Flaw in Microsoft JPEG Parsing
KDan writes "As reported by numerous sources, a new vulnerability has been disclosed (and patched) by Microsoft. This one concerns the parsing of JPEGs in XP Microsoft applications. A buffer overflow can be used to execute arbitrary code. So all those times you told your parents/friends that looking at images was safe - well, not anymore."
Four letters: EULA
What is goatse? Look it up on wikipedia. The entry is goatse.cx. You'll be glad you didn't have to see the image.
http://en.wikipedia.org/wiki/Goatse.cx
Advice: on VPS providers
The full list of affected programs, from Microsoft's site:
* Windows XP
* Windows XP Service Pack 1 (SP1)
* Windows Server 2003
* Internet Explorer 6 SP1
* Office XP SP3
Note Office XP SP3 includes Word 2002, Excel 2002, Outlook 2002, PowerPoint 2002, FrontPage 2002, and Publisher 2002.
* Office 2003
Note Office 2003 includes Word 2003, Excel 2003, Outlook 2003, PowerPoint 2003, FrontPage 2003, Publisher 2003, InfoPath 2003, and OneNote 2003.
* Digital Image Pro 7.0
* Digital Image Pro 9
* Digital Image Suite 9
* Greetings 2002
* Picture It! 2002 (all versions)
* Picture It! 7.0 (all versions)
* Picture It! 9 (all versions, including Picture It! Library)
* Producer for PowerPoint (all versions)
* Project 2002 SP1 (all versions)
* Project 2003 (all versions)
* Visio 2002 SP2 (all versions)
* Visio 2003 (all versions)
* Visual Studio .NET 2002
Note Visual Studio .NET 2002 includes Visual Basic .NET Standard 2002, Visual C# .NET Standard 2002, and Visual C++ .NET Standard 2002.
* Visual Studio .NET 2003
Note Visual Studio .NET 2003 includes Visual Basic .NET Standard 2003, Visual C# .NET Standard 2003, Visual C++ .NET Standard 2003, and Visual J# .NET Standard 2003.
* .NET Framework 1.0 SP2
* .NET Framework 1.0 SDK SP2
* .NET Framework 1.1
* Platform SDK Redistributable: GDI+
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
THAT is a classic. Thanks for that link.
Note to everyone else: it's safe to click on, but if you don't trust me, just go to time.com and take a look at the cover for the current magazine.
No weapon in the arsenals of the world is so formidable as the will and moral courage of free men.-Ronald Reagan
SP2 is not affected. It smells like the new compiler switch avoided the flaw. One more reason to install SP2 for your friends & parents...
Wasn't there a vulnerability in *nix's libpng a short while ago, though?
Karma: It's all a bunch of tree-huggin' hippy crap!
SP2 changed all the core libraries to have protection from buffer overruns, hence it's not affected.
Have you ever been to a turkish prison?
First of all, that article talks about a specific implementation of LHA (LHA is an old compression algorithm that I don't think anyone uses anymore) and imlib, and as the article says it's ALREADY FIXED; just upgrade imlib and unlha.
And neither of these are Linux; Linux is the kernel.
I don't know the specifics here, but I can speculate.
They start loading the file and pretty much ask it "How big are you?" The file says something like -1. They then say, OK, I need -1 memory, so let's allocate -1 memory. They then proceed to turn over "ownership" of the entire computer to the image file. They then ask the file, "OK, so where does the next piece of the picture go?" The file then says, "Ohhhh, why don't you clobber the most important thing in memory and put the 'picture' there!" The computer then proceeds to grab its next instruction, which now happens to come from the middle of the 'picture'. It just jumps into the middle of the picture as if it were an EXE file.
There are different variations, the stack, the heap, whatever. But that's the general idea.
In some ways it's really stupid for them to accept insane instructions from the picture like that, but on the other hand it's a semi-common and almost reasonable/lazy error. But no matter how you cut it, it is exactly the sort of thing they should have specifically looked for, and it's appalling that they allowed it into the shipping product. They did the same sort of thing with bitmap files, they did the same sort of thing with media player files, the same sort of thing all over the place in reading e-mail files, they did it in gopher, they did it all over the browser, they did it freaking everywhere.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
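The length-field mistake sketched in the comment above, shown from the defensive side as an added example (not the commenter's code and not GDI+ code): a JPEG marker-segment walker that validates every 2-byte length field against the remaining buffer before that length is used for any allocation or copy. The sample byte sequences are constructed, not taken from any real file.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Walk the marker segments of a JPEG header and validate each length field.
 * Returns the number of segments accepted, or -1 on the first malformed one.
 * Stops at SOS (FF DA), where entropy-coded scan data begins. */
int jpeg_validate_segments(const uint8_t *buf, size_t len)
{
    size_t pos;
    int count = 0;

    /* Must start with SOI (FF D8); SOI carries no length field. */
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8)
        return -1;
    pos = 2;

    while (pos + 4 <= len) {                     /* marker (2) + length (2) */
        if (buf[pos] != 0xFF)
            return -1;
        uint8_t marker = buf[pos + 1];
        /* Length is big-endian and counts its own two bytes. */
        size_t seglen = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];

        /* The check a "trust the file" parser skips: seglen < 2 makes
         * (seglen - 2) wrap to a huge unsigned value, and seglen larger than
         * the bytes left would read (or copy) past the end of the buffer. */
        if (seglen < 2 || seglen > len - (pos + 2))
            return -1;

        count++;                                 /* payload is now safe to use */
        if (marker == 0xDA)                      /* SOS: scan data follows */
            return count;
        pos += 2 + seglen;
    }
    return -1;                                   /* truncated before SOS */
}

/* Constructed samples: a minimal valid header, a zero-length segment
 * (the underflow case), and a length far beyond the buffer end. */
static const uint8_t sample_good[]     = {0xFF,0xD8, 0xFF,0xE0,0x00,0x04,0x41,0x42, 0xFF,0xDA,0x00,0x02};
static const uint8_t sample_zero_len[] = {0xFF,0xD8, 0xFF,0xE0,0x00,0x00,0x41,0x42};
static const uint8_t sample_oversize[] = {0xFF,0xD8, 0xFF,0xE0,0xFF,0xFF,0x41,0x42};

int main(void)
{
    printf("good=%d zero=%d oversize=%d\n",
           jpeg_validate_segments(sample_good, sizeof sample_good),
           jpeg_validate_segments(sample_zero_len, sizeof sample_zero_len),
           jpeg_validate_segments(sample_oversize, sizeof sample_oversize));
    return 0;
}
```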
Go to securityfocus.com, they track vulnerabilities reports.
You guys ain't seen nuttin' yet. Have a peek at: http://joeclark.org/book/bawcover50.jpg
No longer true: after applying SP2, Outlook Express by default does NOT show email images.
Michael
---
BDOS ERR ON A:>
The only reason I had to upgrade to XP is cause I got it for free and was using a pirated copy of 2000. Plus I found it had much better driver and game support than 2000 even though they are basically the same architecture. Go MS, making 2 almost identical operating systems incompatible with some early drivers....
Two things are infinite: the universe and human stupidity, though I'm not yet sure about the universe. - A Einstein
The DEP feature (buffer overrun protection) of XP SP2, or its equivalent in the Linux and BSD worlds, is only available if you are running a K8 based (Athlon 64, Opteron, etc.) processor from AMD. Intel CPUs do not feature hardware-based buffer overrun protection, so this feature is not available on Intel-based x86 systems.