Flaw in Microsoft JPEG Parsing
KDan writes "As reported by numerous sources, a new vulnerability has been disclosed (and patched) by Microsoft. This one concerns the parsing of JPEGs in XP Microsoft applications. A buffer overflow can be used to execute arbitrary code. So all those times you told your parents/friends that looking at images was safe - well, not anymore."
...you obviously never saw goatse...
Give me a job. Please?
If a small company releases a product and people get harmed, the lawyers descend like a pack of wolves to sue them.
Why doesn't someone sue Microsoft? After all people sue companies all the time even if the product in question has warning labels.
(Glad I stuck with IE 5.01 sp3 on NT)
Man...talk about attack vectors. This would make a killer (as in bad) worm.
IM
Email
Browsers (probably several)
Anything... heck, just copy exploit code to every accessible jpg file on a machine and/or network.
As usual, the writers of the "mitigating factors" section don't seem to have much imagination.
Remember the airpwn project? You could trojan/crack every unpatched machine on a wireless network that pulls up a web browser. And what about those folks who whacked Interland's proxies to inject code? Just inject jpgs.
Does anyone know if this can be 'stealth' injected into a JPG (like some of those mp3 issues), or is it standalone exploit code?
The problem is not "forcing" people to open attachments, the problem has always been that people open attachments.
Are not affected, unless they have Office installed.
And I was always telling everyone from the start, download your porn in PNG format.
Marge, get me your address book, 4 beers, and my conversation hat.
...Everyone else uses libJPEG.
Any bets on how long it'll be until someone finds either a hole in the Microsoft PNG decoder or libJPEG? We've had holes in libPNG and Microsoft's JPEG decoder.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
I've been telling people for years "no, you can't get a virus from things like a JPEG picture. You're fine."
Now this. Considering how many bugs are reported in all versions of MS software, it is entirely possible that there are PERSONAL bugs. "This one is for Charles. Let's fuck with him."
Sigh...
-Charles
Learning HOW to think is more important than learning WHAT to think.
The parent post has been flagged for violation of the "Anti Buzzword Use Act". Specific violation: use of the phrase "attack vector". Sanction: exile from use of any computer, writing utensil or paint brush for 10 years.
Call me old school, but remember back in the day when opening e-mail was ok, and that executable attachments were what we watched out for? Images were ok, MIDI files were ok, and a bit later, even MP3 files were ok.
Of course if the same codebase were used then, it NEVER was ok...but we sure thought things were juuuust fine.
Is this in any way related to the leaked code that led to a vuln discovery regarding BMP files? I know it's a different format, but it seems like parsing image files spells some trouble.
There have been lots of image exploits put out there.
If memory serves there was even a PNG patch for Linux this past summer.
GIF exploits have been around for a while too.
The real worry here, as with most M$ security releases, is how long they knew about it, and whether they waited until SP2 was released so they could say that their new software didn't have that vulnerability.
Microsoft security department: we take orders from marketing!
---------
WAP software
They should forget about Internet Explorer and try their hand at a different line of software...
The problem with socialism is that they always run out of other people's money. - Margaret Thatcher
Don't worry folks, you can still get your pr0n without getting a social disease...
www.asciipr0n.com
Who said looking at Pr0n was safe?
I like the phrase "no way to force users to visit a malicious Web site". How many users have image viewing enabled in their mail client? How hard would it be for a shady advertiser or a hacked advertiser to include a malicious JPEG as a banner ad?
pfft...maybe now they'll fully support AOL's .art files. Serves them right.
*ducks*
If you think
The parent post has been flagged for violation of the "Anti Buzzword Use Act". Specific violation: use of the phrase "attack vector".
You're right, I should have said "Airpwn could leverage the synergies of this vulnerability and streamline the deployment...with or without interactive buy-in by stakeholders"
Seriously, if you're going to be cute about buzzwords, at least wait until someone uses a real buzzword..."attack vector" is a real term and hasn't reached convergence in the buzzword mindshare yet.
While normally I shrug off most Slashdot anti-MS FUD, I've got to admit, this one's going to be a huge pain in the ass to rollout.
Normally, I just read the whitepapers, run a test on a workstation, then roll out a Windows update using the free SUS server. This one, I'm going to have to roll out the update (just for XP SP1 users), figure out an update plan for Office, figure out who actually uses those image programs, etc.
And here's a question: SP2 isn't affected. Why didn't they roll out this fix in SP1 *before* rolling out SP2, if they clearly knew it needed fixing? Most companies I know (mine included) are in the middle of testing SP2 migration plans. This adds another wrinkle to the whole process.
Sounds like you've got adware... Is this on IE? If so, then nothing's off-limits; if not IE, then that's just weird...
This comment does not represent the views or opinions of the user.
You don't allocate a buffer of fixed length unless you're lazy. You find out how long the input is, allocate a buffer big enough to fit then move the input to the buffer. When you're done you deallocate the buffer. Simple, safe and easy. I guess Micro$oft coders never learned how to practice safe hex.
Good, inexpensive web hosting
Microsoft made it possible.
When you assumed you couldn't get attacked by loading a web page?
Microsoft made it possible, too.
When you swore you couldn't get infected just by receiving e-mail?
Microsoft made it possible, again.
And now, by the very same people who gave you all that...
The JPEG parser vulnerability!!!
God, this company has really brought innovation to the industry!
Before you get too high and mighty, check this article from just 4 days ago.
... at the horrendous software implementation errors that people are still making in this day and age. *There is no reason for buffer overflows to happen*. Every PC bought in the last five years (at least) is fast enough to bounds check every array / buffer access for all but the most performance-driven applications. Loading a JPEG from a stream is IO-bound enough for bounds checking to be negligible.
From what I read, I gather that buffer overflows account for a large portion of all platform vulnerabilities - Intel & AMD have even implemented a 'no execute' feature in their latest CPUs to go some way to counteract this. I see this as useful, but perhaps overkill - it is *simple* to avoid buffer overflows, and the 'no execute' feature could potentially impede development of programs that generate code on the fly (such as Java VMs). The low-level programmers that have been developing in C for 20 years just need re-educating. Somebody should tell them computers run at more than 8 MHz now...
(That last comment is not meant to be taken too seriously)
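The length-checked parsing that this post and the earlier "find out how long the input is, allocate a buffer big enough" comment argue for, as an added C example that is not code from this thread or from Microsoft: it walks the marker segments of a JPEG header (FF marker, then a 2-byte big-endian length that counts itself, as the JPEG format specifies), validates every declared length against the bytes actually received, and only then allocates and copies. The function and error-code names and the sample byte strings are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Result codes for the segment walker (names and values chosen for this example). */
enum {
    JPEG_ERR_SOI   = -1,  /* stream does not start with the SOI marker FF D8 */
    JPEG_ERR_SHORT = -2,  /* stream ends inside a marker or length field */
    JPEG_ERR_LEN   = -3,  /* declared segment length does not fit the data */
    JPEG_ERR_NOMEM = -4
};

/*
 * Walk the marker segments that precede Start Of Scan (FF DA) or End Of
 * Image (FF D9). Each segment after SOI carries a 2-byte big-endian length
 * that counts itself, so the payload is (length - 2) bytes. Nothing in the
 * file is trusted: the length must be >= 2 (otherwise the subtraction wraps)
 * and the payload must lie inside the 'len' bytes we were handed. The first
 * COM (FF FE) segment is copied into a NUL-terminated buffer allocated from
 * the *validated* length, never into a fixed-size array; the caller frees it.
 * Returns the number of segments walked, or a negative error code.
 */
int jpeg_walk_segments(const uint8_t *buf, size_t len, char **comment_out)
{
    size_t pos;
    int count = 0;

    if (comment_out) *comment_out = NULL;
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8) return JPEG_ERR_SOI;
    pos = 2;

    for (;;) {
        uint8_t marker;
        size_t seglen, payload;

        if (len - pos < 2) return JPEG_ERR_SHORT;       /* need FF xx */
        if (buf[pos] != 0xFF) return JPEG_ERR_LEN;      /* lost marker sync */
        marker = buf[pos + 1];
        pos += 2;

        if (marker == 0xDA || marker == 0xD9) return count;
        /* RSTn (D0-D7) and TEM (01) are stand-alone markers with no length field. */
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7)) { count++; continue; }

        if (len - pos < 2) return JPEG_ERR_SHORT;       /* need the length field */
        seglen = ((size_t)buf[pos] << 8) | buf[pos + 1];
        if (seglen < 2) return JPEG_ERR_LEN;            /* guard the subtraction */
        payload = seglen - 2;
        if (payload > len - pos - 2) return JPEG_ERR_LEN; /* guard the copy */

        if (marker == 0xFE && comment_out && *comment_out == NULL) {
            char *c = malloc(payload + 1);              /* sized from the checked length */
            if (!c) return JPEG_ERR_NOMEM;
            memcpy(c, buf + pos + 2, payload);
            c[payload] = '\0';
            *comment_out = c;
        }
        pos += seglen;
        count++;
    }
}

/* Constructed sample streams (not real files): one well-formed header, three malformed. */
static const uint8_t kGood[] = {
    0xFF, 0xD8,                                        /* SOI */
    0xFF, 0xE0, 0x00, 0x04, 'J', 'F',                  /* APP0, length 4 -> 2-byte payload */
    0xFF, 0xFE, 0x00, 0x07, 'h', 'e', 'l', 'l', 'o',   /* COM, length 7 -> "hello" */
    0xFF, 0xDA                                         /* SOS: stop here */
};
static const uint8_t kLenTooSmall[] = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x01, 0xFF, 0xDA };
static const uint8_t kLenTooLarge[] = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0xFF, 'A' };
static const uint8_t kTruncated[]   = { 0xFF, 0xD8, 0xFF };

/* Returns 1 if the good stream yields two segments and the comment "hello". */
int good_stream_parses(void)
{
    char *comment = NULL;
    int n = jpeg_walk_segments(kGood, sizeof kGood, &comment);
    int ok = (n == 2 && comment != NULL && strcmp(comment, "hello") == 0);
    free(comment);
    return ok;
}
```

The three malformed streams exercise the three checks separately: a length below 2, a length that overruns the input, and a stream cut off inside a marker.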
I Told You So.
BTW if you see this leave me a post, I haven't heard from you in 12 years and I don't know where you are.
Oh man, I hope the first virus/worm/trojan based on this is named after an STD.
I was surfing porn and got herpes.
That would be soooo funny.
Paying taxes to buy civilization is like paying a hooker to buy love.
A buffer overflow can be used to execute arbitrary code
This sig no verb.
Is there any kind of a browser plug-in I could use to decipher steganographically enhanced JPEG images that might just come over plain old unsuspicious unencrypted HTTP?
GIFs were evil, PNG support lacked transparency, now JPEGs can cause buffer overflows - I'd say that IE has an image problem... Excuse me while I just run away now.
"Provided by the management for your protection."
And that's just what happened. .NET Framework is heavily dependent on GDI+. Now you can use managed software to hack the system.
If Yoda so strong in Force is, why words in right order he cannot put?
"There is no way for an attacker to force a user to open a malicious file."
This has got to be one of the stupidest things MS has ever said.
It's called spam!!!
99.999% of email programs and browsers automatically "open" images for viewing
We all get spam
the image can be a logo or something nonsuspicious
embedded in the email
So you only have to read the email
to get infected
So the next Anna Kournikova virus will actually be a picture of Anna Kournikova
On Microsoft products, porn screws YOU!
I hope now that png, mp3, and jpg decoders have had vulnerabilities people will be a little more careful in the future.
It isn't necessarily about being careful. If people were that careful about writing all their software, software would take ages to finish writing.
And even then there would still be security flaws. I think the saying about bugs goes something like "Any non-trivial program has at least one bug." I think the same could probably be said for security vulnerabilities.
Sure, we probably shouldn't be seeing buffer overflow exploits anymore considering the amount of attention they have gotten, but it isn't necessarily worth it to go back and review all your code just to find one type of vulnerability when others will be found eventually anyway.
GMail invites for completed freeipods.com of
A while ago, there was a source leak and someone found a vulnerability in the BMP shell. Is this related to the same thing?
A NYC lawyer blogs. http://www.chuangblog.com/
If you've got SP2 and an AMD64 chip, this is one great reason to use the no execute bit. I'll assume GDI+ won't mark picture data as executable.
Microsoft rates the flaw "important" for many of its products, but "critical" for Outlook versions 2002 and 2003, Internet Explorer 6 with Service Pack 1, Windows XP and Windows XP with Service Pack 1, Windows Server 2003, and the .Net Framework 1.0 with Service Pack 2 and .Net Framework 1.1, according to the Security Bulletin.
Isn't it interesting that when Microsoft is fighting court cases, Internet Explorer is considered "part of the operating system". But in this case they make the distinction between products, so that this flaw is "important" for one piece and "critical" for another.
It's clear to me that Windows, Office and other related Microsoft products are simply unrepairable. And I don't buy the argument that it's because they've got the biggest market share that these problems are made known. If that's the case, then how come Apache, with over 60% of the market and millions of installations, is not fraught with as many defects as Microsoft products?
Solution: Microsoft has to open source their code. It will never happen, but they've proven beyond a shadow of a doubt that they can't fix their own code.
Ruby on Rails Screencast
SP2 is not affected. It smells like the new compiler switch avoided the flaw. One more reason to install SP2 for your friends & parents...
"No program is perfect,"
They said with a shrug.
"The client is happy!
What's one little bug?"
But he was determined.
The others went home.
He dug out the flowchart,
Deserted, alone.
Night passed into morning.
The room was cluttered
With memory dumps, microfiche...
"I'm close!" he muttered.
Chain smoking, cold coffee,
Logic, deduction...
"I've got it!" he cried.
"Just change one instruction!"
Then change two. Then three.
As year followed year,
Strangers would comment,
"Is that guy still here?"
He died at the console
Of hunger and thirst.
Next day he was buried
Face down, nine edge first.
His wife, through her tears,
Accepted his fate,
Saying, "He's not really gone -
He's just working late."
Nothing has changed in the way applications are programmed that now allows this to happen. What has happened is that people have just become more skilled in manipulating such situations. The possibilities were always there; it's just been more recently that people have been able to take advantage of them - and made such errors more visible.
"You know your god is man-made when he hates all the same people you do."
He doesn't want to know. He's looking for a Todd Walters.
:-)
Nice try for a troll, but you might want to spell your own name correctly next time....
I haven't run Windows at home for 2 years, but I still have to talk to my mom and her neighbors 1000 miles away because they have Dells with XP! Regardless of what I've done from here, their machines just get overrun with viruses or trojans. I've installed Spybot, they have McAfee running (supposedly), and now this.
I really wish my mom would get broadband so I could install/admin linux from here.
BC
free ipod and free gmail!
Microsoft Security Bulletins RSS feed, to receive notifications of new patches ASAP
MBSA and HFNetChk, automated tools to check if your system is up to date (see also the qfecheck command to check the status of installed patches)
Windows Update: analyze and update your system from a web page
Microsoft Systems Management Server (prices and licensing), a solution for the management of Windows networks. Comes with support for automated deploying of patches
Make a difference - use Windows! (open source clone of Windows NT)
http://www.microsoft.com/security/bulletins/200409_jpeg_tool.mspx
First of all, that article talks about a specific implementation of LHA (LHA is an old compression algorithm that I don't think anyone uses anymore) and imlib, and as the article says it's ALREADY FIXED; just upgrade imlib and unlha.
And neither of these is Linux; Linux is the kernel.
So you really think it's that simple?
Your code is probably full of security holes, just like everybody's, and the fact that you think it's so simple is clear evidence...
Look, even Knuth was so certain that his code could not possibly be bugged that he promised a prize for the persons who would find bugs. And still, some were found. And we are talking about a program that was mathematically provable, and made by the living god of computer science, damnit!
And you think that your code, which is sitting on dozens of layers speaking to each other behind your back, and made with a high level language, cannot possibly have an unknown bug which could cause a security hole?
If so, then you're a security hole yourself.
"Nine edge" is the bottom of an IBM punchcard. Had to load them "face down, nine edge first" into the reader...
Well, I disagree somewhat. There are things that have changed in the way applications are developed today vs. the way they were developed prior to the advent of sophisticated GUI-based operating systems. We depend on ever more complicated development tools over which we have less and less control. No matter how carefully we craft our own code, it doesn't make any difference in the end: we're totally dependent upon the work of thousands of other programmers, any one of whom may have left a hole.
Ultimately, I think it's really a result of extreme code bloat resulting from a market-driven approach to software development. When you get right down to it, from a productivity standpoint (and I don't mean watching videos and playing games) people do pretty much the same things with their computers today as they did a decade or more ago. But given the heavy emphasis by Microsoft (and others) on adding features to make each software generation more "advanced" and hence more marketable, operating system and application complexity is now orders of magnitude greater than it was just a few short years ago. This just provides room for a. more mistakes to be made and b. more opportunities to exploit said mistakes.
There have always been people willing and able to turn vulnerabilities into exploits, but prior to the opening of the Internet it was difficult to deliver an exploit to a target. Yes, people did propagate virii via floppy disks and shareware, but it was a painfully inefficient process. Nowadays, the Internet connects every one of those bastards to every one of us.
The higher the technology, the sharper that two-edged sword.
Some versions of the .NET framework are vulnerable too. Talk about multiple attack vectors!
Note that you may have to patch SEVERAL Microsoft products. (E.g., you need separate updates for IE6 SP1, VS.NET 2003, Office 2003...)
Note also that if you are running IE6 SP1 on *any* OS, you are vulnerable according to the bulletin.
Avoid messy Windows and Office Updates and get what you need directly...
http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
...knowing that my mail client doesn't even load images -- it just strips down all that HTML mess to plaintext. I never trusted pretty emails.
Honestly, looking at something like emails -- what does all this "metadata" add that isn't available from plain text information content? Want a hyperlink? Spell out its URL. Want some lines? Play around with hyphens. It's really not so bad, and so, so much less dangerous.
(See the link in the parent post.)
My first thought was that Time was exposing that Microsoft is behind/inside/running the US government.
Then I read the captions, and it's just something about how our borders are still open. Yeah, we're still the free country. No, our fight against terrorism is losing. Yay, we still have rights. No, we want the government to take those rights away. Yay, bring us your poor and tired, or at least they will be once they start working our overtime crazy schedules. No, I am not reading Time magazine to discover how they slanted it; I'd rather read Slantdot.
But watch out! That image of the magazine cover is a JPEG. Time magazine could be taking over your computer. (Pretending that anybody reading Slashdot is still using MSInternetExplorer.)
I spend my life entertaining my brain.
Ford, Bank of America, Kodak, Eastman Chemical, DuPont, GE, and other Fortune 500 companies are not small and they get sued all the time for minor matters like this. But Microsoft doesn't.
It's just something to think about. (Like the settle out of court and no one knows about the settlements.)
This happens to you when you don't pay the appropriate licensing fees!
Real Programmers do make mistakes. However, they don't ship code with great big galloping bugs that a quick code review or many many code analysis tools could have found.
In Knuth's case, he didn't say "I bet $100,000,000,000 that nobody can find a bug!". He created an incentive for people to review his code for bugs. There's a big difference.
LRC, the best-read libertarian site on the web
Let's face it ... If the open source community cannot even parse simple PNGs without leaving a security hole, why the hell do they claim to be better than Microsoft?
If you actually knew what you're talking about, you'd know that the JPEG format is definitely not the easiest file format to support, and you'd also know that coding mistakes can happen everywhere, as witnessed daily in the open source community.
So instead of going on an unjustified rant against MS because of something that happens daily everywhere, just chill out.
This is real nasty. It looks like most versions of Office as well as MS Works since 2000 are affected. See the Security Bulletin. Any random Word document with an infected embedded jpg is a transfer vector.
Performance rating - MS Windows:
Listen to music: insecure
+ Look at pictures: insecure
+ Read a document: insecure
= Keep Windows on: insecure
If there is no use for Windows anymore, then the remedy is: no windows - only doors and walls please. Close Windows.
Watch out for next week's critical flaw in MS Hello World.
Next vulnerable file format is ASCII text file
...small claims court? Cost you maybe 25 clams or something in filing fees, and no one can have a lawyer in court. Challenge the dang EULA if you want. I think one way a challenge could come from is that you can't sign a contract that gives up any of your rights, so the contract becomes null. Challenge even if you are just renting the software to use it: it says on the box "operating system", contains a browser and an internet/network connection as part of it. Do these things qualify as suitable for a purpose? In the EULA they claim they aren't, but on the box they sure say they are, else they wouldn't be called that. Which is it then, which is the one the customer really sees, what do they advertise on the box?
Do these products function? At best only intermittently. Is it suitable to use on the internet? Absolutely not, not as shipped they don't.
I honestly don't know if anyone has ever done it, who knows, maybe it would work. Do you have documentation for lost time, lost business, additional cost and expenses, etc? You'll need that paperwork as well.
Imagine a few hundred thousand small claims cases where Microsoft (someone to be determined obviously) had to show up and defend themselves, and without a lawyer with them. Would be a hoot!
Anyway, I think it's time: if software can be profited from, if software can be granted a patent as a product, it should be treated like any other product; it needs warranties like any other product has. Fewer releases? Sure, probably happen. Better quality? Most assuredly. I fail to see the problem in that. It would force PHBs and marketing weasels into doing what I see developers claim they want all the time anyway: not ship something until it's done.
Are any other meat space products "perfect"? Nope. But good enough that every other business seems to be able to deal with it. It's time the software "industry" got forced into legally growing up, IMO.
No - to goatse.cx!
Here you go!
From Wikipedia:
WARNING! All of these addresses lead directly to the pornographic image described above.
The website is available from at least six other locations, all of which are still up:
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
On a completely and totally unrelated topic, does anybody know where I can buy lots of banner ad space in bulk?
Isn't it a reasonable assumption, that MSFT is using open source JPEG libraries just like anyone else? Shouldn't we audit libjpeg now, just to be sure?
cpghost at Cordula's Web.