Slashdot Mirror


Flaw in Microsoft JPEG Parsing

KDan writes "As reported by numerous sources, a new vulnerability has been disclosed (and patched) by Microsoft. This one concerns the parsing of JPEGs in XP Microsoft applications. A buffer overflow can be used to execute arbitrary code. So all those times you told your parents/friends that looking at images was safe - well, not anymore."

33 of 555 comments

  1. Re:Why? by jd10131 · · Score: 3, Informative

    Four letters: EULA

  2. Re:If you think looking at images is safe... by kabloom · · Score: 5, Informative

    What is goatse? Look it up on wikipedia. The entry is goatse.cx. You'll be glad you didn't have to see the image.

  3. Re:If you think looking at images is safe... by afabbro · · Score: 4, Informative
    --
    Advice: on VPS providers
  4. Re:Not the problem by Carnildo · · Score: 5, Informative

    The full list of affected programs, from Microsoft's site:

    * Windows XP
    * Windows XP Service Pack 1 (SP1)
    * Windows Server 2003
    * Internet Explorer 6 SP1
    * Office XP SP3
      Note: Office XP SP3 includes Word 2002, Excel 2002, Outlook 2002, PowerPoint 2002, FrontPage 2002, and Publisher 2002.
    * Office 2003
      Note: Office 2003 includes Word 2003, Excel 2003, Outlook 2003, PowerPoint 2003, FrontPage 2003, Publisher 2003, InfoPath 2003, and OneNote 2003.
    * Digital Image Pro 7.0
    * Digital Image Pro 9
    * Digital Image Suite 9
    * Greetings 2002
    * Picture It! 2002 (all versions)
    * Picture It! 7.0 (all versions)
    * Picture It! 9 (all versions, including Picture It! Library)
    * Producer for PowerPoint (all versions)
    * Project 2002 SP1 (all versions)
    * Project 2003 (all versions)
    * Visio 2002 SP2 (all versions)
    * Visio 2003 (all versions)
    * Visual Studio .NET 2002
      Note: Visual Studio .NET 2002 includes Visual Basic .NET Standard 2002, Visual C# .NET Standard 2002, and Visual C++ .NET Standard 2002.
    * Visual Studio .NET 2003
      Note: Visual Studio .NET 2003 includes Visual Basic .NET Standard 2003, Visual C# .NET Standard 2003, Visual C++ .NET Standard 2003, and Visual J# .NET Standard 2003.
    * .NET Framework 1.0 SP2
    * .NET Framework 1.0 SDK SP2
    * .NET Framework 1.1
    * Platform SDK Redistributable: GDI+

    --
    "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
  5. Linux has exactly the same vulnerability by Anonymous Coward · · Score: 1, Informative

    Before you get too high and mighty, check this article from just 4 days ago.

  6. Re:Popups on ./ by t_allardyce · · Score: 2, Informative

    Sounds like you've got adware. Is this on IE? If so, then nothing's off-limits; if not IE, then that's just weird.

    --
    This comment does not represent the views or opinions of the user.
  7. How is this better? by Anonymous Coward · · Score: 2, Informative

    Before you get too high and mighty, check this article from just 4 days ago.

  8. Re:If you think looking at images is safe... by MarsDefenseMinister · · Score: 4, Informative

    THAT is a classic. Thanks for that link.

    Note to everyone else, It's safe to click on, but if you don't trust me, just go to time.com and take a look at the cover for the current magazine.

    --
    No weapon in the arsenals of the world is so formidable as the will and moral courage of free men.-Ronald Reagan
  9. SP2 is not affected by diegocgteleline.es · · Score: 3, Informative

    SP2 is not affected. It smells like the new compiler switch avoided the flaw. One more reason to install SP2 for your friends & parents...

  10. Re:i knew it! by Trejkaz · · Score: 3, Informative

    Wasn't there a vulnerability in *nix's libpng a short while ago, though?

    --
    Karma: It's all a bunch of tree-huggin' hippy crap!
  11. Re:this isn't the first image exploit by ad0gg · · Score: 4, Informative

    SP2 changed all the core libraries to have protection from buffer overruns, hence it's not affected.

    --

    Have you ever been to a turkish prison?

  12. Re:Microsoft rolls their own buggy JPEG reader... by Tackhead · · Score: 2, Informative
    > ...Everyone else uses libJPEG.
    >
    > Any bets on how long it'll be until someone finds either a hole in the Microsoft PNG decoder or libJPEG? We've had holes in libPNG and Microsoft's JPEG decoder.

    Ah, but in a world of closed-source third-party software, who's "everyone"? Without a sample JPEG as a proof-of-concept of the vector, there's no trivial way to tell whether FooView32.exe v1.03, or BarSee.exe v4.9 uses and/or was built with the affected components.

    This is a real-world issue. Anyone who uses a digital camera frequently will probably end up using third-party image viewer/library software, because the image-viewing capability built into IE is unusable for even semi-serious work.

  13. Useful links for everyone concerned by KJKHyperion · · Score: 2, Informative

    Microsoft Security Bulletins RSS feed, to receive notifications of new patches ASAP

    MBSA and HFNetChk, automated tools to check if your system is up to date (see also the qfecheck command to check the status of installed patches)

    Windows Update: analyze and update your system from a web page

    Microsoft Systems Management Server (prices and licensing), a solution for the management of Windows networks. Comes with support for automated deployment of patches.

    --

    Make a difference - use Windows! (open source clone of Windows NT)

  14. Microsoft's fix steps: by Anonymous Coward · · Score: 2, Informative
    Especially for non-XP and Windows 2003 Server, since there's an additional step:

    http://www.microsoft.com/security/bulletins/200409_jpeg_tool.mspx

  15. Re:Why doesn't someone sue LINUX? by simcop2387 · · Score: 3, Informative

    First of all, that article talks about a specific implementation of LHA (LHA is an old compression algorithm that I don't think anyone uses anymore) and imlib, and as the article says it's ALREADY FIXED; just upgrade imlib and unlha.

    And neither of these is Linux; Linux is the kernel.

  16. Re:Damn It. by Anonymous Coward · · Score: 2, Informative

    "Nine edge" is the bottom of an IBM punchcard. Had to load them "face down, nine edge first" into the reader...

  17. Re:this isn't the first image exploit by Nevo · · Score: 2, Informative

    You may have overflowed the buffer, but I'd bet you weren't executing code in that buffer.

    That, if I understand correctly, is what DEP protects against. (Hence the acronym: data execution protection.)

  18. Re:Why? by DAldredge · · Score: 2, Informative

    Well, in the USA at least, there is. They do not have nutritional info on them; that is why they say that. It stops people from suing them.

    Damn lawyers ;->

  19. D/L the Patches direct from MS Security Bulletin by Airw0lf · · Score: 2, Informative

    Avoid messy Windows and Office Updates and get what you need directly...

    http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

    Note that you may have to patch SEVERAL Microsoft products. (E.g., you need separate updates for IE6 SP1, VS.NET 2003, Office 2003...)

    Note also that if you are running IE6 SP1 on *any* OS, you are vulnerable according to the bulletin.

    Some versions of the .NET framework are vulnerable too. Talk about multiple attack vectors!

  20. Re:It just makes me shudder... by Anonymous Coward · · Score: 1, Informative

    Gees! You have no idea what you are talking about.

    That would make it really slow. We are not just talking about a few buffers. There are tons of them while rendering a JPEG.

    I use various bounds checkers while I am working with debug code... It's sooo slow. It is turned off in release mode for a reason. Even still, the bounds checker doesn't catch everything.

  21. Re:Why? by yuri+benjamin · · Score: 2, Informative

    I must ask how much people will be willing to pay for warrantied software.

    It's available, sort of.
    It's called a "Service Level Agreement". SLAs are horrendously expensive, but big companies pay up because getting stuck without an SLA is even more expensive.

    --
    You make the mistake of thinking you can educate the fundamental stupidity out of people. You can't.
  22. Re:This post is only directed towards Todd Walters by Anonymous Coward · · Score: 2, Informative

    http://www.amazon.com/exec/obidos/tg/detail/-/1593270070/qid=1095209608/sr=8-1/ref=sr_8_xs_ap_i1_xgl14/104-2507909-9190336?v=glance&s=books&n=507846

    Reading the buffer overflow section of the book I linked will answer ALL your questions. It's a very good book.

    Here's a very quick explanation: Due to a buffer overflow in the JPEG parser, the stack gets overwritten. If the stack is overwritten by a carefully crafted message, it will make the CPU jump to the address where the malicious code is, and it gets executed. The book explains things in a LOT more detail, with source code examples.

    I don't usually try to advertise stuff, but I really enjoyed this book. Anyone that wants to know how exploits work, should read it.

  23. Re:This post is only directed towards Todd Walters by Alsee · · Score: 4, Informative

    I don't know the specifics here, but I can speculate.

    They start loading the file and pretty much ask it "How big are you?" The file says something like -1. They then say, ok, I need -1 memory, so let's allocate -1 memory. They then proceed to turn over "ownership" of the entire computer to the image file. They then ask the file "Ok, so where does the next piece of the picture go?" The file then says "Ohhhh, why don't you clobber the most important thing in memory and put the 'picture' there!" The computer then proceeds to grab its next instruction, which now happens to come from the middle of the 'picture'. It just jumps into the middle of the picture as if it were an EXE file.

    There are different variations, the stack, the heap, whatever. But that's the general idea.

    In some ways it's really stupid for them to accept insane instructions from the picture like that, but on the other hand it's a semi-common and almost reasonable/lazy error. But no matter how you cut it, it is exactly the sort of thing they should have specifically looked for, and it's appalling that they allowed it into the shipping product. They did the same sort of thing with bitmap files, they did the same sort of thing with media player files, the same sort of thing all over the place in reading e-mail files, they did it in gopher, they did it all over the browser, they did it freaking everywhere.

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
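    Comments 22 and 23 describe the general mechanism: a length or size field read from the file is trusted and used to size a buffer or a copy. As an added example (not code from this thread or from Microsoft's GDI+), here is a small C routine that walks JPEG marker segments and refuses any length field that is smaller than the two bytes it counts itself or larger than the data actually present, which is the check a hardened decoder makes before copying a segment. The sample JPEG byte arrays are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>

/* Walk the marker segments of an in-memory JPEG, checking every length
 * field against the bytes actually present. Returns the number of segments
 * before SOS/EOI, or -1 if the data is truncated or a length is bogus. */
int jpeg_count_segments(const uint8_t *buf, size_t len)
{
    size_t pos = 2;
    int count = 0;

    /* A JPEG starts with SOI (FF D8), which carries no length field. */
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8)
        return -1;

    for (;;) {
        uint8_t marker;
        size_t seglen;

        if (len - pos < 2 || buf[pos] != 0xFF)   /* need FF xx */
            return -1;
        marker = buf[pos + 1];
        pos += 2;

        if (marker == 0xD9 || marker == 0xDA)    /* EOI or SOS: stop */
            return count;
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7)) {
            count++;                             /* TEM/RSTn: no length */
            continue;
        }
        /* All other markers carry a 16-bit big-endian length that counts
         * its own two bytes: below 2 is the "insane size" case, beyond
         * the buffer is a truncated file. Either way, refuse the file. */
        if (len - pos < 2)
            return -1;
        seglen = ((size_t)buf[pos] << 8) | buf[pos + 1];
        if (seglen < 2 || seglen > len - pos)
            return -1;
        pos += seglen;
        count++;
    }
}

/* Constructed samples: a minimal valid header (SOI, APP0/JFIF, SOS), the
 * same file with the APP0 length set to 1 (a naive parser computes a
 * negative payload size), and a COM segment that claims 16 bytes but
 * has only 2 left in the buffer. */
const uint8_t GOOD_JPEG[] = {
    0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00,
    0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0xFF, 0xDA };
const uint8_t BAD_LEN_JPEG[] = {
    0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x01, 'J', 'F', 'I', 'F', 0x00, 0xFF, 0xDA };
const uint8_t TRUNC_JPEG[] = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x10, 'h', 'i' };
```

    The valid sample yields one segment (the APP0 block) before SOS; both malformed samples are rejected before any payload is touched.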
  24. Re:Wow, I mean seriously, wow by Frankie70 · · Score: 2, Informative
    > Go compare the number of vulnerabilities in IIS6 and Apache 2, you'll be very surprised.

    How can I do a comparison - is there any website doing such a comparison?

  25. Re:Wow, I mean seriously, wow by swissmonkey · · Score: 4, Informative

    Go to securityfocus.com, they track vulnerabilities reports.

  26. Re:Win 98 -It's a Problem by Anonymous Coward · · Score: 1, Informative

    If you have Win 98, IE 6 needs patching.

    I just did Windows Update from Win98SE.

  27. Re:If you think looking at images is safe... by uninstall · · Score: 3, Informative

    You guys ain't seen nuttin' yet. Have a peek at: http://joeclark.org/book/bawcover50.jpg

  28. Re:no way to force you to open a jpeg? by mwillems · · Score: 4, Informative

    No longer true: after applying SP2, Outlook express by default does NOT show email images.

    Michael

    --

    ---
    BDOS ERR ON A:>
  29. Re:Buffer overflows are caused by lazy coders by SuiteSisterMary · · Score: 2, Informative
    > second, most of it was reading records of known length from files. I did, however, learn the right way to handle variable-length input many years ago.

    Isn't that one of the classic ways a buffer-overflow condition can exist? You're not bothering to check the actual length of your input; you're assuming it will be within bounds.

    First rule of secure programming: don't trust the input.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  30. Re:Not the problem by Methuseus · · Score: 3, Informative

    The only reason I had to upgrade to XP is 'cause I got it for free and was using a pirated copy of 2000. Plus I found it had much better driver and game support than 2000, even though they are basically the same architecture. Go MS, making 2 almost identical operating systems incompatible with some early drivers....

    --
    Two things are infinite: the universe and human stupidity, though I'm not yet sure about the universe. - A Einstein
  31. Re:Damn It. by Master+of+Transhuman · · Score: 2, Informative

    No - to goatse.cx!

    Here you go!

    From Wikipedia:

    WARNING! All of these addresses lead directly to the pornographic image described above.


    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  32. Re:this isn't the first image exploit by dpletche · · Score: 3, Informative

    The DEP feature (buffer overrun protection) of XP SP2, or its equivalent in the Linux and BSD worlds, is only available if you are running a K8 based (Athlon 64, Opteron, etc.) processor from AMD. Intel CPUs do not feature hardware-based buffer overrun protection, so this feature is not available on Intel-based x86 systems.

  33. Re:Not the problem by EvilCowzGoMoo · · Score: 2, Informative
    After reading many posts, there seems to be a need for some clarification:

    The majority of posts seem to indicate that you need to open the jpg or open an attachment, or use a different browser, or that a simple patch to the OS will fix the problem. This is all not true.

    The problem is the way jpg files are processed. A specific DLL (I forget the name) used by the OS is to blame. If you view an infected jpg file from ANYWHERE (email, attachment, on the web, in a Word doc, anywhere), the embedded file will execute and infect your machine.

    That's not the worst part though. It's trying to patch your system. It's not just the OS that processes jpg files. Any Microsoft Office product has its own version of the DLL. 3rd-party software has its own versions. And while they all share the same name, they are not the same file, so it is not just a simple find and replace. This will involve a whole series of patches!