Flaw in Microsoft JPEG Parsing
KDan writes "As reported by numerous sources, a new vulnerability has been disclosed (and patched) by Microsoft. This one concerns the parsing of JPEGs in XP Microsoft applications. A buffer overflow can be used to execute arbitrary code. So all those times you told your parents/friends that looking at images was safe - well, not anymore."
...you obviously never saw goatse...
Give me a job. Please?
If a small company releases a product and people get harmed the lawyers descend like a pack of wolves to sue them.
Why doesn't someone sue Microsoft? After all people sue companies all the time even if the product in question has warning labels.
(Glad I stuck with IE 5.01 sp3 on NT)
Man...talk about attack vectors. This would make a killer (as in bad) worm.
IM
Email
Browsers (probably several)
Anything....heck just copy exploit code to every accessible jpg file on a machine and/or network.
As usual, the writers of the "mitigating factors" section don't seem to have much imagination.
Remember the airpwn project? You could trojan/crack every unpatched machine on a wireless network who pulls up a web browser. And what about those folks who whacked interlands proxies to inject code? Just inject jpgs.
Does anyone know if this can be 'stealth' injected into a JPG (like some of those mp3 issues), or is it standalone exploit code?
The problem is not "forcing" people to open attachments, the problem has always been that people open attachments.
Are not affected, unless they have Office installed.
and i was always telling everyone from the start, download your porn in png format.
Marge, get me your address book, 4 beers, and my conversation hat.
...Everyone else uses libJPEG.
Any bets on how long it'll be until someone finds either a hole in the Microsoft PNG decoder or libJPEG? We've had holes in libPNG and Microsoft's JPEG decoder.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
I've been telling people for years "no, you can't get a virus from things like a JPEG picture. You're fine."
Now this. Considering how many bugs are reported in all versions of MS software, it is entirely possible that there are PERSONAL bugs. "This one is for Charles. Let's fuck with him."
Sigh...
-Charles
Learning HOW to think is more important than learning WHAT to think.
The parent post has been flagged for violation of the "Anti Buzzword Use Act". Specific violation: use of the phrase "attack vector". Sanction: exile from use of any computer, writing utensil or paint brush for 10 years.
Call me old school, but remember back in the day when opening e-mail was ok, and that executable attachments were what we watched out for? Images were ok, MIDI files were ok, and a bit later, even MP3 files were ok.
Of course if the same codebase were used then, it NEVER was ok...but we sure thought things were juuuust fine.
Is this any way related to the leaked code that led to a vuln discovery regarding BMP files? I know it's a different format but seems like parsing image files spells some trouble.
there have been lots of image exploits put out there.
if memory serves there was even a png patch for linux this past summer.
gif exploits have been around for a while too.
the real worry here, as with most M$ security releases is how long they knew about it, and whether they waited until SP2 was released so they could say that their new software didn't have that vulnerability.
microsoft security department, we take orders from marketing!
---------
WAP software
They should forget about Internet Explorer and try their hand on a different line of software...
The problem with socialism is that they always run out of other people's money. - Margaret Thatcher
Don't worry folks you can still get your pr0n without getting a social disease...
www.asciipr0n.com
Who said looking at Pr0n was safe?
I like the phrase "no way to force users to visit a malicious Web site". How many users have image views enabled in their mail client? How hard would it be for a shady advertiser or a hacked advertiser to include a malicious JPEG as a banner ad?
This exploit has been around for at least two years. I've heard of people getting owned through AIM direct connections in particular. While I'm sure it would be fun to play around with, I suspect most programs wouldn't be vulnerable anyways (Microsoft products aside).
... you think?
"The dew has clearly fallen with a particularly sickening thud this morning"
You fool! Everybody knows that pr0n messes up your computer!
pfft...maybe now they'll fully support AOL's .art files. Serves them right.
*ducks*
If you think
The parent post has been flagged for violation of the "Anti Buzzword Use Act". Specific violation: use of the phrase "attack vector".
You're right, I should have said "Airpwn could leverage the synergies of this vulnerability and streamline the deployment...with or without interactive buy-in by stakeholders"
Seriously, if you're going to be cute about buzzwords, at least wait until someone uses a real buzzword..."attack vector" is a real term and hasn't reached convergence in the buzzword mindshare yet.
While normally I shrug off most Slashdot anti-MS FUD, I've got to admit, this one's going to be a huge pain in the ass to roll out.
Normally, I just read the whitepapers, run a test on a workstation then roll out a Windows update using the free SUS server. This one, I'm going to have to roll out the update (just for XP SP1 users), figure out an update plan for Office, figure out who actually uses those image programs, etc.
And here's a question: SP2 isn't affected. Why didn't they roll out this fix in SP1 *before* rolling out SP2, if they clearly knew it needed fixing? Most companies I know (mine included) are in the middle of testing SP2 migration plans. This adds another wrinkle to the whole process.
Before you get too high and mighty, check this article from just 4 days ago.
PNG is designed for compressing cartoon images. Though a lot can be found on the various hentai newsgroups and alt.binaries.pictures.erotica.disney, not everybody is into that.
This comment does not represent the views or opinions of the user.
You don't allocate a buffer of fixed length unless you're lazy. You find out how long the input is, allocate a buffer big enough to fit then move the input to the buffer. When you're done you deallocate the buffer. Simple, safe and easy. I guess Micro$oft coders never learned how to practice safe hex.
Good, inexpensive web hosting
Microsoft made it possible.
When you assumed you couldn't get attacked by loading a web page?
Microsoft made it possible, too.
When you swore you couldn't get infected just by receiving e-mail?
Microsoft made it possible, again.
And now, by the very same people who gave you all that...
The JPEG parser vulnerability!!!
God, this company has really brought innovation to the industry!
Try getting the patch without using Windows Update. Can be done, but they don't make it easy. No help here
Update's too slow over dial up, and Comcast and Qwest already get too much of my money.
Never let a lack of data get in the way of a good rant.
... at the horrendous software implementation errors that people are still making in this day and age. *There is no reason for buffer overflows to happen* . Every PC bought in the last five years (at least) is fast enough to bounds check every array / buffer access for all but the most performance-driven applications. Loading a JPEG from a stream is IO-bound enough for bounds checking to be negligible.
From what I read, I gather that buffer overflows account for a large portion of all platform vulnerabilities - Intel & AMD have even implemented a 'no execute' feature in their latest CPUs to go some way to counteract this. I see this as useful, but perhaps overkill - it is *simple* to avoid buffer overflows and the 'no execute' feature could potentially impede development of programs that generate code on the fly (such as Java VMs). The low-level programmers that have been developing C for 20 years just need re-educating. Somebody should tell them computers run at more than 8 MHz now...
(That last comment is not meant to be taken too seriously)
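The two posts above make the same defensive point from different angles: size your buffer from the actual input length, and bounds check every access. As an added example (not code from the original page, and not GDI+ or any Microsoft code), here is that discipline applied to the data this thread is about: a walker over the marker segments of a JPEG header that validates each 16-bit length field before it reads or copies anything. The sample inputs are hand-constructed byte strings, not real files; the function and sample names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of scanning the marker segments of a JPEG header. */
enum jpeg_scan_result {
    JPEG_OK = 0,
    JPEG_ERR_NOT_JPEG,    /* no SOI marker, or a non-0xFF byte where a marker belongs */
    JPEG_ERR_TRUNCATED,   /* a segment claims more bytes than the input actually holds */
    JPEG_ERR_BAD_LENGTH   /* a length field smaller than the two bytes it occupies */
};

#define JPEG_COMMENT_CAP 64

/* Walk the marker segments that precede a JPEG's entropy-coded data and copy
 * the first COM (FF FE) payload into `comment`, NUL-terminated.
 *
 * Every read is checked against `len` before it happens, and the copy is sized
 * from the validated length field, never from an assumption about how long a
 * comment "should" be. A JPEG length field counts its own two bytes, so a value
 * below 2 is malformed: computing `seglen - 2` on it in unsigned arithmetic
 * would wrap to an enormous payload size, which is why that check comes before
 * any subtraction or memcpy. */
enum jpeg_scan_result jpeg_scan_segments(const uint8_t *buf, size_t len,
                                         char *comment, size_t comment_cap,
                                         size_t *nsegs)
{
    size_t pos = 2, count = 0;
    int have_comment = 0;

    if (comment && comment_cap) comment[0] = '\0';
    if (nsegs) *nsegs = 0;

    /* Start Of Image: FF D8. */
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8)
        return JPEG_ERR_NOT_JPEG;

    for (;;) {
        size_t seglen, payload_len;
        uint8_t marker;

        if (len - pos < 2)                                /* need the two marker bytes */
            return JPEG_ERR_TRUNCATED;
        if (buf[pos] != 0xFF)
            return JPEG_ERR_NOT_JPEG;
        while (pos + 1 < len && buf[pos + 1] == 0xFF)     /* optional 0xFF fill bytes */
            pos++;
        if (len - pos < 2)
            return JPEG_ERR_TRUNCATED;
        marker = buf[pos + 1];

        /* EOI (FF D9) has no length field; SOS (FF DA) starts the image data.
         * Either one ends the header walk. */
        if (marker == 0xD9 || marker == 0xDA) {
            if (nsegs) *nsegs = count;
            return JPEG_OK;
        }

        if (len - pos < 4)                                /* need marker + 16-bit length */
            return JPEG_ERR_TRUNCATED;
        seglen = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        if (seglen < 2)
            return JPEG_ERR_BAD_LENGTH;
        if (seglen > len - (pos + 2))                     /* whole segment must lie inside buf */
            return JPEG_ERR_TRUNCATED;
        payload_len = seglen - 2;

        if (marker == 0xFE && comment && comment_cap && !have_comment) {
            /* Copy no more than the destination can hold, leaving room for the NUL. */
            size_t n = payload_len < comment_cap - 1 ? payload_len : comment_cap - 1;
            memcpy(comment, buf + pos + 4, n);
            comment[n] = '\0';
            have_comment = 1;
        }

        count++;
        pos += 2 + seglen;
    }
}

/* Constructed sample inputs (hand-built byte strings, not real image files):
 * a minimal JPEG with an APP0 segment and a 5-byte comment, one whose COM
 * length field is 1, and one whose COM length runs far past the data. */
static const uint8_t sample_ok[] = {
    0xFF, 0xD8,
    0xFF, 0xE0, 0x00, 0x04, 'J', 'F',
    0xFF, 0xFE, 0x00, 0x07, 'h', 'e', 'l', 'l', 'o',
    0xFF, 0xD9
};
static const uint8_t sample_bad_len[]   = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x01, 0xFF, 0xD9 };
static const uint8_t sample_truncated[] = { 0xFF, 0xD8, 0xFF, 0xFE, 0x10, 0x00, 'a' };

/* Results of the most recent scan_sample() call, kept for inspection. */
static char   last_comment[JPEG_COMMENT_CAP];
static size_t last_nsegs;

enum jpeg_scan_result scan_sample(const uint8_t *buf, size_t len)
{
    return jpeg_scan_segments(buf, len, last_comment, sizeof last_comment, &last_nsegs);
}

int main(void)
{
    int r = scan_sample(sample_ok, sizeof sample_ok);
    printf("ok:        %d (segments=%zu, comment=\"%s\")\n", r, last_nsegs, last_comment);
    printf("bad len:   %d\n", scan_sample(sample_bad_len, sizeof sample_bad_len));
    printf("truncated: %d\n", scan_sample(sample_truncated, sizeof sample_truncated));
    return 0;
}
```

Feeding the walker a segment whose length field is 0 or 1 is rejected before any arithmetic on it, which is the kind of input a parser that trusts the length field would mishandle.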
I Told You So.
BTW if you see this leave me a post, I haven't heard from you in 12 years and I don't know where you are.
Ohh man I hope the first virus/worm/trojan based on this is named after an STD.
I was surfing porn and got herpes.
That would be soooo funny.
Paying taxes to buy civilization is like paying a hooker to buy love.
A buffer overflow can be used to execute arbitrary code
This sig no verb.
Is there any kind of a browser plug-in I could use to decipher steganographically enhanced JPEG images that might just come over plain old unsuspicious unencrypted http?
GIFs were evil, PNG support lacked transparency, now JPEGs can cause buffer overflows - I'd say that IE has an image problem... Excuse me while I just run away now.
"Provided by the management for your protection."
And that's just what happened. .NET Framework is heavily dependent on GDI+. Now you can use a managed software to hack the system.
If Yoda so strong in Force is, why words in right order he cannot put?
"There is no way for an attacker to force a user to open a malicious file."
This has got to be one of the stupidest things MS has ever said.
It's called spam!!!
99.999% of email programs and browsers automatically "open" images for viewing
We all get spam
the image can be a logo or something nonsuspicious
embedded in the email
So you only have to read the email
to get infected
Looks dangerous...
~G
(sorry couldn't resist)
...when it gets down to fundamentals, do what you have to do and shed no tears. Dr. Matson in Tunnel in the Sky
So the next Anna Kournikova virus will actually be a picture of Anna Kournikova
On Microsoft products, porn screws YOU!
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
I hope now that png, mp3, and jpg decoders have had vulnerabilities people will be a little more careful in the future.
It isn't necessarily about being careful. If people were that careful about writing all their software, software would take ages to finish writing.
And even then there would still be security flaws. I think the saying about bugs goes something like "Any non-trivial program has at least one bug." I think the same could probably be said for security vulnerabilities.
Sure, we probably shouldn't be seeing buffer overflow exploits anymore considering the amount of attention they have gotten, but it isn't necessarily worth it to go back and review all your code just to find one type of vulnerability when others will be found eventually anyway.
GMail invites for completed freeipods.com of
A while ago, there was a source leak and someone found a vulnerability in the BMP shell. Is this related to the same thing?
A NYC lawyer blogs. http://www.chuangblog.com/
If you've got SP2 and an AMD64 chip, this is one great reason to use the no execute bit. I'll assume GDI+ won't mark picture data as executable.
Microsoft rates the flaw "important" for many of its products, but "critical" for Outlook versions 2002 and 2003, Internet Explorer 6 with Service Pack 1, Windows XP and Windows XP with Service Pack 1, Windows Server 2003, and the .Net Framework 1.0 with Service Pack 2 and .Net Framework 1.1, according to the Security Bulletin.
Isn't it interesting that when Microsoft is fighting court cases, Internet Explorer is considered "part of the operating system". But in this case they make the distinction between products, so that this flaw is "important" for one piece and "critical" for another.
It's clear to me that Windows, Office and other related Microsoft products are simply unrepairable. And I don't buy that argument that it's because they've got the biggest market share that these problems are made known. If that's the case, then how come Apache with over 60% of the market and millions of installations is not fraught with as many defects as Microsoft products?
Solution: Microsoft has to open source their code. It will never happen, but they've proven beyond a shadow of a doubt that they can't fix their own code.
Ruby on Rails Screencast
So all those times you told your parents/friends that looking at images was safe - well, not anymore."
If there was a way to do it wrong, Microsoft seems to have found it.
A feeling of having made the same mistake before: Deja Foobar
Many years ago, back when operating systems were worth using, processing an invalid data file would cause the processing to stop or the application to crash, at worst.
When did applications become so slipshod that an error in the data stream can turn into executable code? I realize this sort of thing comes out on Linux, as well. It always makes me wonder how long this has been sitting in someone's 0-day folder and being used on the unwitting populace.
They say that most exploits are of already acknowledged vulnerabilities. Why does no one acknowledge that, if a black hat is good enough to find a bug they haven't, the black hat is also good enough to cover his trail while he's pwning everyone?
+++ATHZ 99:5:80
So, this is probably an obvious question, but hell, let's get it out there...
Does this affect Firefox?
vk.
This is bad...Very bad... I usually am not an alarmist, just keep things up to date and everything will work out. This allows so many routes of exploitation - just wait for the script kiddies to work their magic.
If religious zealots don't believe in Evolution, then why are they so worried about bird flu?
s/Microsoft/Government/
You hear a tinny voice off in the distance say, "That's not a bug, that's a feature."
A feeling of having made the same mistake before: Deja Foobar
Sp2 is not affected. It smells like the new compiler switch avoided the flaw. One more reason to install SP2 to your friends & parents...
"No program is perfect,"
They said with a shrug.
"The client is happy!
What's one little bug?"
But he was determined.
The others went home.
He dug out the flowchart,
Deserted, alone.
Night passed into morning.
The room was cluttered
With memory dumps, microfiche...
"I'm close!" he muttered.
Chain smoking, cold coffee,
Logic, deduction...
"I've got it!" he cried.
"Just change one instruction!"
Then change two. Then three.
As year followed year,
Strangers would comment,
"Is that guy still here?"
He died at the console
Of hunger and thirst.
Next day he was buried
Face down, nine edge first.
His wife, through her tears,
Accepted his fate,
Saying, "He's not really gone -
He's just working late."
that's funny, my college professor said the same thing about masturbation...
the big question is - "is there a link?"
Who's with me?! I SAID... WHO'S WITH ME!!??
So first, I can't have sex, because there's no such thing as safe sex.
...and with that, I hide.
Now I can get a virus from downloading porn!?
Next you'll be telling me that I can't watch VHS tapes, because they'll inject malicious things into my proprietary bits.
It's only an insult if it's not true.
Bad guess. I first started programming in 1969. Back then, the way to avoid buffer overflows was to put your buffer at the end of the program so there was nothing to be overwritten. Not really practical today, of course, but the basic idea of protecting your code from overflows if you can still applies.
Good, inexpensive web hosting
He doesn't want to know. He's looking for a Todd Walters.
:-)
Nice try for a troll, but you might want to spell your own name correctly next time....
Well, at least you can rest assured that, at the worst, it's your *computer* that gets infected with a computer virus, not you yourself with a biological virus ...
Hang on, I just noticed a web site with this news: "Microsoft announces new feature in WinXPhorn Avalon.NET OutlookPoint 2006: automatic administration of cholera vaccine simply by clicking on the VACCINATION button (requires use of new Fingerpoke Mouse hardware with Embedded Injection Technology from Microsoft)."
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
ASCII pr0n all the way!
Is doing anything online 100% safe anymore? Hell, just being online and doing nothing isn't even safe..
Brave new world.. Sux..
This is what happens when you have more complex systems than is really needed just to have an extra feature to get people to 'upgrade'..
---- Booth was a patriot ----
ISBN 0-7645-4468-3
Privacy is terrorism.
I guess thats why people doing science research are no longer paying programmers.
Ahhh, what we have here is a bitter old man jealous of those with CS degrees.
Regexp on binary data? Good luck.
Preparse the data? What if your preparser has the flaw?
I guess when hacking your little math programs and Perl scripts you don't get much exposure to large projects. Build your doghouse and criticize the skyscraper architect.
The open source libjpeg that just about all open source software depends on has had its own share of problems.
It's good to see that file parsers, not something that traditionally receives the degree of scrutiny that network-facing server code gets, are being examined for security vulnerabilities, though.
May we never see th
anyone know?
2 years and no mod points. Join reddit. Because openness is good.
I haven't run windows at home for 2 years, but I still have to talk to my mom, and her neighbors 1000 miles away cause they have Dells with XP! regardless of what I've done from here their machines just get overrun with viruses or trojans. I've installed spybot, they have McAfee running (supposedly) and now this.
I really wish my mom would get broadband so I could install/admin linux from here.
BC
free ipod and free gmail!
Microsoft Security Bulletins RSS feed, to receive notifications of new patches ASAP
MBSA and HFNetChk, automated tools to check if your system is up to date (see also the qfecheck command to check the status of installed patches)
Windows Update: analyze and update your system from a web page
Microsoft Systems Management Server (prices and licensing), a solution for the management of Windows networks. Comes with support for automated deploying of patches
Make a difference - use Windows! (open source clone of Windows NT)
Time to hack a jpg on msn and hotmail to trigger downloads of Firefox and Thunderbird.
http://www.microsoft.com/security/bulletins/200409_jpeg_tool.mspx
I guess you can't say that it's safe to look at porn anymore!
Patent: from Latin patere, to be open
To the masturbation?
So you really think it's that simple ?
Your code is probably full of security holes, just like everybody's, and the fact that you think it's so simple is a clear evidence...
Look, even Knuth was so certain that his code could not possibly be bugged that he promised a prize for the persons who would find bugs. And still, some were found. And we are talking about a program that was mathematically provable, and made by the living god of computer science, damnit !
And you think that your code, which is sitting on dozens of layers speaking to each other behind your back, and made with a high level language, cannot possibly have an unknown bug which could cause a security hole?
If so, then you're a security hole yourself.
"nine edge" is the bottom of an IBM punchcard. had to load them "face down nine edge" first into the reader...
"..."attack vector" is a real term and hasn't reached convergence in the buzzword mindshare yet."
That whole last post was good, but that end part! Denying a charge of buzzword abuse like that; it's beautiful! Bravo, and well done.
There are 01 kinds of cars in the world. The General Lee, and everything else.
Both vulnerabilities mentioned within the article have already been fixed by all major Linux distributions. Replacement of the vulnerable library packages is easy to do and does not impact any of the software that depends upon those libraries. Linux is inherently more securable than Microsoft's desktop environment and applications.
Seriously, if you're going to be cute about buzzwords, at least wait until someone uses a real buzzword..."attack vector" is a real term and hasn't reached convergence in the buzzword mindshare yet.
:P
Just you wait until there's a paradigm shift; all of the sudden, you'll have to be proactive and think outside the box and you'll say to yourself, "Who moved my cheese?"
Use one for important stuff, and the other to surf...
And make sure they know to expect to be hit and have to reload their 'web' computer often...
---- Booth was a patriot ----
One mitigating factor some of these news articles are omitting (and I just noticed): the JPEG parser runs with user permissions. So, a user can hose their directory instead of the entire system, assuming it's configured correctly.
Small consolation for home users, I know, but at least I won't need to worry as much for my domain users. I don't trust them with jack, and they're given the lowest permission level available above "computer completely turned off".
The actual updates are here:
http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx
Windows Update wants you to download Windows XP SP2, which I'm not ready to do.
Avoid messy Windows and Office Updates and get what you need directly...
http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
Note that you may have to patch SEVERAL microsoft products. (E.g., you need separate updates for IE6 SP1, VS.NET 2003, Office 2003...)
Note also that if you are running IE6 SP1 on *any* OS, you are vulnerable according to the bulletin.
Some versions of the .NET framework are vulnerable too. Talk about multiple attack vectors!
I tried updating Visio and Office. Both of the security update procedures insist on you inserting the exact same version of the installation CD that you used originally, otherwise they fail.
In my case, I have the disks from later versions of both products and these were rejected. (I think this NT-2000 installation was from a corporation that dropped dead a year ago and I never bothered reinstalling Office and Visio on top of the already existing installations.)
This means people who "borrowed" CDs for these two products are potential big fat targets.
Bill Gates gets to make another 10 billion dollars.
...knowing that my mail client doesn't even load images -- it just strips down all that HTML mess to plaintext. I never trusted pretty emails.
Honestly, looking at something like emails -- what does all this "meta data" add that isn't available from plain text information content? Want a hyperlink, spell out its URL. Want some lines? Play around with hyphens. It's really not so bad, and so so much less dangerous.
(See the link in the parent post.)
My first thought was that Time was exposing that Microsoft is behind/inside/running the US government.
Then I read the captions, and it's just something about how our borders are still open. Yeah, we're still the free country. No, our fight against terrorism is losing. Yay, we still have rights. No, we want the government to take those rights away. Yay, bring us your poor and tired, or at least they will be once they start working our overtime crazy schedules. No, I am not reading Time magazine to discover how they slanted it; I'd rather read Slantdot.
But watch out! That image of the magazine cover is a JPEG. Time magazine could be taking over your computer. (Pretending that anybody reading Slashdot is still using MSInternetExplorer.)
I spend my life entertaining my brain.
Because the small company can't afford to defend itself, Microsoft can. Some lawsuits are filed with the intention of settling for something less than what the defendant would have to pay to successfully defend themselves. Even when a small business is in the right they have to settle because it will cost less. When a company has enough resources, money or lawyers on staff, they will vigorously defend all lawsuits even when doing so costs more than a settlement would. This is to deter lawsuits where the plaintiff knows they have no case.
I was gonna say something like "well at least it's good to see that Microsoft is reusing code!" but if you have to separately update each application, that's pretty lame. They get all the benefit of reuse but you still have to install redundant binaries all over the place?
Why isn't there just a shared library (or two or three, if there are incompatible versions) that needs to be updated at an OS level, fixing everything that links to it?
Let's face it ... If Microsoft cannot even parse simple JPEGs without leaving a security hole why the hell do they have the position they hold in the marketplace today?
.. they just make a product... The evidence is out there time and time again. YET! people still deploy it! you have to be blind (or damn stupid) to recommend M$ as a safe platform on which a business depends. Why do people believe it is "The best solution?" ? it beats me! (yay! employ me, I will recommend to my boss a platform that is proven to be full of security holes, is unstable and is a sitting target for exploits)? I'd be ashamed to recommend M$ to anyone who employed me as a techie.
Microsoft != Security folks...
it might be marginally more friendly than Selected Choice Opposition, but at the end of the day you have to question the people who chose to deploy M$ solutions. Don't Blame the boys in Redmond!
M$ depend on ignorance and bribery and FUD supplied to (stupid) systems people, I don't know a single M$ user that actually trusts the platform that they use, no matter how much they feel indebted to it! (they still get pissed off with it!) even if they are showing off their P4 HT 4ghz uber-spec system! Even Joe Sixpack hates those pop-ups and needs to call on geek friends to remove spyware! M$ is just shit point blank! The only people that can be absolved are the "non-technical" people that simply assume that's "just the way it is" and accept it because they don't know otherwise.
I don't care how many anti-this, anti-that trolls and zealots there are. At the end of the day there are people making decisions out there based on pretty pictures and not on proven facts.
The fact of the matter, in black and white, is that if security, stability and cross-platform compatibility matter to you, M$ is not an option; it doesn't even enter the equation. Would you own up to recommending M$? And on what grounds?
Nick...
Electronic Music Made Using Linux http://soundcloud.com/polyp
That is the most laughing I have ever done in my 4+ years on slashdot. This post should be a (+12) funny. Damn. I'm still chuckling. Thanks, anonymous AC.
Ford, Bank of America, Kodak, Eastman Chemical, DuPont, GE, and other fortune 500 companies are not small and they get sued all the time for minor matters like this. But Microsoft doesn't.
It's just something to think about. (Like the settle out of court and no one knows about the settlements.)
This happens to you when you don't pay the appropriate licensing fees!
Hotmail does not automatically download images if you access it using Mozilla without "Accept all images". Even MS's navigation graphics do not appear using "Accept images that come from the originating server only" because the URLs for the images contain the IP Address!
---
I am still wishing Mozilla would add the ability to easily add domains/server/paths to the "Allow" list for image permissions. I am using Mozilla 1.6, so it is possible they figured out a better UI (by reading my posts?) to improve it in a more recent release. Without a good UI, functionality does not matter. Mozilla's 9 clicks to view a picture is excessive. (I just spent 5 hours designing a dialog box that has one set of radio buttons and one set of checkboxes. Now I have to make the functionality work.)
---
Somebody else already asked, but there were no answers. Does anybody know if Mozilla on MSWindows could be susceptible to this bug?
I took this news report as an opportunity to remind my friends and family to use Mozilla. Some of them are using Mozilla on MSWindowsXP. I told them they are safe from THIS Microsoft bug. Did I lie?
I spend my life entertaining my brain.
Real Programmers do make mistakes. However, they don't ship code with great big galloping bugs that a quick code review or many many code analysis tools could have found.
In Knuth's case, he didn't say "I bet $100,000,000,000 that nobody can find a bug!". He created an incentive for people to review his code for bugs. There's a big difference.
LRC, the best-read libertarian site on the web
Pwned? What kind of kiddies come up with this stuff; that's not even pronounceable.
I think the idea is supposed to be that the target is so "owned" that the letter "o" is insufficient for the task and is incremented by one to a "p."
AFAIK it's still pronounced as if the first letter were an "o." Perhaps the speed at which the "ownedness" increases to the point of incrementing the first letter is so great that the pronunciation lags behind, like the shockwave wake of a supersonic aircraft.
"...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
I Googled Bush and got crabs.
-
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Oh, if I only had mod points!
There: Something at a specific location.
Their: Owned by someone.
Please make sure your English compiles.
Check out Chad's News
I've been telling readers of my nontechnical security blog (http://www.berylliumsphere.com/security_mentor) to "stay out of bad neighborhoods". Obviously there's residual risk: legitimate sites do get compromised, eBay doesn't control the uploaded pictures, and so on. But there should be some risk reduction from avoiding warez/porn/spamvertised places.
Long term we may need to sandbox web and mail clients.
>Or just get them Macs.
May or may not help. It wasn't long ago that OS X had a remote compromise from visiting a web page. OS X has good DNA but it's also had less testing/debugging from bad guys. The big advantage of a Mac today is like wearing camouflage: you don't have to be bulletproof if nobody shoots at you.
Unfortunately that doesn't protect against exploits recoded as return-to-libc exploits.
This is real nasty. It looks like most versions of office as well as MS Works since 2000 are affected. See the Security Bulletin. Any random word document with an infected embedded jpg is a transfer vector.
If you have Win 98, IE 6 needs patching.
I just did Windows Update from Win98SE.
Performance rating - ms windows
Listen to music: insecure
+ Look at pictures: insecure
+ Read a document: insecure
= Keep windows on: insecure
If there is no use of windows anymore then, Remedy is: No windows - only doors and walls please. Close windows.
Watch out for next week's critical flaw in MS Hello World.
Next vulnerable file format is ASCII text file
Just FYI, this is one of the greatest add-ons for Outlook. It allows you to completely disable HTML for incoming messages (which, in turn, lets you turn back on the PREVIEW pane!).
Further, you can specify precisely what extensions are to be trusted -- useful if you frequently email database files or other "forbidden" files to co-workers. While you can also do this with a registry hack, having it as an option panel in Outlook is nice.
BUT WAIT, THAT'S NOT ALL! It also allows you to minimize Outlook to your system tray when you minimize the window -- nice if you like to keep Outlook open all the time, but don't like it taking up valuable space.
It's also free, though it's so damned useful I suggest you donate some cash to the guy. Disclaimer: I don't work for the guy, I don't know the guy, but I love the software and have installed it on every networked machine at my office. It rules.
Once again, download it here.
Sounds like you've got ad-ware. Is this on IE? If so, then nothing's off-limits; if not IE, then that's just weird.
Both times Mozilla on FC2, on two different machines with two completely different networks.
I stole this Sig
From the advisory:
The JPEG parsing engine included in GDIPlus.dll contains an exploitable buffer overflow. When a specially crafted JPEG image is accessed through the Windows XP shell, a buffer overflow occurs potentially allowing an attacker to run arbitrary code on the affected system. Due to the pervasiveness of the affected dll there may be other vulnerable attack vectors.
For the full advisory please see: http://lists.seifried.org/pipermail/security/2004-September/004765.html
Set one of these JPEG files as your avatar in MSN Messenger, and hack your whole contact list at once!
Karma: It's all a bunch of tree-huggin' hippy crap!
...for different products.
Microsoft development -- who says you can't build quality products with ctrl-c / ctrl-v?!
I always kind of thought that it meant pawned...similar to owned, but even more derogatory?
-Ben
so it doesn't require the CD. Yeah, I have mine - somewhere. It's not like I'm a heavy Office user. Now ask your typical technophobe where her or his CD is. Especially for a computer that's a couple of years old and everything came pre-installed.
Their Office Update implementation is even worse than you think. Let's say I have Office 2000 Small Business. Great, that disc won't work if the original install was Premium or any other version. Even Office 2000 SR-1 discs won't work with Office 2000. Come on, the binaries can't be that fucking different.
Office Update should be moved into Windows Update, and MS should figure out a way to do these updates without a CD and still keep the download manageable. Heck, they don't even really do that, do they?
We spend all this time doing MS's work for them. Telling people about Automatic Updates, etc. It's only a matter of time before there is a new batch of Word and Excel based viruses (not to mention Visio).
There are a lot of holes in Office. Let's see, the recent WordPerfect converter exploit and the JPEG exploits are both buffer overruns. So even if you got the latest service pack after install (like I usually do), these two are just waiting to be abused, and sadly people think Automatic Updates takes care of all this.
...small claims court? Cost you maybe 25 clams or something filing fee, and no one can have a lawyer in court. Challenge the dang EULA if you want. I think one way a challenge could come from is you can't sign a contract that gives up any of your rights, so the contract becomes null. Challenge even if you are just renting the software to use it; it says on the box "operating system", contains a browser and an internet/network connection as part of it. Do these things qualify as suitable for a purpose? In the EULA they claim they aren't, but on the box they sure say they are, else they wouldn't be called that. Which is it then, which is the one the customer really sees, what do they advertise on the box?
Do these products function? At best only intermittently. Is it suitable to use on the internet? Absolutely not, not as shipped they don't.
I honestly don't know if anyone has ever done it, who knows, maybe it would work. Do you have documentation for lost time, lost business, additional cost and expenses, etc? You'll need that paperwork as well.
Imagine a few hundred thousand small claims cases where Microsoft (someone to be determined obviously) had to show up and defend themselves, and without a lawyer with them. Would be a hoot!
Anyway, I think it's time: if software can be profited from, if software can be granted a patent as a product, it should be treated like any other product; it needs warranties like any other product has. Fewer releases, sure, probably happen. Better quality, most assuredly. I fail to see the problem in that. It would force PHBs and marketing weasels into doing what I see developers claim they want all the time anyway: not ship something until it's done.
Are any other meat space products "perfect"? Nope. But good enough that every other business seems to be able to deal with it. It's time the software "industry" got forced into legally growing up, IMO.
...the color scheme of it.slashdot.org.
http://shit.slashdot.org/article.pl?sid=04/09/14/
because thrashing Microsoft is more fun.
Ford, Bank of America, Kodak, Eastman Chemical, DuPont, GE, and other fortune 500 companies are not small and they get sued all the time for minor matters like this. But Microsoft doesn't.
...". Microsoft with its huge cash surplus can afford such resources. Were the companies that you list sued at their peak and did they settle or fight when they were at their peak? If they settled was it in the distant past before these nuisance lawsuits became a plague?
Were they settling nuisance lawsuits that would not have been won?
Size does not necessarily correlate with the ability to defend oneself. A large company can be in a very bad financial state and not have the necessary resources. Again, "When a company has enough resources, money or lawyers on staff,
Average laymen program transputers?
If you could make it work through the browser/email client. Embed something labelled as "kiddy pr0n" and then do something like email the IP address and a listing of JPG/avi/mpg files that aren't in temp internet files (I'm guessing some would have nice filenames indicating whether the person was actively a KP downloader or accidental).
No - to goatse.cx!
Here you go!
From Wikipedia:
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Porn makes my computer go blind
Table-ized A.I.
I'm just a Java programmer, but --- well, reading an "image" is just piping an input stream into a decoder object that would return a graphic object.
Nowhere in this process could I imagine anything that would necessitate executing any data that might be an instruction.
Read byte x, that is the red value for a specific pixel.. (I understand Jpeg is more complicated than this).. How could that "x" be a "format c:" DOS command?
-*-
hitting bottom never felt so good
Apparently they should have known about this, there's no other logical explanation for this :)
Anyway just goes to prove how underhanded MS really is . ("We already have a patch")
Quidquid latine dictum sit, altum videtur
Of course we think of things but it is never possible to think of every possible scenario when you are punching out applications with hundreds of thousands lines of code
Well you better damn well think of the possibility of overflowing the memory if you're writing any program, let alone a library function that is called by at least 10 of your most-used programs, and let alone a function that's probably less than fifteen lines long. I mean, overflowing the memory causes problems to the computer regardless of whether it's a virus or not.
A corrupt file should not take down the entire program. A corrupt file should display garbage or nothing at all.
Arrrr. RIAA "patched" my left eye, MPAA is out for the right.
Analogies don't equal equalities, they are merely somewhat analogous.
It is my first one. I hope you to like it.
I see .Net is affected, you can't really be safe from overflows when much of your system is based on a foundation with so many holes...
.Net, .Net seems to have similar security features, but a lot more of its library code is going to be vulnerable to things like this as it makes heavy use of OS features.
This brings up a very real point that Java is really more secure than
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I can't imagine running windows for anything important. It's like being in middle-school with a big "Kick Me" sign taped to your ass.
:-)
I think you are pretty close, except that the sign is taped in the front.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
There's an old bug in Win2K which allows a buffer overflow in the kernel via a suitable .BMP file.
There's a lossless compressed form of .BMP files called RLE, for run length encoding. For some stupid reason, there's a decompressor for these things inside the Win2K kernel. Malformed .BMP files can cause a buffer overflow and system crash. This could probably be exploited into an attack.
On a completely and totally unrelated topic, does anybody know where I can buy lots of banner ad space in bulk?
- A picture is worth a 1000 worms
I bet this vulnerability was discovered about the same time the similar BMP privilege escalation buffer overflow was discovered reading alleged Windows NT source code. "Gee, if BMP is handled so badly, let's attack JPEG, PNG, GIF, TIFF,-- @rjamestaylor on Ello
Isn't it a reasonable assumption, that MSFT is using open source JPEG libraries just like anyone else? Shouldn't we audit libjpeg now, just to be sure?
cpghost at Cordula's Web.
I always assumed it was a deliberate typo, much like the use of 'teh' instead of 'the'.
"If being a geek means being passionate about something, then I pity those who aren't geeks." - Pike65
And even then there would still be security flaws. I think the saying about bugs goes something like "Any non-trivial program has at least one bug."
Only if you define "non-trivial" as "buggy".
If you're willing to discard such notions as the "inevitability" of bugs then you can find that bug-free programs aren't that hard.
ouch.
Don't you know you can go blind?!
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
I didn't read the FA, but I doubt it would answer this question. Perhaps someone in the know might be able to answer. Why is the data segment executable in the first place? Seems to me that this would help avoid most of the "buffer overrun allowing arbitrary code to execute" problems. Non executable data segment means that you can only read and write. If you try to break the boundary of the data segment in an attempt to cross into the code segment...well, you get a GPF.
hahahahahah!
-73, de n1ywb
www.n1ywb.com
That's why he posted anonymously. He knows if he puts himself out there with a statement like that, it will take some slashdotter about .002 minutes to find a *cough gaping security hole in his code and start fucking with him.
It's not a lie. It's the truth with lossy compression.
Really, do you know if the JPEG decompression code in your favorite app or desktop is bug free? It's not so easy to write exploit free code for something like this without paying conscious effort to it, which is very rare in my experience. Consider that you need to range check just about all values and be very careful to make sure that some simple math which affects a pointer value is never used raw. Adding all of this to a JPEG decoder makes the code bulkier and makes it slower, which is why you don't see a lot of open source people rushing to do this. In fact, how many people run test suites on their image format decoders to ensure that they aren't exploitable? And if they do run test suites, how many people are really sure of the results? It's easy enough to have pointer overruns in C that go undetected, but can change critical values that affect other parts of the code. Scary.
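As an added example, not code from this thread or from any real decoder, here is a small C walker over a JPEG file's marker segments that does the range checking the comment above describes: every index is compared against the buffer size before use, and the 16-bit segment length (which counts its own two bytes) is rejected when it is below 2, so the "simple math" of len - 2 or pos + len never wraps. It also answers the earlier question of how image bytes can ever matter to control flow: a length field is plain data that the decoder turns into a pointer offset, so it must be validated like an instruction. The sample headers are hand-constructed byte arrays, not real files.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of validating a JPEG's marker segments. */
enum jpeg_status {
    JPEG_OK = 0,          /* reached SOS/EOI with every segment in bounds */
    JPEG_ERR_NOT_JPEG,    /* no SOI (FF D8) at the start */
    JPEG_ERR_TRUNCATED,   /* marker or length field runs past the buffer */
    JPEG_ERR_BAD_LENGTH,  /* length < 2: "len - 2" would wrap to a huge value */
    JPEG_ERR_OVERRUN,     /* segment claims more bytes than remain */
    JPEG_ERR_BAD_MARKER   /* byte after FF is not a marker code */
};

/* Walk the marker segments of a JPEG header, checking every index against
 * buf_len before it is used. nseg (may be NULL) receives the number of
 * length-bearing segments seen before SOS or EOI. */
enum jpeg_status jpeg_walk_segments(const uint8_t *buf, size_t buf_len, size_t *nseg)
{
    size_t pos, count = 0;

    if (buf_len < 2 || buf[0] != 0xFF || buf[1] != 0xD8)
        return JPEG_ERR_NOT_JPEG;
    pos = 2;

    for (;;) {
        uint8_t marker;
        size_t seg_len;

        if (pos + 2 > buf_len)                   /* need FF plus the marker byte */
            return JPEG_ERR_TRUNCATED;
        if (buf[pos] != 0xFF)
            return JPEG_ERR_BAD_MARKER;
        marker = buf[pos + 1];
        if (marker == 0xFF) { pos++; continue; } /* FF FF is legal fill */
        pos += 2;

        if (marker == 0xD9)                      /* EOI: end of image */
            break;
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7))
            continue;                            /* TEM / RSTn carry no length field */
        if (marker == 0x00)
            return JPEG_ERR_BAD_MARKER;          /* FF 00 is a stuffed byte, not a marker */

        if (pos + 2 > buf_len)                   /* need the two length bytes */
            return JPEG_ERR_TRUNCATED;
        seg_len = ((size_t)buf[pos] << 8) | buf[pos + 1];
        if (seg_len < 2)
            return JPEG_ERR_BAD_LENGTH;          /* reject before anyone computes seg_len - 2 */
        if (seg_len > buf_len - pos)
            return JPEG_ERR_OVERRUN;             /* pos + seg_len <= buf_len, written so it cannot wrap */

        /* Payload is buf[pos + 2 .. pos + seg_len); a real decoder parses it here. */
        pos += seg_len;
        count++;
        if (marker == 0xDA)                      /* SOS: entropy-coded data follows; header walk done */
            break;
    }
    if (nseg) *nseg = count;
    return JPEG_OK;
}

/* Number of length-bearing segments, or -1 if the header fails validation. */
long jpeg_segment_count(const uint8_t *buf, size_t buf_len)
{
    size_t n = 0;
    return jpeg_walk_segments(buf, buf_len, &n) == JPEG_OK ? (long)n : -1;
}

/* Constructed sample headers (hand-assembled bytes, not real files). */
static const uint8_t sample_good[] = {           /* SOI, APP0/JFIF, COM "hi", EOI */
    0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 'J', 'F', 'I', 'F', 0x00, 0x01, 0x01,
    0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0xFF, 0xFE, 0x00, 0x04, 'h', 'i',
    0xFF, 0xD9 };
static const uint8_t sample_bad_len[] = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x01, 0xFF, 0xD9 };       /* COM length 1 */
static const uint8_t sample_overrun[] = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x20, 'h', 'i', 0xFF, 0xD9 }; /* claims 32 bytes */
static const uint8_t sample_trunc[]   = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00 };                           /* cut mid-length */

int main(void)
{
    printf("good: status %d, %ld segments\n", jpeg_walk_segments(sample_good, sizeof sample_good, NULL),
           jpeg_segment_count(sample_good, sizeof sample_good));
    printf("bad length: %d\n", jpeg_walk_segments(sample_bad_len, sizeof sample_bad_len, NULL));
    printf("overrun: %d\n", jpeg_walk_segments(sample_overrun, sizeof sample_overrun, NULL));
    printf("truncated: %d\n", jpeg_walk_segments(sample_trunc, sizeof sample_trunc, NULL));
    return 0;
}
```

The same shape of check (length below the header's own size, or beyond the bytes that remain) is what a fuzzing harness for any image decoder should be driving at.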
So, one day long ago, Knuth is teaching a CS class, and gives an assignment. He provides a library the class can use for this coding assignment, but warned them (this is from memory so may not be verbatim, sorry): "By the way, be careful with this library. I have only proven it correct, not tested it."
What is the problem here?
:-)
Lets face it, there will always be a flaw in software. There are even flaws in hardware. The first Pentiums even had flaws. The Windows OS is a HUGE system used in countless environments. You can't expect there to be no flaws, especially when the entire hacking world is trying to bring down or compromise the system.
Could it be Windows?
What people don't get is that Windows is an all-in-one system. You can't compare it to, say, an IBM mainframe. These systems are designed mainly to do one or two jobs and are monitored by highly skilled system administrators whose job it is to protect these systems in the first place. In contrast, most Windows systems are administered by mom, dad and grandpa Felix.
Could it be DSL/Cable?
Broadband doesn't help any either. The amount of viruses produced and their intrusion success rate has increased since a lot of home computers are always connected to the outside world. Back in '82 viruses existed, but I never remember having to install virus software for my Apple IIe. Has the world changed?
Could it be Linux?
Then there is Linux. Linux is a great system, but again it is a MUCH simpler system compared to current Windows, has a much smaller install base and is obviously MUCH less hacked than Windows. Eventually, as this platform becomes more and more popular, you will begin to see more viruses written for it. I guarantee it.
No, the real problem here is UCC (Uneducated Consumer Computing). Dell, Gateway, Compaq, IBM. They all make it look so easy and pain-free to own a computer. Most people I meet on service calls don't even know what a virus is or even what spyware is, or that they can download free patches and programs like Spybot or Ad-Aware. Let me tell you, I've made more money installing and running Ad-Aware than anything else!! I'm sure you have too. Don't lie now!
And this trend won't go away either, regardless of OS or hardware. So get used to it. As long as UCC remains, we're all in for an earful of overzealous virus reporting by our wonderful, informative and helpful friends in the media. Besides, $60 for an installation of Ad-Aware doesn't hurt the wallet either, especially in this IT economy!
Oh and by the way, for all you non-believers...
http://www.infoworld.com/article/04/09/09/HNmorel
Note also that if you are running IE6 SP1 on *any* OS, you are vulnerable according to the bulletin.
I came to this conclusion eventually despite the fact that Windows 98, Me etc. are listed in as 'Non affected software'. I initially read this as meaning that whatever version of IE you had, you were *not* affected if you were on Win98 etc.
The bulletin should make this a lot clearer.
For people who only know MS products, using computers has become synonymous with getting digital virii/worms.
As a result, MS users have learned to live with security problems and virii/worms infections. I know some people who disable their firewall and AV software, so they can speed up their MS chat software (their 128 MB PC has become real slow after they installed XP Pro, but they blame the firewall I installed). :( .
They consider the then inevitable virii/worms infections as a part of life, and after all, it's somebody else who has to do the necessary reinstall of Windblows and apps.
I think it is best pronounced pohned, especially after killing someone in SSBM (Super Smash Bros. Melee).
Snowden and Manning are heroes.
Just got this in my email:
-- cut here --
Date: Wed, 15 Sep 2004 12:28:53 -0400
From: Matthias Clasen
Reply-To: fedora-list@redhat.com
To: fedora-announce-list@redhat.com
Subject: [SECURITY] Fedora Core 2 Update: gtk2-2.4.7-2.4
Fedora Update Notification
FEDORA-2004-289
2004-09-15
Product : Fedora Core 2
Name : gtk2
Version : 2.4.7
Release : 2.4
Summary : The GIMP ToolKit (GTK+), a library for creating GUIs for X.
Description
GTK+ is a multi-platform toolkit for creating graphical user interfaces. Offering a complete set of widgets, GTK+ is suitable for projects ranging from small one-off tools to complete application suites.
Update Information:
During testing of a previously fixed flaw in Qt (CAN-2004-0691), a flaw was discovered in the BMP image processor of gtk2. An attacker could create a carefully crafted BMP file which would cause an application to enter an infinite loop and not respond to user input when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0753 to this issue.
During a security audit Chris Evans discovered a stack and a heap overflow in the XPM image decoder. An attacker could create a carefully crafted XPM file which could cause an application linked with gtk2 to crash or possibly execute arbitrary code when the file was opened by a victim. (CAN-2004-0782, CAN-2004-0783)
Chris Evans also discovered an integer overflow in the ICO image decoder. An attacker could create a carefully crafted ICO file which could cause an application linked with gtk2 to crash when the file was opened by a victim. (CAN-2004-0788)
-- cut here --
So.. Blaming MS for writing insecure image decoders is a bit hypocritical, don't you think?
Follow your Euro bills at EBT
I've had that horrible image seared into my brain before.
... odd.
What I didn't realize was that wiki (and possibly others) have actually started documenting it and listing who they think it might be.
I find that rather
Lost at C:>. Found at C.
something is missing! where is the link to the microsoft's update page in the story paragraph?
Does /. believe in Windows users at all?
I urge you to put in the effort, and make the distinction between site-wide bias, and the bias of particular individuals. Yes, Slashdot as a whole is very biased against Microsoft. But individual Slashdotters must be judged on a case-by-case basis.
It's pointless to whine about the bias. It's like standing on a Florida beachfront screaming at the hurricane to "Turn back!"
I've finally learned that I have to use the "keep setup files" option and keep that huge pile of Office Setup Files around. Disk Clean-up always tries to get rid of them for me, but I have to keep them. I have the Office disks, but I keep everything packed away and it's a pain to dig them out. The reason they are needed, usually, is because of certain files that aren't needed any other time than during setup. Keeping the setup files on my PC keeps me from digging out the CDs for every service pack.
It's taken me how many years to figure this out? I wish someone would have explained this to me earlier.
The truth doesn't care what I think.
So, if even 'pwned' is insufficient to describe the level of ownership (e.g. in the year 2042, hacking their heads-up display contact lenses so an un-turn-off-able Goatse is tattooed across their eyeballs), would they then be considered qwned?
Caveat Emptor is not a business model.
OK first of all: I'm not a lawyer, but...
If you ride a bike on a highly transited street, you obviously expose yourself to some risks. So it's not the bike maker's fault.
*HOWEVER*, if it's a FACT that when you ride the bike you'll _ALWAYS_ end up going to that dangerous street, _AND_ the bike maker doesn't offer you either alternative bikes or roads, then you can be SURE that it's the bike maker's fault. Either by action or by negligence.
When companies signed a contract with Microsoft and bought their products and FORCE YOU to use Microsoft products (they signed the contract, not you), then you could sue either the company, or Microsoft. And when the WHOLE BUSINESS MODEL forces you to use Microsoft Products (i.e. Word),
_AND_ by using the software you expose yourself to loss of data, or money (like working at home for something job-related), then the risk is INEVITABLE.
The key here, is that Microsoft doesn't give you A CHOICE. So in practical terms, you are FORCED (read: coerced) to use their products. Isn't coercion something that can invalidate a contract (it can invalidate marriages for what I know)?
When you take a risk because you had no choice, you are indeed affected by the person who forced you to take that risk. I think bosses have already been sued because their employees were taking UNNECESSARY RISKS.
So, I think there IS a possibility to sue Microsoft. For property damage, of course.
Isn't this a perfect program written by a perfect programmer?
C:\>debug
-a 100
134C:0100 int 20
134C:0102
-nbak2dos.com
-rcx
CX 0000
-w
Writing 00002 bytes
-q
C:\>bak2dos
C:\>
Of course, this kind of perfection depends on Intel and Microsoft. It appears my 'do nothing' program does just that. If it doesn't, blame it on Intel and Microsoft.
Of course, according to Murphy's Law, anything that can go wrong will go wrong, either by accident, design, or (malicious) intent. Because of this, programmers (like me) should both code programs simply AND put themselves in the user's/bad guy's shoes and try to anticipate potential problems and add sufficient code to deal with them beforehand.
As a result of this approach to programming, I had to make 2 quick updates to my software some time ago to solve two problems rather than 'lots and lots' of updates--why force the users to be beta testers when you don't have to?
FACT: It is NOT easy to write worthwhile, non-trivial software....