsoft PNG decoder or libJPEG? We've had holes in libPNG and Microsoft's JPEG decoder.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
I've been telling people for years "no, you can't get a virus from things like a JPEG picture. You're fine."
Now this. Considering how many bugs are reported in all versions of MS software, it is entirely possible that there are PERSONAL bugs. "This one is for Charles. Let's fuck with him."
Sigh...
-Charles
Learning HOW to think is more important than learning WHAT to think.
The parent post has been flagged for violation of the "Anti Buzzword Use Act". Specific violation: use of the phrase "attack vector". Sanction: exile from use of any computer, writing utensil or paint brush for 10 years.
Call me old school, but remember back in the day when opening e-mail was ok, and that executable attachments were what we watched out for? Images were ok, MIDI files were ok, and a bit later, even MP3 files were ok.
Of course if the same codebase were used then, it NEVER was ok...but we sure thought things were juuuust fine.
Is this any way related to the leaked code that led to a vuln discovery regarding BMP files? I know it's a different format but seems like parsing image files spells some trouble.
there have been lots of image exploits put out there.
if memory serves there was even a png patch for linux this past summer.
gif exploits have been around for a while too.
the real worry here, as with most M$ security releases is how long they knew about it, and whether they waited until SP2 was released so they could say that their new software didn't have that vulnerability.
microsoft security department, we take orders from marketing!
---------
WAP software
They should forget about Internet Explorer and try their hand on a different line of software...
The problem with socialism is that they always run out of other people's money. - Margaret Thatcher
Don't worry folks, you can still get your pr0n without getting a social disease...
www.asciipr0n.com
Who said looking at Pr0n was safe?
I like the phrase "no way to force users to visit a malicious Web site". How many users have image views enabled in their mail client? How hard would it be for a shady advertiser or a hacked advertiser to include a malicious JPEG as a banner ad?
This exploit has been around for at least two years. I've heard of people getting owned through AIM direct connections in particular. While I'm sure it would be fun to play around with, I suspect most programs wouldn't be vulnerable anyways (Microsoft products aside).
... you think?
"The dew has clearly fallen with a particularly sickening thud this morning"
The BMP remote flaw.
What kind of a world do we live in where you have to be careful opening pictures and movies?!!?!
You fool! Everybody knows that pr0n messes up your computer!
So why did you have to start a thread about it too?
Jeez, I've been turned down so many times for relevant articles on here; how come this crap that we've all already read elsewhere, that isn't even that interesting, still gets let through?!
Jeez, next there will be reposts about a map of the Simpsons' town, oh wait....
#include <sig.h>
pfft...maybe now they'll fully support AOL's .art files. Serves them right.
*ducks*
If you think
Moran.
Now even porn is bad for us...
------ The best brain training is now totally free : )
The parent post has been flagged for violation of the "Anti Buzzword Use Act". Specific violation: use of the phrase "attack vector".
You're right, I should have said "Airpwn could leverage the synergies of this vulnerability and streamline the deployment...with or without interactive buy-in by stakeholders"
Seriously, if you're going to be cute about buzzwords, at least wait until someone uses a real buzzword..."attack vector" is a real term and hasn't reached convergence in the buzzword mindshare yet.
While normally I shrug off most Slashdot anti-MS FUD, I've got to admit, this one's going to be a huge pain in the ass to roll out.
Normally, I just read the whitepapers, run a test on a workstation, then roll out a Windows update using the free SUS server. This one, I'm going to have to roll out the update (just for XP SP1 users), figure out an update plan for Office, figure out who actually uses those image programs, etc.
And here's a question: SP2 isn't affected. Why didn't they roll out this fix in SP1 *before* rolling out SP2, if they clearly knew it needed fixing? Most companies I know (mine included) are in the middle of testing SP2 migration plans. This adds another wrinkle to the whole process.
Before you get too high and mighty, check this article from just 4 days ago.
PNG is designed for compressing cartoon images. Though a lot can be found on the various hentai newsgroups and alt.binaries.pictures.erotica.disney, not everybody is into that.
Are you using IE? Shame on you. Go get Firefox.
Sounds like you've got ad-ware.. is this on IE? If so then nothing's off-limits; if not IE then that's just weird..
This comment does not represent the views or opinions of the user.
You don't allocate a buffer of fixed length unless you're lazy. You find out how long the input is, allocate a buffer big enough to fit then move the input to the buffer. When you're done you deallocate the buffer. Simple, safe and easy. I guess Micro$oft coders never learned how to practice safe hex.
Good, inexpensive web hosting
Microsoft made it possible.
When you assumed you couldn't get attacked by loading a web page?
Microsoft made it possible, too.
When you swore you couldn't get infected just by receiving e-mail?
Microsoft made it possible, again.
And now, by the very same people who gave you all that...
The JPEG parser vulnerability!!!
God, this company has really brought innovation to the industry!
I'm not vulnerable: I surf the web with my eyes closed. [insert "patch" joke here]
Try getting the patch without using Windows Update. Can be done, but they don't make it easy. No help here
Update's too slow over dial up, and Comcast and Qwest already get too much of my money.
Never let a lack of data get in the way of a good rant.
... at the horrendous software implementation errors that people are still making in this day and age. *There is no reason for buffer overflows to happen* . Every PC bought in the last five years (at least) is fast enough to bounds check every array / buffer access for all but the most performance-driven applications. Loading a JPEG from a stream is IO-bound enough for bounds checking to be negligible.
From what I read, I gather that buffer overflows account for a large portion of all platform vulnerabilities - Intel & AMD have even implemented a 'no execute' feature in their latest CPUs to go some way toward counteracting this. I see this as useful, but perhaps overkill - it is *simple* to avoid buffer overflows, and the 'no execute' feature could potentially impede development of programs that generate code on the fly (such as Java VMs). The low-level programmers that have been developing C for 20 years just need re-educating. Somebody should tell them computers run at more than 8 MHz now...
(That last comment is not meant to be taken too seriously)
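The two comments above (size the buffer to the actual input; bounds-check every buffer access) describe the checks a JPEG segment parser needs. As an added example, not code from the page or from Microsoft's GDI+, here is a small C walker over JPEG marker segments that validates each segment's declared length against the remaining input and copies a COM payload only when it fits its fixed buffer; the byte streams are constructed for this example, and since the page does not describe the specific GDI+ defect, the code illustrates the class of check rather than that bug.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum jpeg_status {
    JPEG_OK = 0,
    JPEG_ERR_NO_SOI,           /* stream does not start with FF D8 */
    JPEG_ERR_LOST_SYNC,        /* expected a 0xFF marker prefix */
    JPEG_ERR_TRUNCATED,        /* segment claims more bytes than exist */
    JPEG_ERR_BAD_LENGTH,       /* length field < 2: payload would wrap */
    JPEG_ERR_COMMENT_TOO_LONG  /* COM payload does not fit the buffer */
};

#define COMMENT_MAX 64  /* the fixed-size buffer the checks must protect */

/* Walk marker segments up to SOS or EOI. Each segment's 16-bit big-endian
 * length counts the two length bytes themselves, so payload = length - 2.
 * A parser that trusts that field and does memcpy(dst, src, length - 2)
 * into a fixed buffer is the classic overflow; here every step is checked. */
enum jpeg_status jpeg_walk(const uint8_t *buf, size_t len,
                           char *comment, size_t *segments)
{
    size_t pos = 2;
    *segments = 0;
    comment[0] = '\0';
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8)
        return JPEG_ERR_NO_SOI;
    for (;;) {
        uint8_t marker;
        size_t seglen, payload;
        if (pos + 2 > len)                    /* need prefix + marker byte */
            return JPEG_ERR_TRUNCATED;
        if (buf[pos] != 0xFF)
            return JPEG_ERR_LOST_SYNC;
        marker = buf[pos + 1];
        pos += 2;
        if (marker == 0xD9 || marker == 0xDA)  /* EOI or SOS: stop here */
            return JPEG_OK;
        if (pos + 2 > len)                    /* need the 2 length bytes */
            return JPEG_ERR_TRUNCATED;
        seglen = ((size_t)buf[pos] << 8) | buf[pos + 1];
        if (seglen < 2)                       /* seglen - 2 would wrap */
            return JPEG_ERR_BAD_LENGTH;
        if (seglen > len - pos)               /* claims bytes we don't have */
            return JPEG_ERR_TRUNCATED;
        payload = seglen - 2;
        if (marker == 0xFE) {                 /* COM: copy only if it fits */
            if (payload >= COMMENT_MAX)
                return JPEG_ERR_COMMENT_TOO_LONG;
            memcpy(comment, buf + pos + 2, payload);
            comment[payload] = '\0';
        }
        pos += seglen;
        (*segments)++;
    }
}

/* Constructed sample streams, hand-assembled for this example. */
static const uint8_t SAMPLE_OK[] = {
    0xFF, 0xD8,                                        /* SOI */
    0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00,  /* APP0, length 16 */
    0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00,
    0xFF, 0xFE, 0x00, 0x07, 'h', 'e', 'l', 'l', 'o',   /* COM, length 7 */
    0xFF, 0xD9                                         /* EOI */
};
static const uint8_t SAMPLE_SHORT_LEN[] = {   /* COM with length field 1 */
    0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x01, 'x', 0xFF, 0xD9
};
static const uint8_t SAMPLE_TRUNCATED[] = {   /* COM claims 64, has 3 */
    0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x40, 'a', 'b', 'c'
};

static char last_comment[COMMENT_MAX];        /* results of the last walk */
static size_t last_segments;

enum jpeg_status walk_sample(const uint8_t *buf, size_t len)
{
    return jpeg_walk(buf, len, last_comment, &last_segments);
}

/* Well-formed COM whose 200-byte payload does not fit COMMENT_MAX:
 * valid JPEG, yet it must be refused rather than copied. */
enum jpeg_status walk_oversized_comment(void)
{
    uint8_t big[2 + 4 + 200 + 2];
    big[0] = 0xFF; big[1] = 0xD8;
    big[2] = 0xFF; big[3] = 0xFE; big[4] = 0x00; big[5] = 0xCA;  /* 202 */
    memset(big + 6, 'A', 200);
    big[206] = 0xFF; big[207] = 0xD9;
    return walk_sample(big, sizeof big);
}

int main(void)
{
    enum jpeg_status s = walk_sample(SAMPLE_OK, sizeof SAMPLE_OK);
    printf("ok: status %d, comment \"%s\", %zu segments\n", s, last_comment, last_segments);
    printf("short length: %d\n", walk_sample(SAMPLE_SHORT_LEN, sizeof SAMPLE_SHORT_LEN));
    printf("truncated: %d\n", walk_sample(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED));
    printf("oversized comment: %d\n", walk_oversized_comment());
    return 0;
}
```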
Are you telling me that I can now contract a virus just by LOOKING at Porn?!!!
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
I Told You So.
BTW if you see this leave me a post, I haven't heard from you in 12 years and I don't know where you are.
That really made my day after dealing with a bunch of PHBs all day long.
A buffer overflow can be used to execute arbitrary code
This sig no verb.
Is there any kind of a browser plug-in I could use to decipher steganographically enhanced JPEG images that might just come over plain old unsuspicious unencrypted HTTP?
GIFs were evil, PNG support lacked transparency, now JPEGs can cause buffer overflows - I'd say that IE has an image problem... Excuse me while I just run away now.
"Provided by the management for your protection."
And that's just what happened. .NET Framework is heavily dependent on GDI+. Now you can use a managed software to hack the system.
If Yoda so strong in Force is, why words in right order he cannot put?
"There is no way for an attacker to force a user to open a malicious file."
This has got to be one of the stupidest things MS has ever said.
It's called spam!!!
99.999% of email programs and browsers automatically "open" images for viewing
We all get spam
the image can be a logo or something nonsuspicious
embedded in the email
So you only have to read the email
to get infected
Looks dangerous...
~G
(sorry couldn't resist)
...when it gets down to fundamentals, do what you have to do and shed no tears. Dr. Matson in Tunnel in the Sky
I'm guessing you have been a programmer for about 6 months.
So the next Anna Kournikova virus will actually be a picture of Anna Kournikova
On Microsoft products, porn screws YOU!
This is not off-topic. It is an Anonymous Coward, but he asks a legitimate question. I'm not going to answer it, nor am I sure whether it should be answered, but it is not off-topic to this thread. It in fact, would clarify the conversation.
And while you're looking here, go through my previous messages and mod them up. You can be kind of like a "cold-case" squad.
A NYC lawyer blogs. http://www.chuangblog.com/
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
Time magazine obviously haven't seen it either.
http://www.time.com/time/magazine/archive/covers/0,16641,1101040920,00.html
Either that, or the cover designer has a fetish, and it's starting to show.
A while ago, there was a source leak and someone found a vulnerability in the BMP shell. Is this related to the same thing?
Hmmm, no idea what that is about but does Todd Waters have the chance to patent this and sue MS for implementing it?
If you've got SP2 and an AMD64 chip, this is one great reason to use the no execute bit. I'll assume GDI+ won't mark picture data as executable.
Microsoft rates the flaw "important" for many of its products, but "critical" for Outlook versions 2002 and 2003, Internet Explorer 6 with Service Pack 1, Windows XP and Windows XP with Service Pack 1, Windows Server 2003, and the .Net Framework 1.0 with Service Pack 2 and .Net Framework 1.1, according to the Security Bulletin.
Isn't it interesting that when Microsoft is fighting court cases, Internet Explorer is consider "part of the operating system". But in this case they make the distinction between products, so that this flaw is "important" for one piece and "critical" for another.
It's clear to me that Windows, Office and other related Microsoft products are simply unrepairable. And I don't buy that argument that it's because they've got the biggest market share that these problems are made known. If that's the case, then how come Apache, with over 60% of the market and millions of installations, is not fraught with as many defects as Microsoft products?
Solution: Microsoft has to open source their code. It will never happen, but they've proven beyond a shadow of a doubt that they can't fix their own code.
Ruby on Rails Screencast
So all those times you told your parents/friends that looking at images was safe - well, not anymore."
If there was a way to do it wrong, Microsoft seems to have found it.
A feeling of having made the same mistake before: Deja Foobar
Many years ago, back when operating systems were worth using, processing an invalid data file would cause the processing to stop or the application to crash, at worst.
When did applications become so slipshod that an error in the data stream can turn into executable code? I realize this sort of thing comes out on Linux, as well. It always makes me wonder how long this has been sitting in someone's 0-day folder and being used on the unwitting populace.
They say that most exploits are of already acknowledged vulnerabilities. Why does no one acknowledge that, if a black hat is good enough to find a bug they haven't, the black hat is also good enough to cover his trail while he's pwning everyone?
+++ATHZ 99:5:80
So, this is probably an obvious question, but hell, let's get it out there...
Does this affect Firefox?
vk.
This is bad...Very bad... I usually am not an alarmist; just keep things up to date and everything will work out. This allows so many routes of exploitation - just wait for the script kiddies to work their magic.
If religious zealots don't believe in Evolution, then why are they so worried about bird flu?
s/Microsoft/Government/
You hear a tinny voice off in the distance say, "That's not a bug, that's a feature."
Seriously, if you're going to be cute about buzzwords, at least wait until someone uses a real buzzword..."attack vector" is a real term and hasn't reached convergence in the buzzword mindshare yet.
While it is a real term, its dubious value (unless you're a geek or wanna-be-geek-PHB who thinks it sounds cool to apply every military term to a computer parallel possible) in the technical arena - regardless of whether it has "reached convergence in the buzzword mindshare yet" - is what makes it worthy of being flagged in violation.
Bzzzzt!
SP2 is not affected. It smells like the new compiler switch avoided the flaw. One more reason to install SP2 for your friends & parents...
Actually, Microsoft is just copying someone else's ideas again
So first, I can't have sex, because there's no such thing as safe sex.
...and with that, I hide.
Now I can get a virus from downloading porn!?
Next you'll be telling me that I can't watch VHS tapes, because they'll inject malicious things into my proprietary bits.
It's only an insult if it's not true.
He doesn't want to know. He's looking for a Todd Walters.
:-)
Nice try for a troll, but you might want to spell your own name correctly next time....
Well, at least you can rest assured that, at the worst, it's your *computer* that gets infected with a computer virus, not you yourself with a biological virus ...
Hang on, I just noticed a web site with this news: "Microsoft announces new feature in WinXPhorn Avalon.NET OutlookPoint 2006: automatic administration of cholera vaccine simply by clicking on the VACCINATION button (requires use of new Fingerpoke Mouse hardware with Embedded Injection Technology from Microsoft)."
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
ASCII pr0n all the way!
Is doing anything online 100% safe anymore? Hell, just being online and doing nothing isn't even safe..
Brave new world.. Sux..
This is what happens when you have more complex systems than are really needed just to have an extra feature to get people to 'upgrade'..
---- Booth was a patriot ----
ISBN 0-7645-4468-3
Privacy is terrorism.
The open source libjpeg that just about all open source software depends on has had its own share of problems.
It's good to see that file parsers, not something that traditionally receives the degree of scrutiny that network-facing server code gets, are being examined for security vulnerabilities, though.
May we never see th
anyone know?
2 years and no mod points. Join reddit. Because openness is good.
I haven't run Windows at home for 2 years, but I still have to talk to my mom and her neighbors 1000 miles away, 'cause they have Dells with XP! Regardless of what I've done from here, their machines just get overrun with viruses or trojans. I've installed Spybot, they have McAfee running (supposedly), and now this.
I really wish my mom would get broadband so I could install/admin linux from here.
BC
free ipod and free gmail!
Nah, Linux is fine. Giving the average person a Linux box is the same as giving the same person a Windows box with no power cord. They will be able to accomplish nothing.
Microsoft Security Bulletins RSS feed, to receive notifications of new patches ASAP
MBSA and HFNetChk, automated tools to check if your system is up to date (see also the qfecheck command to check the status of installed patches)
Windows Update: analyze and update your system from a web page
Microsoft Systems Management Server (prices and licensing), a solution for the management of Windows networks. Comes with support for automated deploying of patches
Make a difference - use Windows! (open source clone of Windows NT)
Time to hack a jpg on msn and hotmail to trigger downloads of Firefox and Thunderbird.
http://www.microsoft.com/security/bulletins/200409_jpeg_tool.mspx
I presume flinxmeister actually meant to use the (micro-)biological term vector (disease/infection carrier), not the military term attack vector (where the meaning of vector wouldn't make sense in the context of his post).
all the spam mail I've been seeing lately with jpg attachments!
Wanna tell me again how all Microsoft vulnerabilities are exploited after the vulnerability is published?
Got to get the user to open a JPEG? Easy.
Imagine that I create an evil JPEG. Imagine that I put it on a P2P network as, say, the cover art and liner notes for Britney's latest. There, that was easy, wasn't it?
I guess you can't say that it's safe to look at porn anymore!
Patent: from Latin patere, to be open
"..."attack vector" is a real term and hasn't reached convergence in the buzzword mindshare yet."
That whole last post was good, but that end part! Denying a charge of buzzword abuse like that; it's beautiful! Bravo, and well done.
There are 01 kinds of cars in the world. The General Lee, and everything else.
Both vulnerabilities mentioned within the article have already been fixed by all major Linux distributions. Replacement of the vulnerable library packages is easy to do and does not impact any of the software that depends upon those libraries. Linux is inherently more securable than Microsoft's desktop environment and applications.
Seriously, if you're going to be cute about buzzwords, at least wait until someone uses a real buzzword..."attack vector" is a real term and hasn't reached convergence in the buzzword mindshare yet.
:P
Just you wait until there's a paradigm shift; all of the sudden, you'll have to be proactive and think outside the box and you'll say to yourself, "Who moved my cheese?"
Use one for important stuff, and the other to surf...
And make sure they know to expect to be hit and have to reload their 'web' computer often...
One mitigating factor some of these news articles are omitting (and I just noticed): the JPEG parser runs with user permissions. So, a user can hose their directory instead of the entire system, assuming it's configured correctly.
Small consolation for home users, I know, but at least I won't need to worry as much for my domain users. I don't trust them with jack, and they're given the lowest permission level available above "computer completely turned off".
The actual updates are here:
http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx
Windows Update wants you to download Windows XP SP2, which I'm not ready to do.
That when a Microsoft product has a problem with JPEG parsing it's front page news on /. and yet the dozen or so similarly bad libjpeg bugs that were found and fixed, but only distributed at leisure, are never announced?
Hmmm?
Avoid messy Windows and Office Updates and get what you need directly...
http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
Note that you may have to patch SEVERAL Microsoft products. (E.g., you need separate updates for IE6 SP1, VS.NET 2003, Office 2003...)
Note also that if you are running IE6 SP1 on *any* OS, you are vulnerable according to the bulletin.
Some versions of the .NET framework are vulnerable too. Talk about multiple attack vectors!
Not aimed at the original poster, just another kiddy rant.
From the top Google result for the airpwn project:
HTTP javascript alert boxes, letting people know just how pwned they were
Pwned? What kind of kiddies come up with this stuff; that's not even pronounceable. If you're going to make up some l33t term for kiddying somebody's box, at least make it pronounceable so that you can tell your friends what you did without sounding like a complete dumbass (you know...in person...you do talk to people in person, right?)
E.g.: "Haha, dude, I went to this coffeeshop, and everyone was on their like wireless thingamabobs, right? So I set up an injector node so that every image in the pages they loaded had little goatse's on them. I totally narfed them! I even popped up little boxes telling them how narfed they were."
Caveat Emptor is not a business model.
I tried updating Visio and Office. Both of the security update procedures insist on you inserting the exact same version of the installation CD that you used originally, otherwise they fail.
In my case, I have the disks from later versions of both products and these were rejected. (I think this NT-2000 installation was from a corporation that dropped dead a year ago and I never bothered reinstalling Office and Visio on top of the already existing installations.)
This means people who "borrowed" CDs for these two products are potential big fat targets.
Bill Gates gets to make another 10 billion dollars.
In how many subthreads are you going to post this? This is like the 5th time I've read this. You some kind of MS lackey?
...knowing that my mail client doesn't even load images -- it just strips down all that HTML mess to plaintext. I never trusted pretty emails.
Honestly, looking at something like emails -- what does all this "meta deta" add that isn't available from plain text information content? Want a hyperlink, spell out its URL. Want some lines? Play around with hyphens. It's really not so bad, and so so much less dangerous.
(See the link in the parent post.)
My first thought was that Time was exposing that Microsoft is behind/inside/running the US government.
Then I read the captions, and it's just something about how our borders are still open. Yeah, we're still the free country. No, our fight against terrorism is losing. Yay, we still have rights. No, we want the government to take those rights away. Yay, bring us your poor and tired, or at least they will be once they start working our overtime crazy schedules. No, I am not reading Time magazine to discover how they slanted it; I'd rather read Slantdot.
But watch out! That image of the magazine cover is a JPEG. Time magazine could be taking over your computer. (Pretending that anybody reading Slashdot is still using MSInternetExplorer.)
I spend my life entertaining my brain.
Because the small company can't afford to defend itself; Microsoft can. Some lawsuits are filed with the intention of settling for something less than what the defendant would have to pay to successfully defend themselves. Even when a small business is in the right they have to settle because it will cost less. When a company has enough resources, money or lawyers on staff, they will vigorously defend all lawsuits even when doing so costs more than a settlement would. This is to deter lawsuits where the plaintiff knows they have no case.
I was gonna say something like "well at least it's good to see that Microsoft is reusing code!" but if you have to separately update each application, that's pretty lame. They get all the benefit of reuse but you still have to install redundant binaries all over the place?
Why isn't there just a shared library (or two or three, if there are incompatible versions) that needs to be updated at an OS level, fixing everything that links to it?
Let's face it... If Microsoft cannot even parse simple JPEGs without leaving a security hole, why the hell do they have the position they hold in the marketplace today?
.. they just make a product... The evidence is out there time and time again. YET! People still deploy it! You have to be blind (or damn stupid) to recommend M$ as a safe platform on which a business depends. Why do people believe it is "the best solution"? It beats me! (Yay! Employ me, I will recommend to my boss a platform that is proven to be full of security holes, is unstable and is a sitting target for exploits.) I'd be ashamed to recommend M$ to anyone who employed me as a techie.
Microsoft != Security folks...
It might be marginally more friendly than Selected Choice Opposition, but at the end of the day you have to question the people who chose to deploy M$ solutions. Don't blame the boys in Redmond!
M$ depend on ignorance and bribery and FUD supplied to (stupid) systems people. I don't know a single M$ user that actually trusts the platform that they use, no matter how much they feel indebted to it! (They still get pissed off with it!) Even if they are showing off their P4 HT 4GHz uber-spec system! Even Joe Sixpack hates those pop-ups and needs to call on geek friends to remove spyware! M$ is just shit, point blank! The only people that can be absolved are the "non-technical" people that simply assume that's "just the way it is" and accept it because they don't know otherwise.
I don't care how many anti-this, anti-that trolls and zealots there are. At the end of the day there are people making decisions out there based on pretty pictures and not on proven facts.
The fact of the matter, in black and white, is that if security, stability and cross-platform compatibility matter to you, M$ is not an option; it doesn't even enter the equation. Would you own up to recommending M$? And on what grounds?
Nick...
Electronic Music Made Using Linux http://soundcloud.com/polyp
That is the most laughing I have ever done in my 4+ years on Slashdot. This post should be a (+12) Funny. Damn. I'm still chuckling. Thanks, anonymous AC.
Ford, Bank of America, Kodak, Eastman Chemical, DuPont, GE, and other fortune 500 companies are not small and they get sued all the time for minor matters like this. But Microsoft doesn't.
It's just something to think about. (Like the settle out of court and no one knows about the settlements.)
This happens to you when you don't pay the appropriate licensing fees!
It isn't mentioned, but this JPEG vulnerability is already fixed in Windows SP2.
Get off the Linux high horse. Unix's security model blows next to Windows' one. The main problem with Windows is the vast number of machines that are purposely running unsecured. If everyone logged into their Linux box as root all the time it would have the same problem.
Well, it wouldn't, because Linux market share is tiny. But on a per-machine basis the issues would be the same.
It doesn't keep you from generating code on the fly, only makes you be explicit about it.
No execute is a good thing. You just need to revise your code to deal with it if you generate code on the fly. Split code/data caches had EXACTLY the same problem, and they turned out to be really good things.
Hotmail does not automatically download images if you access it using Mozilla without "Accept all images". Even MS's navigation graphics do not appear using "Accept images that come from the originating server only" because the URLs for the images contain the IP Address!
---
I am still wishing Mozilla would add the ability to easily add domains/server/paths to the "Allow" list for image permissions. I am using Mozilla 1.6, so it is possible they figured out a better UI (by reading my posts?) to improve it in a more recent release. Without a good UI, functionality does not matter. Mozilla's 9 clicks to view a picture is excessive. (I just spent 5 hours designing a dialog box that has one set of radio buttons and one set of checkboxes. Now I have to make the functionality work.)
---
Somebody else already asked, but there were no answers. Does anybody know if Mozilla on MSWindows could be susceptible to this bug?
I took this news report as an opportunity to remind my friends and family to use Mozilla. Some of them are using Mozilla on MSWindowsXP. I told them they are safe from THIS Microsoft bug. Did I lie?
that is hilarious
1. Lemurs
2. ????
3. Profit
LRC, the best-read libertarian site on the web
Oh, if I only had mod points!
There: Something at a specific location.
Their: Owned by someone.
Please make sure your English compiles.
Check out Chad's News
I've been telling readers of my nontechnical security blog (http://www.berylliumsphere.com/security_mentor) to "stay out of bad neighborhoods". Obviously there's residual risk: legitimate sites do get compromised, eBay doesn't control the uploaded pictures, and so on. But there should be some risk reduction from avoiding warez/porn/spamvertised places.
Long term we may need to sandbox web and mail clients.
>Or just get them Macs.
May or may not help. It wasn't long ago that OS X had a remote compromise from visiting a web page. OS X has good DNA but it's also had less testing/debugging from bad guys. The big advantage of a Mac today is like wearing camouflage: you don't have to be bulletproof if nobody shoots at you.
Unfortunately that doesn't protect against exploits recoded as return-to-libc exploits.
This is real nasty. It looks like most versions of Office as well as MS Works since 2000 are affected. See the Security Bulletin. Any random Word document with an infected embedded JPEG is a transfer vector.
If you have Win 98, IE 6 needs patching.
I just did Windows Update from Win98SE.
Win 98 SE is vulnerable, unless you have completely removed IE 6 SP1 or maybe if you run an old IE.
IE 6 SP1 needs patching. I just ran Windows Update from a Win 98 SE system and it patched IE.
If it was a shared library other developers might have access. It's not Microsoft's job to make things easy for its competition.
Performance rating - MS Windows:
Listen to music: insecure
+ Look at pictures: insecure
+ Read a document: insecure
= Keep Windows on: insecure
If there is no use of Windows anymore then, the remedy is: no windows - only doors and walls please. Close Windows.
Watch out for next week's critical flaw in MS Hello World.
Next vulnerable file format is ASCII text file
Just FYI, this is one of the greatest add-ons for Outlook. It allows you to completely disable HTML for incoming messages (which, in turn, lets you turn back on the PREVIEW pane!).
Further, you can specify precisely what extensions are to be trusted -- useful if you frequently email database files or other "forbidden" files to co-workers. While you can also do this with a registry hack, having it as an option panel in Outlook is nice.
BUT WAIT, THAT'S NOT ALL! It also allows you to minimize Outlook to your system tray when you minimize the window -- nice if you like to keep Outlook open all the time, but don't like it taking up valuable space.
It's also free, though it's so damned useful I suggest you donate some cash to the guy. Disclaimer: I don't work for the guy, I don't know the guy, but I love the software and have installed it on every networked machine at my office. It rules.
Once again, download it here.
sounds like you've got ad-ware.. is this on IE? if so then nothing's off-limits, if not IE then that's just weird..
Both times Mozilla on FC2, on two different machines with two completely different networks.
I stole this Sig
From the advisory:
The JPEG parsing engine included in GDIPlus.dll contains an exploitable buffer overflow. When a specially crafted JPEG image is accessed through the Windows XP shell, a buffer overflow occurs potentially allowing an attacker to run arbitrary code on the affected system. Due to the pervasiveness of the affected dll there may be other vulnerable attack vectors.
For the full advisory please see: http://lists.seifried.org/pipermail/security/2004-September/004765.html
So all those times you told your parents/friends that looking at images was safe
Well, they told me that some types of images would make me go blind, but I kept looking at them anyways.
Set one of these JPEG files as your avatar in MSN Messenger, and hack your whole contact list at once!
Karma: It's all a bunch of tree-huggin' hippy crap!
I suggest that you look it up to increase your knowledge in this area. It is imperative that you understand this widely-used term and study the pictures thoroughly.
...for different products.
Microsoft development -- who says you can't build quality products with ctrl-c / ctrl-v?!
so it doesn't require the CD. Yeah, I have mine - somewhere. It's not like I'm a heavy Office user. Now ask your typical technophobe where her or his CD is. Especially for a computer that's a couple years old and everything came pre-installed.
Their Office Update implementation is even worse than you think. Let's say I have Office 2000 Small Business. Great, that disc won't work if the original install was Premium or any other version. Even Office 2000 SR-1 discs won't work with Office 2000. Come on, the binaries can't be that fucking different.
Office Update should be moved into Windows Update and MS should figure out a way to do these updates without a CD and still keep the download manageable. Heck, they don't even really do that, do they?
We spend all this time doing MS's work for them. Telling people about Automatic Updates, etc. It's only a matter of time before there is a new batch of Word and Excel based viruses (not to mention Visio).
There are a lot of holes in Office. Let's see, the recent WordPerfect converter exploit and the JPEG exploits are both buffer overruns. So even if you got the latest service pack after install (like I usually do) these two are just waiting to be abused and sadly people think Automatic Updates takes care of all this.
...small claims court? Cost you maybe 25 clams or something filing fee, and no one can have a lawyer in court. Challenge the dang EULA if you want. I think one way a challenge could come from is you can't sign a contract that gives up any of your rights, so the contract becomes null. Challenge even if you are just renting the software to use it, it says on the box "operating system", contains a browser and an internet/network connection as part of it. Do these things qualify as suitable for a purpose? In the EULA they claim they aren't, but on the box they sure say they are, else they wouldn't be called that. Which is it then, which is the one the customer really sees, what do they advertise on the box?
Do these products function? At best only intermittently. Is it suitable to use on the internet? Absolutely not, not as shipped they don't.
I honestly don't know if anyone has ever done it, who knows, maybe it would work. Do you have documentation for lost time, lost business, additional cost and expenses, etc? You'll need that paperwork as well.
Imagine a few hundred thousand small claims cases where Microsoft (someone to be determined obviously) had to show up and defend themselves, and without a lawyer with them. Would be a hoot!
Anyway, I think it's time, if software can be profited from, if software can be granted a patent as a product, it should be treated like any other product, it needs warranties like any other product has. Fewer releases, sure, probably happen. Better quality, most assuredly. I fail to see the problem in that. It would force PHB and marketing weasels into doing what I see developers claim they want all the time anyway, not ship something until it's done.
Are any other meat space products "perfect"? Nope. But good enough that every other business seems to be able to deal with it. It's time the software "industry" got forced into legally growing up, IMO.
...the color scheme of it.slashdot.org.
http://shit.slashdot.org/article.pl?sid=04/09/14/
Ford, Bank of America, Kodak, Eastman Chemical, DuPont, GE, and other fortune 500 companies are not small and they get sued all the time for minor matters like this. But Microsoft doesn't.
...". Microsoft with its huge cash surplus can afford such resources. Were the companies that you list sued at their peak and did they settle or fight when they were at their peak? If they settled was it in the distant past before these nuisance lawsuits became a plague?
Were they settling nuisance lawsuits that would not have been won?
Size does not necessarily correlate with the ability to defend oneself. A large company can be in a very bad financial state and not have the necessary resources. Again, "When a company has enough resources, money or lawyers on staff,
I'm not going to tell you anything unless you pay me lots of money.
Average laymen program transputers?
If you could make it work through the browser/email client. Embed something labelled as "kiddy pr0n" and then doing something like email the IP address and a listing of JPG/avi/mpg files that aren't in temp internet files (I'm guessing some would have nice filenames indicating whether the person was actively a KP downloaded or accidental).
Porn makes my computer go blind
Table-ized A.I.
I'm just a Java programmer, but --- well, reading an "image" is just piping an input stream into a decoder object that would return a graphic object.
Nowhere in this process could I imagine anything that would necessitate executing any data that might be an instruction.
Read byte x, that is the red value for a specific pixel.. (I understand Jpeg is more complicated than this).. How could that "x" be a "format c:" DOS command?
-*-
hitting bottom never felt so good
Apparently they should have known about this, there's no other logical explanation for this :)
Anyway just goes to prove how underhanded MS really is . ("We already have a patch")
Quidquid latine dictum sit, altum videtur
It is my first one. I hope you like it.
I see .Net is affected, you can't really be safe from overflows when much of your system is based on a foundation with so many holes...
.Net, .Net seems to have similar security features but a lot more of its library code is going to be vulnerable to things like this as it makes heavy use of OS features.
This brings up a very real point that Java is really more secure than
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I can't imagine running windows for anything important. It's like being in middle-school with a big "Kick Me" sign taped to your ass.
:-)
I think you are pretty close, except that the sign is taped in the front.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
There's an old bug in Win2K which allows a buffer overflow in the kernel via a suitable .BMP file.
There's a lossless compressed form of .BMP files called RLE, for run length encoding. For some stupid reason, there's a decompressor for these things inside the Win2K kernel. Malformed .BMP files can cause a buffer overflow and system crash. This could probably be exploited into an attack.
On a completely and totally unrelated topic, does anybody know where I can buy lots of banner ad space in bulk?
Many systems map shared system libraries at fixed addresses. (Ie: Just set the return address to exec() and put "/bin/sh" on the stack)
- A picture is worth a 1000 worms
I bet this vulnerability was discovered about the same time the similar BMP privilege escalation buffer overflow was discovered reading alleged Windows NT source code. "Gee, if BMP is handled so badly, let's attack JPEG, PNG, GIF, TIFF,-- @rjamestaylor on Ello
Isn't it a reasonable assumption, that MSFT is using open source JPEG libraries just like anyone else? Shouldn't we audit libjpeg now, just to be sure?
cpghost at Cordula's Web.
"flaw in microsoft" haven't we all heard that before?
Chris,
Php Programmers.
ouch.
Don't you know you can go blind?!
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
I didn't read the FA, but I doubt it would answer this question. Perhaps someone in the know might be able to answer. Why is the data segment executable in the first place? Seems to me that this would help avoid most of the "buffer overrun allowing arbitrary code to execute" problems. Non executable data segment means that you can only read and write. If you try to break the boundary of the data segment in an attempt to cross into the code segment...well, you get a GPF.
hahahahahah!
-73, de n1ywb
www.n1ywb.com
Hey, I just started getting ASCII porn SPAM!
It says that this is compliant with CAN-SPAM!
Believe it or else!!!
not safe for windows
Really, do you know if the JPEG decompression code in your favorite app or desktop is bug free? It's not so easy to write exploit free code for something like this without paying conscious effort to it, which is very rare in my experience. Consider that you need to range check just about all values and be very careful to make sure that some simple math which affects a pointer value is never used raw. Adding all of this to a JPEG decoder makes the code bulkier and makes it slower, which is why you don't see a lot of open source people rushing to do this. In fact, how many people run test suites on their image format decoders to ensure that they aren't exploitable? And if they do run test suites, how many people are really sure of the results? It's easy enough to have pointer overruns in C that go undetected, but can change critical values that affect other parts of the code. Scary.
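The two posts above ask, from opposite directions, how a pixel can become an instruction and why range checking every value matters. The answer is the length fields a decoder reads from the file: a JPEG marker segment declares its own length, and a decoder that copies that many bytes into a fixed buffer overruns the buffer when the field lies. The following is an added example, not code from the original thread or from any real decoder; the two JPEG byte arrays are constructed for the example and the segment walker handles only the marker-segment layer (no entropy-coded data).

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample, not a real file: SOI, one COM segment whose 16-bit
 * length field (7) covers the two length bytes plus "hello", then EOI. */
static const uint8_t GOOD_JPEG[] = {
    0xFF, 0xD8,
    0xFF, 0xFE, 0x00, 0x07, 'h', 'e', 'l', 'l', 'o',
    0xFF, 0xD9
};

/* Constructed sample: identical bytes, but the COM length field claims
 * 0x4000 bytes that are not in the file. A decoder that trusts the field
 * and copies that many bytes into a fixed buffer overruns it. */
static const uint8_t BAD_JPEG[] = {
    0xFF, 0xD8,
    0xFF, 0xFE, 0x40, 0x00, 'h', 'e', 'l', 'l', 'o',
    0xFF, 0xD9
};

/* Walk marker segments and copy the payload of the first COM (0xFFFE)
 * segment into out as a C string.
 * Returns the payload length, 0 if no COM segment precedes SOS/EOI, and
 * -1 if the data is malformed or the payload would not fit in out. */
int extract_comment(const uint8_t *buf, size_t len, char *out, size_t outcap)
{
    size_t pos;

    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8)
        return -1;                          /* must start with SOI */

    for (pos = 2; pos + 2 <= len; ) {
        uint8_t marker;
        size_t seglen, payload_len;

        if (buf[pos] != 0xFF)
            return -1;                      /* expected a marker here */
        marker = buf[pos + 1];

        if (marker == 0xD9)                 /* EOI: no comment segment */
            return 0;
        if (marker == 0xD8 || marker == 0x01 ||
            (marker >= 0xD0 && marker <= 0xD7)) {
            pos += 2;                       /* standalone markers carry no length */
            continue;
        }

        /* Every other marker is followed by a big-endian 16-bit length that
         * counts itself. Check it against what is actually left in the
         * buffer before using it for anything. */
        if (pos + 4 > len)
            return -1;
        seglen = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        if (seglen < 2)
            return -1;                      /* shorter than the length field itself */
        if (seglen > len - (pos + 2))
            return -1;                      /* length field points past the end of the data */
        payload_len = seglen - 2;

        if (marker == 0xFE) {
            if (payload_len >= outcap)
                return -1;                  /* destination too small: refuse, do not truncate silently */
            memcpy(out, buf + pos + 4, payload_len);
            out[payload_len] = '\0';
            return (int)payload_len;
        }
        if (marker == 0xDA)                 /* SOS: entropy-coded data follows, stop here */
            return 0;

        pos += 2 + seglen;
    }
    return -1;                              /* ran off the end without EOI */
}

/* Helpers that exercise the constructed samples. */
int parse_good_sample(void)
{
    char out[64];
    int n = extract_comment(GOOD_JPEG, sizeof GOOD_JPEG, out, sizeof out);
    return (n == 5 && strcmp(out, "hello") == 0) ? 1 : 0;
}

int parse_bad_sample(void)
{
    char out[64];
    return extract_comment(BAD_JPEG, sizeof BAD_JPEG, out, sizeof out);
}

int parse_into_small_buffer(void)
{
    char out[4];                            /* too small for "hello" plus NUL */
    return extract_comment(GOOD_JPEG, sizeof GOOD_JPEG, out, sizeof out);
}

int main(void)
{
    printf("good sample: %s\n", parse_good_sample() ? "comment extracted" : "unexpected");
    printf("bad sample: %d (expected -1, rejected)\n", parse_bad_sample());
    printf("small buffer: %d (expected -1, rejected)\n", parse_into_small_buffer());
    return 0;
}
```

The only difference between the accepted and rejected inputs is two bytes in a length field, which is the whole point: the check `seglen > len - (pos + 2)` is the line an unchecked decoder lacks, and the second check against `outcap` guards the destination rather than the source. Both are cheap; the cost the post above mentions comes from applying them to every length, count and offset a format carries, not from any one of them.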
What is the problem here?
:-)
i nuxholes_1.html
Let's face it, there will always be a flaw in software. There are even flaws in hardware. The first Pentiums even had flaws. The Windows OS is a HUGE system used in countless environments. You can't expect there to be no flaws, especially when the entire hacking world is trying to bring down or compromise the system.
Could it be Windows?
What people don't get is that Windows is an all-in-one system. You can't compare it to, say, an IBM mainframe. These systems are designed mainly to do one or two jobs and are monitored by highly skilled system administrators whose job it is to protect these systems in the first place. In contrast, most Windows systems are administered by mom, dad and grandpa Felix.
Could it be DSL/Cable?
Broadband doesn't help any either. The amount of viruses produced and their intrusion success rate has increased since a lot of home computers are always connected to the outside world. Back in '82 viruses existed, but I never remember having to install virus software for my Apple IIe. Has the world changed?
Could it be Linux?
Then there is Linux. Linux is a great system, but again it is a MUCH simpler system compared to current Windows, has a much smaller install base and is obviously MUCH less hacked than Windows. Eventually, as this platform becomes more and more popular, you will begin to see more viruses written for it. I guarantee it.
No, the real problem here is UCC (Uneducated Consumer Computing). Dell, Gateway, Compaq, IBM. They all make it look so easy and pain free to own a computer. Most people I meet on service calls don't even know what a virus is or even what spyware is, or that they can download free patches and programs like Spybot or Ad-Aware. Let me tell you, I've made more money installing and running Ad-Aware than anything else!! I'm sure you have too. Don't lie now!
And this trend won't go away either, regardless of OS or hardware. So get used to it. As long as UCC remains, we're all in for an earful of overzealous virus reporting by our wonderful, informative and helpful friends in the media. Besides, $60 for an installation of Ad-Aware doesn't hurt the wallet either, especially in this IT economy!
Oh and by the way, for all you non-believers...
http://www.infoworld.com/article/04/09/09/HNmorel
Note also that if you are running IE6 SP1 on *any* OS, you are vulnerable according to the bulletin.
I came to this conclusion eventually despite the fact that Windows 98, Me etc. are listed as 'Non affected software'. I initially read this as meaning that whatever version of IE you had, you were *not* affected if you were on Win98 etc.
The bulletin should make this a lot clearer.
For people who only know MS products, using computers has become synonymous with getting digital virii/worms.
As a result, MS users have learned to live with security problems and virii/worm infections. I know some people who disable their firewall and AV software, so they can speed up their MS chat software (their 128 MB PC has become real slow after they installed XP Pro, but they blame the firewall I installed). :(
They consider the then inevitable virii/worm infections as a part of life, and after all, it's somebody else who has to do the necessary reinstall of Windblows and apps.
Is this any way related to the leaked code that led to a vuln discovery regarding BMP files? I know it's a different format but seems like parsing image files spells some trouble.
Maybe related, but not directly. The BMP vuln was fixed way before the leak (and it was even exposed before that - but I digress).
Anyway, the BMP vuln got some additional press since it was the first published vuln in which the investigator specifically used the leaked code. With the increased attention, more people knew that image rendering was exploitable and probably investigated a possible JPG vuln.
I wouldn't conclude a direct link between this and the BMP vuln since the code snippet presented there was exclusive to BMP files/format.
Just got this in my email:
-- cut here --
Date: Wed, 15 Sep 2004 12:28:53 -0400
From: Matthias Clasen
Reply-To: fedora-list@redhat.com
To: fedora-announce-list@redhat.com
Subject: [SECURITY] Fedora Core 2 Update: gtk2-2.4.7-2.4
Fedora Update Notification
FEDORA-2004-289
2004-09-15
Product : Fedora Core 2
Name : gtk2
Version : 2.4.7
Release : 2.4
Summary : The GIMP ToolKit (GTK+), a library for creating GUIs for X.
Description
GTK+ is a multi-platform toolkit for creating graphical user interfaces. Offering a complete set of widgets, GTK+ is suitable for projects ranging from small one-off tools to complete application suites.
Update Information:
During testing of a previously fixed flaw in Qt (CAN-2004-0691), a flaw was discovered in the BMP image processor of gtk2. An attacker could create a carefully crafted BMP file which would cause an application to enter an infinite loop and not respond to user input when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0753 to this issue.
During a security audit Chris Evans discovered a stack and a heap overflow in the XPM image decoder. An attacker could create a carefully crafted XPM file which could cause an application linked with gtk2 to crash or possibly execute arbitrary code when the file was opened by a victim. (CAN-2004-0782, CAN-2004-0783)
Chris Evans also discovered an integer overflow in the ICO image decoder. An attacker could create a carefully crafted ICO file which could cause an application linked with gtk2 to crash when the file was opened by a victim. (CAN-2004-0788)
-- cut here --
So.. Blaming MS for writing insecure image decoders is a bit hypocritical, don't you think?
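The quoted Fedora notice and the earlier post about the Win2K RLE .BMP decoder describe the same two decoder failure modes in three formats: an integer overflow in a size computation (the ICO issue) and a malformed stream that makes the decode loop spin or overrun its buffer (the BMP and RLE issues). The following is an added example and not code from gtk2, Windows or the original thread: the limits, the simplified (count, value) run format and the sample streams are all constructed for the example, and real RLE8 additionally has escape codes where count is zero, which this toy simply rejects.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sanity limits for this example (assumed values, not from any real decoder). */
#define MAX_DIM          65536u                   /* largest width or height accepted */
#define MAX_PIXEL_BYTES  (256u * 1024u * 1024u)   /* largest pixel buffer accepted */

/* The unsafe pattern: multiply attacker-controlled header fields in 32-bit
 * arithmetic and hand the result to the allocator. Shown only to contrast
 * with safe_pixel_bytes below. */
uint32_t naive_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * (bpp / 8);            /* silently wraps modulo 2^32 */
}

/* Validate header dimensions and compute the pixel buffer size without
 * overflow. Returns 1 and stores the size on success, 0 on rejection. */
int safe_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp, size_t *bytes_out)
{
    uint64_t bytes;

    if (width == 0 || height == 0 || width > MAX_DIM || height > MAX_DIM)
        return 0;
    if (bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32)
        return 0;
    /* Both factors are bounded above, so the 64-bit product cannot wrap. */
    bytes = (uint64_t)width * (uint64_t)height * (bpp / 8);
    if (bytes > MAX_PIXEL_BYTES)
        return 0;
    *bytes_out = (size_t)bytes;
    return 1;
}

/* Convenience wrapper: the accepted size, or 0 when the header is rejected. */
size_t safe_size_or_zero(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n;
    return safe_pixel_bytes(width, height, bpp, &n) ? n : 0;
}

/* Decode a simplified run-length stream of (count, value) byte pairs into
 * out. A zero count is treated as malformed so that every accepted pair
 * advances the output cursor and the loop always terminates; every run is
 * checked against the remaining capacity before it is written.
 * Returns the number of bytes written, or -1 on malformed input. */
int decode_runs(const uint8_t *in, size_t inlen, uint8_t *out, size_t outcap)
{
    size_t i, written = 0;

    if (inlen % 2 != 0)
        return -1;                                /* dangling count byte */
    for (i = 0; i < inlen; i += 2) {
        size_t count = in[i];
        uint8_t value = in[i + 1];
        if (count == 0)
            return -1;                            /* no progress possible: reject instead of spinning */
        if (count > outcap - written)
            return -1;                            /* run would write past the pixel buffer */
        memset(out + written, value, count);
        written += count;
    }
    return (int)written;
}

/* Constructed stream: three 'a' bytes then two 'b' bytes, exactly filling 5 bytes. */
static const uint8_t RUNS_OK[]       = { 3, 'a', 2, 'b' };
/* Constructed stream: one run longer than the 5-byte buffer it targets. */
static const uint8_t RUNS_TOO_LONG[] = { 9, 'a' };
/* Constructed stream: a zero-length run that would never advance. */
static const uint8_t RUNS_ZERO[]     = { 0, 'a' };

int decode_sample(const uint8_t *stream, size_t streamlen)
{
    uint8_t pixels[5];
    return decode_runs(stream, streamlen, pixels, sizeof pixels);
}

int main(void)
{
    printf("naive 65536x65536x32bpp -> %u bytes (wrapped to zero)\n",
           naive_pixel_bytes(65536, 65536, 32));
    printf("safe  65536x65536x32bpp -> %zu (0 means rejected)\n",
           safe_size_or_zero(65536, 65536, 32));
    printf("safe  640x480x24bpp     -> %zu bytes\n", safe_size_or_zero(640, 480, 24));
    printf("runs ok: %d, too long: %d, zero: %d\n",
           decode_sample(RUNS_OK, sizeof RUNS_OK),
           decode_sample(RUNS_TOO_LONG, sizeof RUNS_TOO_LONG),
           decode_sample(RUNS_ZERO, sizeof RUNS_ZERO));
    return 0;
}
```

The 65536 x 65536 x 32 bpp header is the instructive case: the naive product is exactly 2^34, which wraps to 0 in 32 bits, so a decoder would allocate nothing and then write a full image into it. Bounding each dimension first and doing the multiply in a wider type makes the overflow impossible rather than merely unlikely; bounding the total separately keeps a legitimate-looking header from forcing an absurd allocation.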
Follow your Euro bills at EBT
I've had that horrible image seared into my brain before.
What I didn't realize was that wiki (and possibly others) have actually started documenting it and listing who they think it might be.
I find that rather ... odd.
Lost at C:>. Found at C.
Something is missing! Where is the link to Microsoft's update page in the story paragraph?
Does /. believe in Windows users at all?
Re:Damn It. (Score:-1, Flamebait) /.
by Anonymous Coward on Tuesday September 14, @09:06PM (#10251841)
Right!
This just proves what I always wondered about
Most people on here are hackers and have no idea how to write code. The fact they think it so easy... Says it all.
Think they are all a bunch of know-it-all...
We all know its true, not flamebait.
Knowledgeable comments are in the minority on Slashdot; but Slashdot is still worth reading because the TYPE of diamonds in the rough found here are EVEN MORE RARE on other sites.
I've finally learned that I have to use the "keep setup files" option and keep that huge pile of Office Setup Files around. Disk Clean-up always tries to get rid of them for me but I have to keep them. I have the Office disks, but I keep everything packed away and it's a pain to dig them out. The reason they are needed, usually, is because of certain files that aren't needed any other time than during setup. Keeping the setup files on my PC keeps me from digging out the CDs for every service pack.
It's taken me how many years to figure this out? I wish someone would have explained this to me earlier.
The truth doesn't care what I think.
OK first of all: I'm not a lawyer, but...
If you ride a bike on a highly transited street, you obviously expose yourself to some risks. So it's not the bike maker's fault.
*HOWEVER*, if it's a FACT that when you ride the bike you'll _ALWAYS_ end up going to that dangerous street, _AND_ the bike maker doesn't offer you either alternative bikes or roads, then you can be SURE that it's the bike maker's fault. Either by action or by negligence.
When companies signed a contract with Microsoft and bought their products and FORCE YOU to use Microsoft products (they signed the contract, not you), then you could sue either the company, or Microsoft. And when the WHOLE BUSINESS MODEL forces you to use Microsoft Products (i.e. Word),
_AND_ by using the software you expose yourself to loss of data, or money (like working at home for something job-related), then the risk is INEVITABLE.
The key here, is that Microsoft doesn't give you A CHOICE. So in practical terms, you are FORCED (read: coerced) to use their products. Isn't coercion something that can invalidate a contract (it can invalidate marriages for what I know)?
When you take a risk because you had no choice, you are indeed affected by the person who forced you to take that risk. I think bosses have already been sued because their employees were taking UNNECESSARY RISKS.
So, I think there IS a possibility to sue Microsoft. For property damage, of course.
Isn't this a perfect program written by a perfect programmer?
C:\>debug
-a 100
134C:0100 int 20
134C:0102
-nbak2dos.com
-rcx
CX 0000
-w
Writing 00002 bytes
-q
C:\>bak2dos
C:\>
Of course, this kind of perfection depends on Intel and Microsoft. It appears my 'do nothing' program does just that. If it doesn't, blame it on Intel and Microsoft.
Of course, according to Murphy's Law, anything that can go wrong will go wrong either by accident, design, or (malicious) intent. Because of this, programmers (like me) should both code programs simply AND put themselves in the user's/badguy's shoes and try to anticipate potential problems and add sufficient code to deal with them beforehand.
As a result of this approach to programming, I had to make 2 quick updates to my software some time ago to solve two problems rather than 'lots and lots' of updates--why force the users to be beta testers when you don't have to?
FACT: It is NOT easy to write worthwhile, non-trivial software....
they track vulnerabilities reports
Yup. Select the vendor
gewg_