Slashdot Mirror

← Back to Stories (view on slashdot.org)

Flaw in Microsoft JPEG Parsing

Posted by timothy on from the some-sites-have-more-than-others dept.

KDan writes "As reported by numerous sources, a new vulnerability has been disclosed (and patched) by Microsoft. This one concerns the parsing of JPEGs in XP Microsoft applications. A buffer overflow can be used to execute arbitrary code. So all those times you told your parents/friends that looking at images was safe - well, not anymore."

42 of 555 comments (clear)

  1. If you think looking at images is safe... by apanap · · Score: 5, Funny

    ...you obviously never saw goatse...

    --
    Give me a job. Please?
    1. Re:If you think looking at images is safe... by Anonymous Coward · · Score: 1, Funny

      What the hell is goatse?

    2. Re:If you think looking at images is safe... by virid · · Score: 2, Funny

      It would best be described as hell itself.

      --
      "The world only exists in your eyes. You can make it as big or as small as you want." - F Scott Fitzgerald
    3. Re:If you think looking at images is safe... by apanap · · Score: 1, Funny

      Try googling for it...

      --
      Give me a job. Please?
    4. Re:If you think looking at images is safe... by savagedome · · Score: 5, Funny

      Well, let me try to phrase it as precisely as I can. "It's something that makes a man out of a boy, instantly".

      --


      Free XBox, PS2
    5. Re:If you think looking at images is safe... by Anonymous Coward · · Score: 5, Funny

      See this month's issue of Time.

    6. Re:If you think looking at images is safe... by John_Allen_Mohammed · · Score: 2, Funny

      from the wikipedia site,

      " After complaints to NIC.CX (the regulation authority of .cx domains) by an office worker named Rhonda Clarke of Christmas Island, the site goatse.cx was taken down Friday, January 16, 2004. (Goat.cx and Hick.org/Goat remain active.) A petition has even been launched to bring goatse.cx back. "

      A petition ? okay guys.

      this little experiment called mankind is now over, it has failed miserably. See you in the afterlife.

      --

      Skype Me! username: john_allen_mohammed
    7. Re:If you think looking at images is safe... by lateralus_1024 · · Score: 5, Funny

      1) Think of Goatse as a "portal".
      2) Goatse is a high bandwidth information highway in itself.
      3) Goatse can be a hiding place.
      4) Goatse tests the limits of humanity.
      I ran out of ideas, AC's of the world please fill in the rest...

      --
      If you think /. comments are bad, check out Digg.
    8. Re:If you think looking at images is safe... by ScrewMaster · · Score: 3, Funny

      Yes, and that man will require immediate hospitalization and long-term psychotherapy.

      --
      The higher the technology, the sharper that two-edged sword.
    9. Re:If you think looking at images is safe... by NanoGator · · Score: 2, Funny

      "What the hell is goatse? "

      Ever see a photo of Jack Valenti or Michael Eisner? It's sorta like that.

      --
      "Derp de derp."
  2. Users of WinXP SP2.. by Anonymous Coward · · Score: 2, Funny

    Are not affected, unless they have Office installed.

  3. Re:Why? by Anonymous Coward · · Score: 5, Funny

    because any lawyer that has a chance of winning already works for microsoft

  4. i knew it! by Coneasfast · · Score: 5, Funny

    and i was always telling everyone from the start, download your porn in png format.

    --
    Marge, get me your address book, 4 beers, and my conversation hat.
  5. Personal attack... by chill · · Score: 5, Funny

    I've been telling people for years "no, you can't get a virus from things like a JPEG picture. You're fine."

    Now this. Considering how many bugs are reported in all version of MS software, it is entirely possible that there are PERSONAL bugs. "This one is for Charles. Let's fuck with him."

    Sigh...

    -Charles

    --
    Learning HOW to think is more important than learning WHAT to think.
  6. WARNING - useless buzzword alert!!!! by Anonymous Coward · · Score: 5, Funny

    The parent post has been flagged for violation of the "Anti Buzzword Use Act". Specific violation: use of the phrase "attack vector". Sanction: exile from use of any computer, writing utensil or paint brush for 10 years.

  7. Microsoft should give up on IE by blcamp · · Score: 5, Funny


    They should forget about Internet Explorer and try thier hand on a different line of sofware... ...like, say, e-voting.

    --
    The problem with socialism is that they always run out of other people's money. - Margaret Thatcher
  8. Thank god for ASCII pr0n! by shawnce · · Score: 5, Funny

    Don't worry folks you can still get your pr0n with out getting a social dease...

    www.asciipr0n.com

    1. Re:Thank god for ASCII pr0n! by rsteele19 · · Score: 2, Funny

      Just watch out for those nasty ANSI bombs...

      --

      This sig is umop apisdn.

  9. Pr0n by MastaBaba · · Score: 3, Funny

    Who said looking at Pr0n was safe?

  10. AOL art files by lateralus_1024 · · Score: 2, Funny

    pfft...maybe now they'll fully support AOL's .art files. Serves them right.
    *ducks*

    --
    If you think /. comments are bad, check out Digg.
  11. Aw, c'mon AC, RE: useless buzzword alert!!!! by flinxmeister · · Score: 4, Funny

    The parent post has been flagged for violation of the "Anti Buzzword Use Act". Specific violation: use of the phrase "attack vector".

    You're right, I should have said "Airpwn could leverage the synergies of this vulnerability and streamline the deployment...with or without interactive buy-in by stakeholders"

    Seriously, if you're going to be cute about buzzwords, at least wait until someone uses a real buzzword..."attack vector" is a real term and hasn't reached convergence in the buzzword mindshare yet.

  12. Buffer overflows are caused by lazy coders by techno-vampire · · Score: 3, Funny

    You don't allocate a buffer of fixed length unless you're lazy. You find out how long the input is, allocate a buffer big enough to fit then move the input to the buffer. When you're done you deallocate the buffer. Simple, safe and easy. I guess Micro$oft coders never learned how to practice safe hex.

    --
    Good, inexpensive web hosting
  13. Remember the days? by Garabito · · Score: 5, Funny
    When you tought you couldn't get a virus by opening a document in a word processor?

    Microsoft made it possible.


    When you assumed you couldn't get attacked by loading a web page?

    Microsoft made it possible, too.


    When you sweared you couldn't get infected just by receiving e-mail?

    Microsoft made it possible, again.



    And now, by the very same people who gave you all that...


    The JPEG parser vulnerability!!!


    God, this company has really brought innovation to the industry!

  14. This post is only directed towards Todd Walters by null+etc. · · Score: 5, Funny
    Todd Walters, remember 12 years ago in college when I told you that an exploit could theoretically take control of an operating system due to a flaw in the library that renders static graphics? And you said that no, only code that has a chance of executing can lead to exploits?

    I Told You So.

    BTW if you see this leave me a post, I haven't heard from you in 12 years and I don't know where you are.

    1. Re:This post is only directed towards Todd Walters by Kreigaffe · · Score: 3, Funny

      Wow, sounds like sooommmeone got served!

      --
      ... still waiting for this free-as-in-beer free beer I keep hearing about. :|
  15. Re:Oh my god by ArsonSmith · · Score: 4, Funny

    Ohh man I hope the first virus/worm/trojan based on this has is named after an STD.

    I was surfing porn and got herpies.

    That would be soooo funny.

    --
    Paying taxes to buy civilization is like paying a hooker to buy love.
  16. [OT] Speaking of Parsing JPEGs... by 4of12 · · Score: 5, Funny

    Is there anykind of a browser plug-in I could use to deciper steganographically enhanced JPEG images that might just come over plain old unsuspicious unencrypted http?

    GIFs were evil, PNG support lacked transparency, now JPEGs can cause buffer overflows - I'd say that IE has an image problem... Excuse me while I just run away now.

    --
    "Provided by the management for your protection."
  17. Sexy virus by Anonymous Coward · · Score: 5, Funny

    So the next Anna Kournikova virus will actually be a picture of Anna Kournikova

    1. Re:Sexy virus by cyroth · · Score: 4, Funny

      Sorry but I fail to see a problem with this

  18. Sorry... by keiferb · · Score: 5, Funny

    On Microsoft products, porn screws YOU!

  19. Re:Damn It. by Anonymous Coward · · Score: 2, Funny

    "No program is perfect,"
    They said with a shrug.
    "The client is happy!
    What's one little bug?"

    But he was determined.
    The others went home.
    He dug out the flowchart,
    Deserted, alone.

    Night passed into morning.
    The room was cluttered
    With memory dumps, microfiche...
    "I'm close!" he muttered.

    Chain smoking, cold coffee,
    Logic, deduction...
    "I've got it!" he cried.
    "Just change one instruction!"

    Then change two. Then three.
    As year followed year,
    Strangers would comment,
    "Is that guy still here?"

    He died at the console
    Of hunger and thirst.
    Next day he was buried
    Face down, nine edge first.

    His wife, through her tears,
    Accepted his fate,
    Saying, "He's not really gone -
    He's just working late."

  20. Re:Todd Waters Here by Geoffreyerffoeg · · Score: 3, Funny

    He doesn't want to know. He's looking for a Todd Walters.

    Nice try for a troll, but you might want to spell your own name correctly next time.... :-)

  21. Re:Not the problem by MarkGriz · · Score: 4, Funny

    Does this also affect JPEG attachments in Outlook?

    Lets see....

    Ok, check your email now.

    --
    Beauty is in the eye of the beerholder.
  22. This happens to you when....... by kc_cyrus · · Score: 2, Funny

    This happens to you when you don't pay the appropriate licensing fees!

  23. My mother doesn't think so by runderwo · · Score: 2, Funny
    She always told me looking at images would make me go blind.

    --
    LRC, the best-read libertarian site on the web
  24. Close All Windows by picardsb · · Score: 2, Funny

    Performance rating - ms windows Listen to music insecure + Look at pictures insecure + Read a document insecure = Keep windows on insecure If there is no use of windows anymore then, Remedy is: No windows - only doors and walls please. Close windows.

  25. How dumb can they be by dynamo · · Score: 3, Funny

    Watch out for next week's critical flaw in MS Hello World.

  26. Right... by jack_csk · · Score: 2, Funny

    Next vulnerable file format is ASCII text file

  27. Re:Why? by kundor · · Score: 2, Funny
    The smart people don't have to pay the dell tax.

    see: http://newegg.com/

  28. The dickens, you say. by Anonymous Coward · · Score: 1, Funny
    The average layman uses Occam's Razor

    Average laymen program transputers?

  29. If I didn't see this on /. I'd think it was FUD by puffbunny · · Score: 1, Funny

    I'm just a Java programmer, but --- well, reading an "image" is just piping an input stream into a decoder object that would return a graphic object.

    Nowhere in this process could I imagine anything that would necessitate executing any data that might be an instruction.

    Read byte x, that is the red value for a specific pixel.. (I understand Jpeg is more complicated than this).. How could that "x" be a "format c:" DOS command?

    --

    -*-

    hitting bottom never felt so good

  30. Meanwhile, by Piquan · · Score: 4, Funny

    On a completely and totally unrelated topic, does anybody know where I can buy lots of banner ad space in bulk?