Slashdot Mirror


Flaw in Microsoft JPEG Parsing

KDan writes "As reported by numerous sources, a new vulnerability has been disclosed (and patched) by Microsoft. This one concerns the parsing of JPEGs in XP Microsoft applications. A buffer overflow can be used to execute arbitrary code. So all those times you told your parents/friends that looking at images was safe - well, not anymore."

21 of 555 comments

  1. Why? by DAldredge · · Score: 4, Interesting

    If a small company releases a product and people get harmed, the lawyers descend like a pack of wolves to sue them.

    Why doesn't someone sue Microsoft? After all people sue companies all the time even if the product in question has warning labels.

  2. Microsoft rolls their own buggy JPEG reader... by Carnildo · · Score: 4, Interesting

    ...Everyone else uses libJPEG.

    Any bets on how long it'll be until someone finds either a hole in the Microsoft PNG decoder or libJPEG? We've had holes in libPNG and Microsoft's JPEG decoder.

    --
    "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.

  3. this isn't the first image exploit by gnat_x · · Score: 5, Interesting

    there have been lots of image exploits put out there.

    if memory serves there was even a png patch for linux this past summer.

    gif exploits have been around for a while too.

    the real worry here, as with most M$ security releases is how long they knew about it, and whether they waited until SP2 was released so they could say that their new software didn't have that vulnerability.

    microsoft security department, we take orders from marketing!

  4. Untrusted data by ChiralSoftware · · Score: 5, Interesting

    We're going to get burned over and over and over and then we will get burned some more by processing untrusted data (stuff off the net) using any language that has unsafe memory operations. This isn't just a Microsoft problem; we've seen the same problems in zlib (PNG), resulting in vulnerabilities in almost all Linux/Unix apps that handle graphics. We're going to keep seeing these problems until we start handling all unsafe data as if it's got a contagious disease, which means handling it in an isolated environment like a VM.

    ---------
    WAP software

    1. Re:Untrusted data by cthugha · · Score: 2, Interesting

      That'll protect against most, but not all, buffer overflows. What it won't protect against are attacks that overwrite the stack and then write a return address to code that'll treat what's on the stack as arguments that make it do something nasty.

      Note that these attacks are only guaranteed to succeed if the attacker has access to the same binary as you. Building your own binaries with an obscure compiler (or at least different compiler options) may be of assistance here.

      IIRC Intel has always built execute protection into its IA32 processors, unless these contained a bug that caused them to ignore the state of a page's execute flag?

  5. Re:Personal attack... by RocketScientist · · Score: 5, Interesting

    Before that, I told people for years, "No, you can't get a virus from just opening an email". Then the first "outlook virus that spams everyone in your address book" happened.

    Is anything safe? Should I start telling people, "No, actually nothing is safe, and you should just not use the computer if you don't want it infected with something nasty".

    Or just get them Macs.

  6. Re:Not the problem by suckfish · · Score: 2, Interesting

    Blaming the victims for opening attachments is silly.

    If it's that easy to tell the difference between hostile and benign content, then the differentiation should be done in the application in the first place. If programmers aren't up to doing this, what chance does Joe average user have?

    Oh, wait, the programmers did do it, just not the ones that work for M$.

  7. Re:Users of WinXP SP2.. by DigiShaman · · Score: 2, Interesting

    Wouldn't SP2 running on an AMD 64-bit be safe? I thought the No Data Execute feature was supposed to prevent this kinda shit from happening.

    --
    Life is not for the lazy.

  8. Pain in the ass to update by SilentChris · · Score: 4, Interesting

    While normally I shrug off most Slashdot anti-MS FUD, I've got to admit, this one's going to be a huge pain in the ass to roll out.

    Normally, I just read the whitepapers, run a test on a workstation, then roll out a Windows update using the free SUS server. This one, I'm going to have to roll out the update (just for XP SP1 users), figure out an update plan for Office, figure out who actually uses those image programs, etc.

    And here's a question: SP2 isn't affected. Why didn't they roll out this fix in SP1 *before* rolling out SP2, if they clearly knew it needed fixing? Most companies I know (mine included) are in the middle of testing SP2 migration plans. This adds another wrinkle to the whole process.

  9. Why doesn't someone sue LINUX? by Anonymous Coward · · Score: 1, Interesting

    Before you get too high and mighty, check this article from just 4 days ago.

  10. more interesting than you think by kiskoa · · Score: 3, Interesting

    Managed code - in this case .NET - is inherently secured against buffer underruns and code injection, as long as the VM and the external components used by the framework do not have buffer underrun bugs.

    And that's just what happened. .NET Framework is heavily dependent on GDI+. Now you can use managed software to hack the system.

    --
    If Yoda so strong in Force is, why words in right order he cannot put?

  11. Go No Execute Bit! by LordSah · · Score: 2, Interesting

    If you've got SP2 and an AMD64 chip, this is one great reason to use the no execute bit. I'll assume GDI+ won't mark picture data as executable.

  12. Re:Just plain crappy by Saige · · Score: 3, Interesting

    Nothing has changed in the way applications are programmed that now allows this to happen. What has happened is that people have just become more skilled in manipulating such situations. The possibilities were always there; it's just been more recent that people have been able to take advantage of them - and made such errors more visible.

    --
    "You know your god is man-made when he hates all the same people you do."

  13. Re:Not the problem by Gooba42 · · Score: 2, Interesting

    Or maybe inject one as an Ad somewhere?

    Most people don't know how to turn off images in their browsers much less why they would want to do so.

    --
    I just found out there's no such thing as the real world. It's just a lie you've got to rise above. - John Mayer

  14. I'm sick of this by Chuck+Bucket · · Score: 2, Interesting

    I haven't run Windows at home for 2 years, but I still have to talk to my mom and her neighbors 1000 miles away because they have Dells with XP! Regardless of what I've done from here, their machines just get overrun with viruses or trojans. I've installed Spybot, they have McAfee running (supposedly), and now this.

    I really wish my mom would get broadband so I could install/admin Linux from here.

    BC

  15. Re:Damn It. by HawkingMattress · · Score: 4, Interesting

    So you really think it's that simple?
    Your code is probably full of security holes, just like everybody's, and the fact that you think it's so simple is clear evidence...
    Look, even Knuth was so certain that his code could not possibly be bugged that he promised a prize to the persons who would find bugs. And still, some were found. And we are talking about a program that was mathematically provable, and made by the living god of computer science, damnit!
    And you think that your code, which is sitting on dozens of layers speaking to each other behind your back, and made with a high level language, cannot possibly have an unknown bug which could cause a security hole?
    If so, then you're a security hole yourself.

  16. Is that the Windows splash screen? by solprovider · · Score: 2, Interesting

    (See the link in the parent post.)

    My first thought was that Time was exposing that Microsoft is behind/inside/running the US government.

    Then I read the captions, and it's just something about how our borders are still open. Yeah, we're still the free country. No, our fight against terrorism is losing. Yay, we still have rights. No, we want the government to take those rights away. Yay, bring us your poor and tired, or at least they will be once they start working our overtime crazy schedules. No, I am not reading Time magazine to discover how they slanted it; I'd rather read Slantdot.

    But watch out! That image of the magazine cover is a JPEG. Time magazine could be taking over your computer. (Pretending that anybody reading Slashdot is still using MSInternetExplorer.)

    --
    I spend my life entertaining my brain.

  17. Re:This post is only directed towards Todd Walters by nuttyprofessor · · Score: 2, Interesting

    I am not Todd Walters, but does anyone know
    ****HOW**** code embedded in the image
    gets executed?

    No one is giving any technical details.
    Toooo much ****NOISE****, not enough ****INFO****.

  18. Re:Damn It. by JamieF · · Score: 2, Interesting

    Real Programmers do make mistakes. However, they don't ship code with great big galloping bugs that a quick code review or many many code analysis tools could have found.

    In Knuth's case, he didn't say "I bet $100,000,000,000 that nobody can find a bug!". He created an incentive for people to review his code for bugs. There's a big difference.

  19. The MS Bulletin by ManuelKelly · · Score: 3, Interesting

    This is real nasty. It looks like most versions of Office as well as MS Works since 2000 are affected. See the Security Bulletin. Any random Word document with an infected embedded jpg is a transfer vector.

  20. Open source jpeg libraries? by cpghost · · Score: 2, Interesting

    Isn't it a reasonable assumption that MSFT is using open source JPEG libraries just like anyone else? Shouldn't we audit libjpeg now, just to be sure?

    --
    cpghost at Cordula's Web.