Slashdot Mirror
Flaw in Microsoft JPEG Parsing
KDan writes "As reported by numerous sources, a new vulnerability has been disclosed (and patched) by Microsoft. This one concerns the parsing of JPEGs in XP Microsoft applications. A buffer overflow can be used to execute arbitrary code. So all those times you told your parents/friends that looking at images was safe - well, not anymore."
...you obviously never saw goatse...
Give me a job. Please?
If a small company releases a product and people get harmed the lawyers decend like a pack of wolves to sue them.
Why doesn't someone sue Microsoft? After all people sue companies all the time even if the product in question has warning labels.
(Glad I stuck with IE 5.01 sp3 on NT)
Man...talk about attack vectors. This would make a killer (as in bad) worm.
IM
Email
Browsers (probably several)
Anything....heck just copy exploit code to every accessible jpg file on a machine and/or network.
As usual, the writers of the "mitigating factors" section don't seem to have much imagination.
Remember the airpwn project? You could trojan/crack every unpatched machine on a wireless network who pulls up a web browser. And what about those folks who whacked interlands proxies to inject code? Just inject jpgs.
Does anyone know if this can be 'stealth' injected into a JPG (like some of those mp3 issues), or is it standalone exploit code?
The problem is not "forcing" people to open attachments, the problem has always been that people open attachments.
and i was always telling everyone from the start, download your porn in png format.
Marge, get me your address book, 4 beers, and my conversation hat.
...Everyone else uses libJPEG.
Any bets on how long it'll be until someone finds either a hole in the Microsoft PNG decoder or libJPEG? We've had holes in libPNG and Microsoft's JPEG decoder.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
I've been telling people for years "no, you can't get a virus from things like a JPEG picture. You're fine."
Now this. Considering how many bugs are reported in all version of MS software, it is entirely possible that there are PERSONAL bugs. "This one is for Charles. Let's fuck with him."
Sigh...
-Charles
Learning HOW to think is more important than learning WHAT to think.
The parent post has been flagged for violation of the "Anti Buzzword Use Act". Specific violation: use of the phrase "attack vector". Sanction: exile from use of any computer, writing utensil or paint brush for 10 years.
Call me old school, but remember back in the day when opening e-mail was ok, and that executable attachments were what we watched out for? Images were ok, MIDI files were ok, and a bit later, even MP3 files were ok.
Of course if the same codebase were used then, it NEVER was ok...but we sure thought things were juuuust fine.
Is this any way related to the leaked code that led to a vuln discovery regarding BMP files? I know it's a different format but seems like parsing image files spells some trouble.
there have been lots of image exploits put out there.
if memory serves there was even a png patch for linux this past summer.
gif exploits have been around for a while too.
the real worry here, as with most M$ security releases is how long they knew about it, and whether they waited until SP2 was released so they could say that their new software didn't have that vulnerability.
microsoft security department, we take orders from marketing!
---------
WAP software
They should forget about Internet Explorer and try thier hand on a different line of sofware...
The problem with socialism is that they always run out of other people's money. - Margaret Thatcher
Don't worry folks you can still get your pr0n with out getting a social dease...
www.asciipr0n.com
Who said looking at Pr0n was safe?
I like the phrase "no way to force users to visit a malicious Web site". How many users have image views enabled in their mail client? How hard would it be for a shady advertiser or a hacked advertiser to include a malicous JPEG as a banner ad?
The parent post has been flagged for violation of the "Anti Buzzword Use Act". Specific violation: use of the phrase "attack vector".
You're right, I should have said "Airpwn could leverage the synergies of this vulnerability and streamline the deployment...with or without interactive buy-in by stakeholders"
Seriously, if you're going to be cute about buzzwords, at least wait until someone uses a real buzzword..."attack vector" is a real term and hasn't reached convergence in the buzzword mindshare yet.
While normally I shrug off most Slashdot anti-MS FUD, I've got to admit, this one's going to be a huge pain in the ass to rollout.
Normally, I just read the whitepapers, run a test on a workstation then rollout a Windows update using the free SUS server. This one, I'm going to have to rollout the update (just for XP SP1 users), figure out an update plan for Office, figure out who actually uses those image programs, etc.
And here's a question: SP2 isn't affected. Why didn't they rollout this fix in SP1 *before* rolling out SP2, if they clearly knew it needed fixing. Most companies I know (mine included) are in the middle of testing SP2 migration plans. This adds another wrinkle to the whole process.
You don't allocate a buffer of fixed length unless you're lazy. You find out how long the input is, allocate a buffer big enough to fit then move the input to the buffer. When you're done you deallocate the buffer. Simple, safe and easy. I guess Micro$oft coders never learned how to practice safe hex.
Good, inexpensive web hosting
Microsoft made it possible.
When you assumed you couldn't get attacked by loading a web page?
Microsoft made it possible, too.
When you sweared you couldn't get infected just by receiving e-mail?
Microsoft made it possible, again.
And now, by the very same people who gave you all that...
The JPEG parser vulnerability!!!
God, this company has really brought innovation to the industry!
... at the horrendous software implementation errors that people are still making in this day and age. *There is no reason for buffer overflows to happen* . Every PC bought in the last five years (at least) is fast enough to bounds check every array / buffer access for all but the most performance-driven applications. Loading a JPEG from a stream is IO-bound enough for bounds checking to be negligible.
From what I read, I gather that buffer overflows account for a large portion of all platform vulnerabilties - Intel & AMD have even implemented a 'no execute' feature in their latest CPUs to go someway to counteract this. I see this as useful, but perhaps overkill - it is *simple* to avoid buffer overflows and the 'no execute' feature could potentially impede devlopment of programs that generate code on the fly (such as Java VMs). The low-level programmers that have been developing C for 20 years just need re-educating. Somebody should tell them computers run at more than 8mhz now...
(That last comment is not meant to be taken too seriously)
I Told You So.
BTW if you see this leave me a post, I haven't heard from you in 12 years and I don't know where you are.
Ohh man I hope the first virus/worm/trojan based on this has is named after an STD.
I was surfing porn and got herpies.
That would be soooo funny.
Paying taxes to buy civilization is like paying a hooker to buy love.
A buffer overflow can be used to execute arbitrary code
This sig no verb.
Is there anykind of a browser plug-in I could use to deciper steganographically enhanced JPEG images that might just come over plain old unsuspicious unencrypted http?
GIFs were evil, PNG support lacked transparency, now JPEGs can cause buffer overflows - I'd say that IE has an image problem... Excuse me while I just run away now.
"Provided by the management for your protection."
And that's just what happened. .NET Framework is heavily dependent on GDI+. Now you can use a managed software to hack the system.
If Yoda so strong in Force is, why words in right order he cannot put?
"There is no way for an attacker to force a user to open a malicious file."
This has got to be one of the stupidest things MS has ever said.
It's called spam!!!
99.999% of email programs and browsers automatically "open" images for viewing
We all get spam
the image can be a logo or something nonsuspicious
embedded in the email
So you only have to read the email
to get infected
So the next Anna Kournikova virus will actually be a picture of Anna Kournikova
On Microsoft products, porn screws YOU!
I hope now that png, mp3, and jpg decoders have had vulnerabilities people will be a little more careful in the future.
It isn't necessarily about being careful. If people were that careful about writing all their software, software would take ages to finish writing.
And even then there would still be security flaws. I think the saying about bugs goes something like "Any non-trivial program has at least one bug." I think the same could probably be said for security vulnerabilities.
Sure, we probably shouldn't be seeing buffer overflow exploits anymore considering the amount of attention they have gotten, but it isn't necessarily worth it to go back and review all your code just to find one type of vulnerability when others will be found eventually anyway.
GMail invites for completed freeipods.com of
Microsoft rates the flaw "important" for many of its products, but "critical" for Outlook versions 2002 and 2003, Internet Explorer 6 with Service Pack 1, Windows XP and Windows XP with Service Pack 1, Windows Server 2003, and the .Net Framework 1.0 with Service Pack 2 and .Net Framework 1.1, according to the Security Bulletin.
Isn't it interesting that when Microsoft is fighting court cases, Internet Explorer is consider "part of the operating system". But in this case they make the distinction between products, so that this flaw is "important" for one piece and "critical" for another.
It's clear to me that Windows, Office and other related Microsoft products are simply unrepairable. And I don't buy that arguement that it's because they've got the biggest market share that these problems are made known. If that's the case, then how come Apache with over 60% of the market and millions of installations is not fraught with as many defects as Microsoft products?
Solution: Microsoft has to open source their code. It will never happen, but they've proven beyond a shadow of a doubt that they can't fix their own code.
Ruby on Rails Screencast
Sp2 is not affected. It smells like the new compiler switch avoided the flaw. One more reason to install SP2 to your friends & parents...
Nothing has changed in the way applications are programmed that now allows this to happen. What has happened is that people have just become more skilled in manupulating such situations. The possibilities were always there, it's just been more recent that people have been able to take advantage of them - and made such errors more visible.
"You know your god is man-made when he hates all the same people you do."
He doesn't want to know. He's looking for a Todd Walters.
:-)
Nice try for a troll, but you might want to spell your own name correctly next time....
first of all that article talks about a specific implementation of LHA (LHA is an old compression alg that i don't think anyone uses anymore), and imlib and as the article says its ALREADY FIXED, just upgrade imlib and unlha
and neither of these are linux, linux is the kernel.
So you really think it's that simple ?
Your code is probably full of security holes, just like everybody's, and the fact that you think it's so simple is a clear evidence...
Look, even Knuth was so certain that his code could not possibly be bugged that he promised a prize for the persons who would find bugs. And still, some were found. And we are talking about a program that was mathematically provable, and made by the living god of computer science, damnit !
And you think that your code, which is sitting on dozens of layers speaking to each others in your back, and made with a high level language, cannot possibly have an unknow bug which could cause a security hole ?
If so, then you're a security hole yourself.
Ford, Bank of America, Kodak, Eastman Chemical, DuPont, GE, and other fortune 500 companies are not small and they get sued all the time for minor matters like this. But Microsoft doesn't.
It's just something to think about. (Like the settle out of court and no one knows about the settlements.)
Lets face it ... If the open source community cannot even parse simple PNGS without leaving a security hole why the hell do they claim to be better than Microsoft ?
If you actually knew what you're talking about, you'd know that the JPEG format is definitely not the easiest file format to support, and you'd also know that coding mistakes can happen everywhere, as witnessed daily in the open source community.
So instead of going on an unjustified rant against MS because of something that happen daily everywhere, just chill out.
This is real nasty. It looks like most versions of office as well as MS Works since 2000 are affected. See the Security Bulletin Any random word document with an infected embeded jpg is a transfer vector.
Watch out for next week's critical flaw in MS Hello World.
On a completely and totally unrelated topic, does anybody know where I can buy lots of banner ad space in bulk?