Slashdot Mirror


Flaw in Microsoft JPEG Parsing

KDan writes "As reported by numerous sources, a new vulnerability has been disclosed (and patched) by Microsoft. This one concerns the parsing of JPEGs in XP Microsoft applications. A buffer overflow can be used to execute arbitrary code. So all those times you told your parents/friends that looking at images was safe - well, not anymore."

36 of 555 comments

  1. Combined with airpwn.....wow by flinxmeister · · Score: 4, Insightful

    (Glad I stuck with IE 5.01 sp3 on NT)

    Man...talk about attack vectors. This would make a killer (as in bad) worm.

    IM
    Email
    Browsers (probably several)
    Anything....heck just copy exploit code to every accessible jpg file on a machine and/or network.

    As usual, the writers of the "mitigating factors" section don't seem to have much imagination.

    Remember the airpwn project? You could trojan/crack every unpatched machine on a wireless network who pulls up a web browser. And what about those folks who whacked interlands proxies to inject code? Just inject jpgs.

    Does anyone know if this can be 'stealth' injected into a JPG (like some of those mp3 issues), or is it standalone exploit code?

  2. Not the problem by MikeMacK · · Score: 5, Insightful
    "The vulnerability could only be exploited by an attacker who persuaded a user to open a specially crafted file or to view a directory that contains the specially crafted image," Microsoft said in a statement. "There is no way for an attacker to force a user to open a malicious file."

    The problem is not "forcing" people to open attachments, the problem has always been that people open attachments.

    1. Re:Not the problem by Carnildo · · Score: 4, Insightful

      Sounds to me like it should be sufficient simply to have a tainted JPEG image on a web page.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    2. Re:Not the problem by SpooForBrains · · Score: 2, Insightful

      Correct me if I'm wrong here but merely sending an HTML formatted message containing the image would be enough to infect most Windows users, since both Hatemail and Outhouse automatically render HTML emails and download external image links.

      (PS. For moderators. Hating M$ products does not make me a troll and I will not expurgate myself for fear of being modded down)

      --
      "The dew has clearly fallen with a particularly sickening thud this morning"
    3. Re:Not the problem by JayJay.br · · Score: 5, Insightful

      I would go even further: opening a specially crafted image is automatic if it is inside an HTML page.

      How easy would it be to make a website about almost anything and containing one of these babies?

      On a sidenote, would Firefox on Windows be vulnerable? Does it use Microsoft's JPEG library or does it have libjpeg embedded?

    4. Re:Not the problem by Thaelon · · Score: 2, Insightful

      So Windows 2000 is unaffected....I see more and more reasons every day for NOT "upgrading" to XP.

      I'm not trying to get both sides of the flame war to attack me, but I -like- Windows 2000. I haven't had to format in a couple years and most of these new security holes pass me by.

      If you ask me Windows XP is Windows 2000 + bloat + security holes.

      Can anybody give me a convincing reason to "upgrade" to XP? I even own a legitimate hologram cd (of XP) that I got at a .NET launch event, and I've never used it.

      --

      Question everything

  3. Back in the day by Eberlin · · Score: 5, Insightful

    Call me old school, but remember back in the day when opening e-mail was ok, and that executable attachments were what we watched out for? Images were ok, MIDI files were ok, and a bit later, even MP3 files were ok.

    Of course if the same codebase were used then, it NEVER was ok...but we sure thought things were juuuust fine.

    Is this any way related to the leaked code that led to a vuln discovery regarding BMP files? I know it's a different format but seems like parsing image files spells some trouble.

  4. Re:Why? by bonniot · · Score: 4, Insightful
    Uh.. Because losing some data, while sucky, is hardly the same thing as, say, losing an eye? Or your life? Try to put things in some perspective.
    Don't you think that a company that sold file cabinets that accidentally shred documents once in a while would be sued?
  5. Spin Control by Wanker · · Score: 5, Insightful
    From http://www.microsoft.com/technet/security/Bulletin/MS04-028.mspx:
    In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.

    I like the phrase "no way to force users to visit a malicious Web site". How many users have image views enabled in their mail client? How hard would it be for a shady advertiser or a hacked advertiser to include a malicious JPEG as a banner ad?
  6. Re:Damn It. by Portigui · · Score: 5, Insightful
    Don't trust outside data. Don't developers think of these things?
    Of course we think of things, but it is never possible to think of every possible scenario when you are punching out applications with hundreds of thousands of lines of code. An old college professor of mine once said: "There is no such thing as a perfect programmer. Those that think they are, are either a fool or a liar."
  7. Re:Why? by Hatta · · Score: 1, Insightful

    You make more money working for Microsoft than against them.

    --
    Give me Classic Slashdot or give me death!
  8. Re:Users of WinXP SP2.. by ogl_codemonkey · · Score: 2, Insightful

    Ah, this could probably be used as a heuristic in attaining the number of exploits on your machine. Statistically, it seems the amount of exploitable Microsoft software on your machine is directly proportional to the amount of Microsoft software on your machine.

    Just add up how much MS software you have installed, multiply by factor X, being the average rate of exploits per package, and you know how many you have to find and correct.

  9. Re:Why? by St.+Arbirix · · Score: 4, Insightful

    I think that the kind of people who sue despite warning labels aren't going to be gunning for their OS Vendor (what's an OS? It's the computer's fault!). The average layman uses Occam's Razor to place blame on a computer. If something goes wrong it's most likely that their child did it or the computer is just broken and IBM or Dell is to blame.

    EULAs are the reason smarter people don't sue. They exempt the software vendor from an unimaginable amount of liability without the user ever knowing unless they read it.

    There appears to be nobody in the third group: the group that understands where the problem is but doesn't understand what EULAs do. They'd be the type to sue.

    The 4th group, which understands what an EULA does but doesn't understand how computers work, is likely the group that writes EULAs.

    --
    Direct away from face when opening.
  10. Re:Untrusted data by AuMatar · · Score: 2, Insightful

    First, define trusted data. If you have a user, anything they produce should not be trusted. In other words, EVERYTHING is untrusted data. There's limits to how much you can sandbox and still run applications. Running every app in a VM with no access to any resources other than memory and the CPU wouldn't be a very useful environment. And anything else can't be trusted.

    Secondly, you would then have issues with security problems in the VM. You don't think that would be perfect either do you?

    --
    I still have more fans than freaks. WTF is wrong with you people?
  11. Re:Why? by ArsonSmith · · Score: 5, Insightful

    Well yeah, because you wouldn't expect a file cabinet to shred your files.

    On the other hand, Microsoft spent years conditioning people to believe that computers just randomly shred your files.

    --
    Paying taxes to buy civilization is like paying a hooker to buy love.
  12. It just makes me shudder... by freshtonic · · Score: 4, Insightful

    ... at the horrendous software implementation errors that people are still making in this day and age. *There is no reason for buffer overflows to happen*. Every PC bought in the last five years (at least) is fast enough to bounds check every array / buffer access for all but the most performance-driven applications. Loading a JPEG from a stream is IO-bound enough for bounds checking to be negligible.

    From what I read, I gather that buffer overflows account for a large portion of all platform vulnerabilities - Intel & AMD have even implemented a 'no execute' feature in their latest CPUs to go some way to counteract this. I see this as useful, but perhaps overkill - it is *simple* to avoid buffer overflows and the 'no execute' feature could potentially impede development of programs that generate code on the fly (such as Java VMs). The low-level programmers that have been developing C for 20 years just need re-educating. Somebody should tell them computers run at more than 8 MHz now...

    (That last comment is not meant to be taken too seriously)
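    freshtonic's point is that a JPEG decoder is I/O-bound enough that checking every length field against the bytes actually present costs nothing measurable. The C below is an added example written for this page, not code from Microsoft, from the bulletin, or from any poster; it assumes only the standard JPEG marker layout (an FFxx marker followed, for most markers, by a two-byte big-endian length that counts itself) and runs on constructed byte strings, not real image files. It walks the header segments, rejects any length field smaller than two (which would wrap when the field's own size is subtracted) or larger than the remaining buffer, and copies a COM segment into a fixed-size buffer only after confirming it fits.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes for the segment walker. */
enum jpeg_status {
    JPEG_OK = 0,          /* a segment was produced */
    JPEG_END,             /* reached SOS (scan data) or EOI: header walk done */
    JPEG_ERR_NO_SOI,      /* buffer does not start with FF D8 */
    JPEG_ERR_NO_MARKER,   /* expected an FF marker byte, found something else */
    JPEG_ERR_TRUNCATED,   /* marker, length field or payload runs past the end */
    JPEG_ERR_BAD_LENGTH   /* length field smaller than the 2 bytes it must include */
};

struct jpeg_seg {
    uint8_t marker;          /* second byte of the FFxx marker */
    const uint8_t *payload;  /* bytes after the length field; NULL if marker has none */
    size_t payload_len;
};

/* Advance *pos to the next marker segment and describe it in *seg.
 * Every read is preceded by a check against the bytes that actually remain,
 * so a length chosen by the file's author can never move the cursor, or a
 * later copy, past the end of buf. */
static enum jpeg_status jpeg_next_segment(const uint8_t *buf, size_t len,
                                          size_t *pos, struct jpeg_seg *seg)
{
    size_t p = *pos;
    while (p + 1 < len && buf[p] == 0xFF && buf[p + 1] == 0xFF)
        p++;                                  /* skip permitted 0xFF fill bytes */
    if (len - p < 2) return JPEG_ERR_TRUNCATED;
    if (buf[p] != 0xFF) return JPEG_ERR_NO_MARKER;

    uint8_t marker = buf[p + 1];
    p += 2;
    seg->marker = marker; seg->payload = NULL; seg->payload_len = 0;

    if (marker == 0xDA || marker == 0xD9) { *pos = p; return JPEG_END; } /* SOS, EOI */
    if ((marker >= 0xD0 && marker <= 0xD7) || marker == 0x01) {          /* RSTn, TEM */
        *pos = p; return JPEG_OK;             /* standalone markers carry no length */
    }

    if (len - p < 2) return JPEG_ERR_TRUNCATED;        /* room for the length field? */
    size_t seg_len = ((size_t)buf[p] << 8) | buf[p + 1];
    if (seg_len < 2) return JPEG_ERR_BAD_LENGTH;       /* seg_len - 2 would wrap */
    if (seg_len > len - p) return JPEG_ERR_TRUNCATED;  /* promises more than exists */

    seg->payload = buf + p + 2;
    seg->payload_len = seg_len - 2;
    *pos = p + seg_len;
    return JPEG_OK;
}

/* Walk all header segments; JPEG_OK means the structure is sound, and
 * *count_out receives the number of segments before SOS/EOI. */
enum jpeg_status jpeg_validate(const uint8_t *buf, size_t len, size_t *count_out)
{
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8) return JPEG_ERR_NO_SOI;
    size_t pos = 2, count = 0;
    struct jpeg_seg seg;
    for (;;) {
        enum jpeg_status st = jpeg_next_segment(buf, len, &pos, &seg);
        if (st == JPEG_END) break;
        if (st != JPEG_OK) return st;
        count++;
    }
    if (count_out) *count_out = count;
    return JPEG_OK;
}

/* Copy the first COM (FF FE) payload into a caller buffer as a NUL-terminated
 * string. Returns bytes copied, -1 for a malformed file, -2 if the comment
 * does not fit: the caller's capacity, not the file's length field, bounds
 * the write. */
int jpeg_copy_comment(const uint8_t *buf, size_t len, char *out, size_t cap)
{
    if (cap == 0 || len < 2 || buf[0] != 0xFF || buf[1] != 0xD8) return -1;
    size_t pos = 2;
    struct jpeg_seg seg;
    for (;;) {
        enum jpeg_status st = jpeg_next_segment(buf, len, &pos, &seg);
        if (st == JPEG_END) { out[0] = '\0'; return 0; }
        if (st != JPEG_OK) return -1;
        if (seg.marker != 0xFE) continue;
        if (seg.payload_len + 1 > cap) return -2;        /* checked before memcpy */
        memcpy(out, seg.payload, seg.payload_len);
        out[seg.payload_len] = '\0';
        return (int)seg.payload_len;
    }
}

/* Constructed sample inputs (not real files): a minimal header with APP0 and
 * COM segments, then two malformed variants a decoder must refuse. */
static const uint8_t good_jpeg[] = {
    0xFF, 0xD8,                             /* SOI */
    0xFF, 0xE0, 0x00, 0x04, 'J', 'F',       /* APP0, length 4 => 2 payload bytes */
    0xFF, 0xFE, 0x00, 0x05, 'h', 'i', '!',  /* COM,  length 5 => 3 payload bytes */
    0xFF, 0xDA                              /* SOS: walker stops here */
};
static const uint8_t short_len_jpeg[] = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x01, 'x' };
static const uint8_t over_len_jpeg[]  = { 0xFF, 0xD8, 0xFF, 0xFE, 0xFF, 0xFF, 'x', 'y' };

int main(void)
{
    size_t n = 0;
    char comment[16];
    printf("good:      status %d, %zu segments\n", jpeg_validate(good_jpeg, sizeof good_jpeg, &n), n);
    printf("short len: status %d\n", jpeg_validate(short_len_jpeg, sizeof short_len_jpeg, NULL));
    printf("over len:  status %d\n", jpeg_validate(over_len_jpeg, sizeof over_len_jpeg, NULL));
    printf("comment:   %d bytes -> \"%s\"\n",
           jpeg_copy_comment(good_jpeg, sizeof good_jpeg, comment, sizeof comment), comment);
    return 0;
}
```

    The two rejected samples cover the two ways a length field goes wrong: a value below two, which turns into an enormous payload size once the field's own two bytes are subtracted, and a value that simply claims more bytes than the buffer holds. Both checks sit in one place, so every consumer of a segment (here the comment copier) inherits them instead of re-deriving bounds from the untrusted field.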

  13. Every hole in Windows... by dacarr · · Score: 3, Insightful
    Every hole in Windows seems to constitute the following:

    A buffer overflow can be used to execute arbitrary code

    ...or is that just me?

    --
    This sig no verb.
  14. no way to force you to open a jpeg? by Risto · · Score: 5, Insightful

    "There is no way for an attacker to force a user to open a malicious file."

    This has got to be one of the stupidest things MS has ever said.

    It's called spam!!!
    99.999% of email programs and browsers automatically "open" images for viewing

    We all get spam
    the image can be a logo or something nonsuspicious
    embedded in the email

    So you only have to read the email
    to get infected

  15. Re:Damn It. by echeslack · · Score: 4, Insightful

    I hope now that png, mp3, and jpg decoders have had vulnerabilities people will be a little more careful in the future.

    It isn't necessarily about being careful. If people were that careful about writing all their software, software would take ages to finish writing.

    And even then there would still be security flaws. I think the saying about bugs goes something like "Any non-trivial program has at least one bug." I think the same could probably be said for security vulnerabilities.

    Sure, we probably shouldn't be seeing buffer overflow exploits anymore considering the amount of attention they have gotten, but it isn't necessarily worth it to go back and review all your code just to find one type of vulnerability when others will be found eventually anyway.

  16. Source Leak? by darkmeridian · · Score: 2, Insightful

    A while ago, there was a source leak and someone found a vulnerability in the BMP shell. Is this related to the same thing?

    --
    A NYC lawyer blogs. http://www.chuangblog.com/
  17. Re:Why? by Stevyn · · Score: 4, Insightful

    Yeah exactly. When I saw the grandparent post I slapped my forehead. The EULA clearly states that anything bad that happens to you isn't Microsoft's fault. Most software programs have that same clause in their license. If it weren't for that, Microsoft would have been killed by lawsuits years ago.

    Other industries don't have that luxury though. An ice cream company can't put a label saying if you die eating our product we can't be at fault. One reason is that the FDA would go after them. Another reason is nobody would then buy the ice cream. But since it's so common in the software industry, people don't think twice about agreeing to the EULA.

  18. Wow, I mean seriously, wow by Ridgelift · · Score: 4, Insightful

    Microsoft rates the flaw "important" for many of its products, but "critical" for Outlook versions 2002 and 2003, Internet Explorer 6 with Service Pack 1, Windows XP and Windows XP with Service Pack 1, Windows Server 2003, and the .Net Framework 1.0 with Service Pack 2 and .Net Framework 1.1, according to the Security Bulletin.

    Isn't it interesting that when Microsoft is fighting court cases, Internet Explorer is considered "part of the operating system"? But in this case they make the distinction between products, so that this flaw is "important" for one piece and "critical" for another.

    It's clear to me that Windows, Office and other related Microsoft products are simply unrepairable. And I don't buy that argument that it's because they've got the biggest market share that these problems are made known. If that's the case, then how come Apache with over 60% of the market and millions of installations is not fraught with as many defects as Microsoft products?

    Solution: Microsoft has to open source their code. It will never happen, but they've proven beyond a shadow of a doubt that they can't fix their own code.

    1. Re:Wow, I mean seriously, wow by swissmonkey · · Score: 4, Insightful

      It's clear to me that Windows, Office and other related Microsoft products are simply unrepairable. And I don't buy that argument that it's because they've got the biggest market share that these problems are made known. If that's the case, then how come Apache with over 60% of the market and millions of installations is not fraught with as many defects as Microsoft products?

      Go compare the number of vulnerabilities in IIS6 and Apache 2, you'll be very surprised.

    2. Re:Wow, I mean seriously, wow by Anonymous Coward · · Score: 2, Insightful

      Yes, but compare the damage done via Apache vs the damage and man-hours lost because of IIS. This is like when people point out 20 non-threatening Red Hat advisories in one month vs 5 devastating, world-crippling bugs for XP in a month and say "see, XP has fewer security problems!". Sorry, but quantity doesn't tell much. Even at 10 times as many security advisories as IIS, Apache will continue to be a better, more secure, less dangerous solution.

  19. Re:Damn It. by Anonymous Coward · · Score: 1, Insightful

    I guess that's why people doing science research are no longer paying programmers.

    Ahhh, what we have here is a bitter old man jealous of those with CS degrees.
    Regexp on binary data? Good luck.
    Preparse the data? What if your preparser has the flaw?
    I guess when hacking your little math programs and Perl scripts you don't get much exposure to large projects. Build your doghouse and criticize the skyscraper architect.

  20. Re:Personal attack... by Ramses0 · · Score: 4, Insightful

    I started using Linux 5 years ago (hello Mozilla M12 :^). This was -just- before the internet went to hell with email viruses, worms, spyware, etc. I've just recently bought a Mac laptop (so quiet! :^), and a big factor was that I don't want to deal with windows (ever. except at work, where they do the whole managed deployment things).

    Basically: as difficult as it is to work with Linux (even Debian unstable. Vis: Wireless USB thingies, USB thingies in general, Kernel 2.6 upgrade + CDRom burning, etc), that pain is reduced 999x over by not having to run Ad-aware every 2 hours, and not having to worry about patching the bug of the month that allows remote-root worms. At work I admin a little Debian-stable server because our IT/Unix department is mostly l4me, and have it set up to cron @daily apt-get "search for security updates" and email to our group. Get about 1-2 every other month, and that's with Known, Old software (provably more secure after every security bugfix). I can't imagine running windows for anything important. It's like being in middle-school with a big "Kick Me" sign taped to your ass.

    --Robert

  21. Re:Untrusted data by SpinyNorman · · Score: 4, Insightful

    What'll go a long way to getting rid of buffer overflow exploits is execute-protected memory, which AFAIK AMD currently has, and Intel is playing catch-up to get. Stack/Heap memory is then non-execute enabled, and if you want to do something tricky like generate code on the fly, then you need to get the OS to allocate memory with execute permission set.

  22. Re:Why? by FuzzyBad-Mofo · · Score: 3, Insightful

    Then there's the 5th group, who realize that EULAs aren't worth the paper they're not printed on, but don't feel like wasting their personal fortunes fighting a case against a major corporation over what is most likely small claims. (less than $5000 damages)

  23. Re:Just plain crappy by ScrewMaster · · Score: 2, Insightful

    Well, I disagree somewhat. There are things that have changed in the way applications are developed today vs. the way they were developed prior to the advent of sophisticated GUI-based operating systems. We depend on ever more complicated development tools over which we have less and less control. No matter how carefully we craft our own code, it doesn't make any difference in the end: we're totally dependent upon the work of thousands of other programmers, any one of whom may have left a hole.

    Ultimately, I think it's really a result of extreme code bloat resulting from a market-driven approach to software development. When you get right down to it, from a productivity standpoint (and I don't mean watching videos and playing games) people do pretty much the same things with their computers today as they did a decade or more ago. But given the heavy emphasis by Microsoft (and others) on adding features to make each software generation more "advanced" and hence more marketable, operating system and application complexity is now orders of magnitude more complicated than it was just a few short years ago. This just provides room for (a) more mistakes to be made and (b) more opportunities to exploit said mistakes.

    There have always been people willing and able to turn vulnerabilities into exploits, but prior to the opening of the Internet it was difficult to deliver an exploit to a target. Yes, people did propagate virii via floppy disks and shareware, but it was a painfully inefficient process. Nowadays, the Internet connects every one of those bastards to every one of us.

    --
    The higher the technology, the sharper that two-edged sword.
  24. Now I feel somewhat safer by bigberk · · Score: 2, Insightful

    ...knowing that my mail client doesn't even load images -- it just strips down all that HTML mess to plaintext. I never trusted pretty emails.

    Honestly, looking at something like emails -- what does all this "metadata" add that isn't available from plain text information content? Want a hyperlink, spell out its URL. Want some lines? Play around with hyphens. It's really not so bad, and so so much less dangerous.

  25. Fair Play by polyp2000 · · Score: 1, Insightful

    Let's face it ... If Microsoft cannot even parse simple JPEGs without leaving a security hole, why the hell do they have the position they hold in the marketplace today?

    Microsoft != Security folks...
    It might be marginally more friendly than Selected Choice Opposition, but at the end of the day you have to question the people who chose to deploy M$ solutions. Don't blame the boys in Redmond! .. they just make a product... The evidence is out there time and time again. YET! People still deploy it! You have to be blind (or damn stupid) to recommend M$ as a safe platform on which a business depends. Why do people believe it is "The best solution"? It beats me! (Yay! Employ me, I will recommend to my boss a platform that is proven to be full of security holes, is unstable and is a sitting target for exploits.) I'd be ashamed to recommend M$ to anyone who employed me as a techie.

    M$ depends on ignorance and bribery and FUD supplied to (stupid) systems people. I don't know a single M$ user that actually trusts the platform that they use, no matter how much they feel indebted to it! (They still get pissed off with it!) Even if they are showing off their P4 HT 4GHz uber-spec system! Even Joe Sixpack hates those pop-ups and needs to call on geek friends to remove spyware! M$ is just shit, point blank! The only people that can be absolved are the "non-technical" people that simply assume that's "just the way it is" and accept it because they don't know otherwise.

    I don't care how many anti-this, anti-that trolls and zealots there are. At the end of the day there are people making decisions out there based on pretty pictures and not on proven facts.

    The fact of the matter, in black and white, is that if security, stability and cross-platform compatibility matter to you, M$ is not an option; it doesn't even enter the equation. Would you own up to recommending M$? And on what grounds?

    Nick...

    --
    Electronic Music Made Using Linux http://soundcloud.com/polyp
    1. Re:Fair Play by swissmonkey · · Score: 4, Insightful

      Let's face it ... If the open source community cannot even parse simple PNGs without leaving a security hole, why the hell do they claim to be better than Microsoft?

      If you actually knew what you're talking about, you'd know that the JPEG format is definitely not the easiest file format to support, and you'd also know that coding mistakes can happen everywhere, as witnessed daily in the open source community.

      So instead of going on an unjustified rant against MS because of something that happens daily everywhere, just chill out.

  26. Re:MS can afford to defend itself, small bus. can by DAldredge · · Score: 3, Insightful

    Ford, Bank of America, Kodak, Eastman Chemical, DuPont, GE, and other fortune 500 companies are not small and they get sued all the time for minor matters like this. But Microsoft doesn't.

    It's just something to think about. (Like the settle out of court and no one knows about the settlements.)

  27. why not just try.... by zogger · · Score: 2, Insightful

    ...small claims court? Cost you maybe 25 clams or something in filing fees, and no one can have a lawyer in court. Challenge the dang EULA if you want. I think one way a challenge could come is that you can't sign a contract that gives up any of your rights, so the contract becomes null. Challenge even if you are just renting the software to use it; it says on the box "operating system", contains a browser and an internet/network connection as part of it. Do these things qualify as suitable for a purpose? In the EULA they claim they aren't, but on the box they sure say they are, else they wouldn't be called that. Which is it then, which is the one the customer really sees, what do they advertise on the box?

    Do these products function? At best only intermittently. Is it suitable to use on the internet? Absolutely not, not as shipped they don't.

    I honestly don't know if anyone has ever done it, who knows, maybe it would work. Do you have documentation for lost time, lost business, additional cost and expenses, etc? You'll need that paperwork as well.

    Imagine a few hundred thousand small claims cases where Microsoft (someone to be determined obviously) had to show up and defend themselves, and without a lawyer with them. Would be a hoot!

    Anyway, I think it's time: if software can be profited from, if software can be granted a patent as a product, it should be treated like any other product; it needs warranties like any other product has. Fewer releases, sure, would probably happen. Better quality, most assuredly. I fail to see the problem in that. It would force PHBs and marketing weasels into doing what I see developers claim they want all the time anyway: not ship something until it's done.

    Are any other meat space products "perfect"? Nope. But good enough that every other business seems to be able to deal with it. It's time the software "industry" got forced into legally growing up, IMO.

  28. And you obviously never looked at... by Anonymous Coward · · Score: 1, Insightful

    ...the color scheme of it.slashdot.org.

    http://shit.slashdot.org/article.pl?sid=04/09/14/2226226

  29. Re:Why? by NanoGator · · Score: 4, Insightful

    "Why doesn't someone sue Microsoft? "

    Because Microsoft didn't commit the crime. The criminal who used the exploit did. It's fun to suggest things that would get MS in trouble, but if they were suable for this, every other product in the world that you like would be in danger, including Linux.

    --
    "Derp de derp."