Slashdot Mirror


Flaw in Microsoft JPEG Parsing

KDan writes "As reported by numerous sources, a new vulnerability has been disclosed (and patched) by Microsoft. This one concerns the parsing of JPEGs in XP Microsoft applications. A buffer overflow can be used to execute arbitrary code. So all those times you told your parents/friends that looking at images was safe - well, not anymore."

23 of 555 comments (clear)

  1. Combined with airpwn.....wow by flinxmeister · · Score: 4, Insightful

    (Glad I stuck with IE 5.01 sp3 on NT)

    Man...talk about attack vectors. This would make a killer (as in bad) worm.

    IM
    Email
    Browsers (probably several)
    Anything....heck just copy exploit code to every accessible jpg file on a machine and/or network.

    As usual, the writers of the "mitigating factors" section don't seem to have much imagination.

    Remember the airpwn project? You could trojan/crack every unpatched machine on a wireless network who pulls up a web browser. And what about those folks who whacked interlands proxies to inject code? Just inject jpgs.

    Does anyone know if this can be 'stealth' injected into a JPG (like some of those mp3 issues), or is it standalone exploit code?

  2. Not the problem by MikeMacK · · Score: 5, Insightful
    "The vulnerability could only be exploited by an attacker who persuaded a user to open a specially crafted file or to view a directory that contains the specially crafted image," Microsoft said in a statement. "There is no way for an attacker to force a user to open a malicious file."

    The problem is not "forcing" people to open attachments, the problem has always been that people open attachments.

    1. Re:Not the problem by Carnildo · · Score: 4, Insightful

      Sounds to me like it should be sufficient simply to have a tainted JPEG image on a web page.

      --
      "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    2. Re:Not the problem by JayJay.br · · Score: 5, Insightful

      I would go even further: opening a specially crafted image is automatic if it is inside an HTML page.

      How easy would it be to make a website about almost anything and containing one of these babies?

      On a sidenote, would Firefox on Windows be vulnerable? Does it use Microsoft's JPEG library or does it have libjpeg embedded?

  3. Back in the day by Eberlin · · Score: 5, Insightful

    Call me old school, but remember back in the day when opening e-mail was ok, and that executable attachments were what we watched out for? Images were ok, MIDI files were ok, and a bit later, even MP3 files were ok.

    Of course if the same codebase were used then, it NEVER was ok...but we sure thought things were juuuust fine.

    Is this any way related to the leaked code that led to a vuln discovery regarding BMP files? I know it's a different format but seems like parsing image files spells some trouble.

  4. Re:Why? by bonniot · · Score: 4, Insightful
    Uh.. Because losing some data, while sucky, is hardly the same thing as, say, losing an eye? Or your life? Try to put things in some perspective.
    Don't you think that a company that sold file cabinets that accidentally shred documents once in a while would be sued?
  5. Spin Control by Wanker · · Score: 5, Insightful
    From http://www.microsoft.com/technet/security/Bulletin /MS04-028.mspx:
    In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.


    I like the phrase "no way to force users to visit a malicious Web site". How many users have image views enabled in their mail client? How hard would it be for a shady advertiser or a hacked advertiser to include a malicous JPEG as a banner ad?
  6. Re:Damn It. by Portigui · · Score: 5, Insightful
    Don't trust outside data. Don't developers think of these things?
    Of course we think of things but it is never possible to think of every possible scenario when you are punching out applications with hundreds of thousands lines of code. An old college professor of mine once said: "There is no such thing as a perfect programmer. Those that think they are, are either a fool or a liar."
  7. Re:Why? by St.+Arbirix · · Score: 4, Insightful

    I think that the kind of people who sue despite warning labels aren't going to be gunning for their OS Vendor (what's an OS? It's the computer's fault!). The average layman uses Occam's Razor to place blame on a computer. If something goes wrong it's most likely that their child did it or the computer is just broken and IBM or Dell is to blame.

    EULA's are the reason smarter people don't sue. They exempt the software vendor from an unimaginable amount of liability without the user ever knowing unless they read it.

    There appears to be nobody in the third group: the group that understands where the problem is but doesn't understand what EULA's do. They'd be the type to sue.

    The 4th group, which understands what an EULA does but doesn't understand how computers work, is likely the group that writes EULA's.

    --
    Direct away from face when opening.
  8. Re:Why? by ArsonSmith · · Score: 5, Insightful

    Well yea because you wouldn't expect a file cabnet to shred your files.

    On the other hand Microsoft spent years conditioning people to belive that computers just randomly shred your files.

    --
    Paying taxes to buy civilization is like paying a hooker to buy love.
  9. It just makes me shudder... by freshtonic · · Score: 4, Insightful

    ... at the horrendous software implementation errors that people are still making in this day and age. *There is no reason for buffer overflows to happen* . Every PC bought in the last five years (at least) is fast enough to bounds check every array / buffer access for all but the most performance-driven applications. Loading a JPEG from a stream is IO-bound enough for bounds checking to be negligible.

    From what I read, I gather that buffer overflows account for a large portion of all platform vulnerabilties - Intel & AMD have even implemented a 'no execute' feature in their latest CPUs to go someway to counteract this. I see this as useful, but perhaps overkill - it is *simple* to avoid buffer overflows and the 'no execute' feature could potentially impede devlopment of programs that generate code on the fly (such as Java VMs). The low-level programmers that have been developing C for 20 years just need re-educating. Somebody should tell them computers run at more than 8mhz now...

    (That last comment is not meant to be taken too seriously)

  10. Every hole in Windows... by dacarr · · Score: 3, Insightful
    Every hole in Windows seems to constitute the following:

    A buffer overflow can be used to execute arbitrary code

    ...or is that just me?

    --
    This sig no verb.
  11. no way to force you to open a jpeg? by Risto · · Score: 5, Insightful

    "There is no way for an attacker to force a user to open a malicious file."

    This has got to be one of the stupidest things MS has ever said.

    It's called spam!!!
    99.999% of email programs and browsers automatically "open" images for viewing

    We all get spam
    the image can be a logo or something nonsuspicious
    embedded in the email

    So you only have to read the email
    to get infected

  12. Re:Damn It. by echeslack · · Score: 4, Insightful

    I hope now that png, mp3, and jpg decoders have had vulnerabilities people will be a little more careful in the future.

    It isn't necessarily about being careful. If people were that careful about writing all their software, software would take ages to finish writing.

    And even then there would still be security flaws. I think the saying about bugs goes something like "Any non-trivial program has at least one bug." I think the same could probably be said for security vulnerabilities.

    Sure, we probably shouldn't be seeing buffer overflow exploits anymore considering the amount of attention they have gotten, but it isn't necessarily worth it to go back and review all your code just to find one type of vulnerability when others will be found eventually anyway.

  13. Re:Why? by Stevyn · · Score: 4, Insightful

    Yeah exactly. When I saw the grandparent post I slapped my forehead. The EULA clearly states that anything bad that happens to you isn't Microsoft's fault. Most software programs have that same clause in their license. If it weren't for that, Microsoft would have been killed by lawsuits years ago.

    Other industries don't have that luxury though. An ice cream company can't say put a label saying if you die eating our product we can't be at fault. One reason is that the FDA would go after them. Another reason is nobody would then buy the ice cream. But since it's so common in the software industry, people don't think twice about agreeing to the EULA.

  14. Wow, I mean seriously, wow by Ridgelift · · Score: 4, Insightful

    Microsoft rates the flaw "important" for many of its products, but "critical" for Outlook versions 2002 and 2003, Internet Explorer 6 with Service Pack 1, Windows XP and Windows XP with Service Pack 1, Windows Server 2003, and the .Net Framework 1.0 with Service Pack 2 and .Net Framework 1.1, according to the Security Bulletin.

    Isn't it interesting that when Microsoft is fighting court cases, Internet Explorer is consider "part of the operating system". But in this case they make the distinction between products, so that this flaw is "important" for one piece and "critical" for another.

    It's clear to me that Windows, Office and other related Microsoft products are simply unrepairable. And I don't buy that arguement that it's because they've got the biggest market share that these problems are made known. If that's the case, then how come Apache with over 60% of the market and millions of installations is not fraught with as many defects as Microsoft products?

    Solution: Microsoft has to open source their code. It will never happen, but they've proven beyond a shadow of a doubt that they can't fix their own code.

    1. Re:Wow, I mean seriously, wow by swissmonkey · · Score: 4, Insightful

      It's clear to me that Windows, Office and other related Microsoft products are simply unrepairable. And I don't buy that arguement that it's because they've got the biggest market share that these problems are made known. If that's the case, then how come Apache with over 60% of the market and millions of installations is not fraught with as many defects as Microsoft products?

      Go compare the number of vulnerabilities in IIS6 and Apache 2, you'll be very surprised.

  15. Re:Personal attack... by Ramses0 · · Score: 4, Insightful

    I started using Linux 5 years ago (hello Mozilla M12 :^). This was -just- before the internet went to hell with email viruses, worms, spyware, etc. I've just recently bought a Mac laptop (so quiet! :^), and a big factor was that I don't want to deal with windows (ever. except at work, where they do the whole managed deployment things).

    Basically: as difficult as it is to work with Linux (even Debian unstable. Vis: Wireless USB thingies, USB thingies in general, Kernel 2.6 upgrade + CDRom burning, etc), that pain is reduced 999x over by not having to run Ad-aware ever 2 hours, and not having to worry about patching the bug of the month that allows remote-root worms. At work I admin a little Debian-stable server because our IT/Unix department is mostly l4me, and have it set up to cron @daily apt-get "search for security updates" and email to our group. Get about 1-2 every other month, and that's with Known, Old software (provably more secure after every security bugfix). I can't imagine running windows for anything important. It's like being in middle-school with a big "Kick Me" sign taped to your ass.

    --Robert

  16. Re:Untrusted data by SpinyNorman · · Score: 4, Insightful

    What'll go a long way to getting rid of buffer overflow exploits is execute-protected memory, which AFAIK AMD currently has, and Intel is playing catch-up to get. Stack/Heap memory is then non-execute enabled, and if you want to do something tricky like generate code on the fly, then you need to get the OS to allocate memory with execute permission set.

  17. Re:Why? by FuzzyBad-Mofo · · Score: 3, Insightful

    Then there's the 5th group, who realize that EULAs aren't worth the paper they're not printed on, but don't feel like wasting their personal fortunes fighting a case against a major corporation over what is most likely small claims. (less than $5000 damages)

  18. Re:MS can afford to defend itself, small bus. can by DAldredge · · Score: 3, Insightful

    Ford, Bank of America, Kodak, Eastman Chemical, DuPont, GE, and other fortune 500 companies are not small and they get sued all the time for minor matters like this. But Microsoft doesn't.

    It's just something to think about. (Like the settle out of court and no one knows about the settlements.)

  19. Re:Fair Play by swissmonkey · · Score: 4, Insightful

    Lets face it ... If the open source community cannot even parse simple PNGS without leaving a security hole why the hell do they claim to be better than Microsoft ?

    If you actually knew what you're talking about, you'd know that the JPEG format is definitely not the easiest file format to support, and you'd also know that coding mistakes can happen everywhere, as witnessed daily in the open source community.

    So instead of going on an unjustified rant against MS because of something that happen daily everywhere, just chill out.

  20. Re:Why? by NanoGator · · Score: 4, Insightful

    "Why doesn't someone sue Microsoft? "

    Because Microsoft didn't commit the crime. The criminal who used the exploit did. It's fun to suggest things that would get MS in trouble, but if they were sue'able for this, every other product in the world that you like would be in danger, including Linux.

    --
    "Derp de derp."