Public Exploit For Windows JPEG Bug
Khoo writes "A sample program hit the Internet on Wednesday, showing by example how malicious coders could compromise Windows computers by using a flaw in the handling of a widespread graphics format by Microsoft's software. Security professionals expect the release of the program to herald a new round of attacks by viruses and Trojan horses incorporating the code to circumvent security on Windows computers that have not been updated. The flaw, in the way Microsoft's software processes JPEG graphics, could allow a program to take control of a victim's computer when the user opens a JPEG file." We mentioned this earlier.
I knew there was something wrong with Goatse when I saw it!
Now, to convince my company's managers to switch their userbase to Firefox, I just need it to support Sso (Single sign-on), please, tell us it's coming otherwise we'll keep using this tyrabrowsaurus...
Trolling using another account since 2005.
The patch for this one is already out. Furthermore, SP2 systems do not have this vulnerability unless Office is installed. SP2 by default has auto-updates enabled. And for Office to be exploited in a SP2 system, the user has to open the file manually.
Code is always buggy. Even Firefox had a JPEG vulnerability of its own. This is dumb ownership, if this bug becomes prevalent.
A NYC lawyer blogs. http://www.chuangblog.com/
What about the vuln. in the PNG libs? Any exploit in the wild?
cpghost at Cordula's Web.
The biggest problem here is when spammers use this in their opt-out link. This would probably be much more effective than the scrollbar hack they are using now. It just has to render the damn page, and wham, you're infected.
No. And neither should you.
... when reading stories like this on my desktop computers, one of which is a Linux, the other of which is a Mac OS X ...
... but I have a strong suspicion that, even if they had as wide a user base as Windows, they'd still be more secure. The level of polish and craftsmanship of open source software (recall OS X's open source roots) can never be duplicated by Microsoft's paranoid and closed-doors efforts.
Sure, they're not immune from security holes, exploits of various kinds, viruses and what-not
...because I have not seen this mentioned at all.
Is the JPEG rendering in Firefox running on Windows independent of any underlying MS library and is therefore not affected?
On November 5 1999 we had the "Burn all GIFs" day because of patent issues. Shall we announce a "Burn all JPEGs" day because of Microsoft security issues now and switch all to PNG?
Damn. Now in addition to worrying about going blind I also have to worry about catching something.
What's all this stuff in the related links?
. Bug whitepapers
. Best deals: Bug
. More Bug stories
. Security whitepapers
. Best deals: Security
. More Security stories
. Windows whitepapers
. Best deals: Windows
. More Windows stories
. Microsoft whitepapers
. Best deals: Microsoft
When did that start happening?
Get your own free personal location tracker
Can you elaborate on the single sign-on function you want? I can imagine what single sign-on is in relation to a file server, but I'm not sure how a browser would use this.
These early POC exploits are covered in today's ISC Diary. Note that now there is a script to generate images to add an Admin level user (username "X").
:-/
Not too long until we see a remote shell.
Some people are talking about seeing it used in an MSN Messenger worm.
The hard part about patching this one is that a lot of third party software may overwrite the Windows JPEG GDI library with its own older version
---- join dshield.org Distributed Intrusion Detec
So much noise about an ordinary Windows insecurity...
.NET core is Microsoft's last chance to correct its public image as the 'most insecure software vendor'.
IMHO, Longhorn with
Another question: when will Longhorn be out before Duke Nukem Forever?
Does that mean when you watch porn on the Web it is not safe sex anymore? Damn it!!!
Well, no more JPEG porn for windows users. Good thing there's more than enough naughty movie stuff out there. But what if Windows Media Player has another security flaw? No more porn at all?
www.weberseite.at
..hooray! Another good reason to stay away from XP.
Pick your OS and download it here
:)
Also, if you have SP2 or uh, don't use MS software, you're fine
I'm a minister!
And it actually works fairly well. It scans for any program that reads these files and makes sure they don't have the bug in them. If it can't patch them, it bugs you about it so you can find a fix for the app. Only Microsoft apps of course, I don't think Adobe wants Microsoft pushing out software updates for them.
Most of the users I have to support aren't savvy enough to add a printer (omg, with active directory it's like 3 mouse clicks) or install software or apply updates (we use some banking software and it notifies you with a text box to click "OK" and then "File, Update" but I still get called on it every time). That's why at our offices we use Microsoft System Update Server (SUS). It lets us approve patches and then roll them out to all the clients in the domain automagically.
I shudder to think what would happen if I tried to roll out firefox or mozilla to everyone. I'd probably get calls that their "e" was missing and they couldn't connect to the internet. I swear, some people just shouldn't be on computers.
This article has recently been linked from Slashdot. Please keep an eye on the page history for errors or vandalism.
Pick your OS and download it here!
Of course here, is this place --> here
I knew that preview button was good for something
I'm a minister!
...or else I can't enjoy downloaded ..khm.. educational .. clips at the workplace.
Yeah, free Ipod! He is innocent!
Have a look before it gets slashdotted: http://sylvana.net/test/AP4.jpg
maybe this'll finally be the 2x4 that gets the attention of all those microserfs ;-)
about a year or so back there was a Slashdot story about, I think, McAfee researchers talking about viruses being transmitted over images. Everyone called it stupid market speak from a firm trying to sell more AV products by scaring people with something that is not possible. I think we all need to offer them an apology. I think this is a bizarre parallel to when people used to joke about email viruses way back in the mid 90s. Kind of sad that it is real now. It will be even more so when images are used for exploits too. Though, I suspect those at most risk are those that go to websites looking for lots of images...
The war with islam is a war on the beast
The war on terror is a war for peace
This bug exists in most Microsoft Software. So for someone to patch they can't simply connect to Windows Update and consider themselves safe, they also have to patch Office, Visual Studio, some Microsoft Games, Server Software (misc, not covered by Update) and more.
So don't sit there on an SP2 system and consider yourself safe. There is more than likely a whole host of ActiveX controls just waiting to be called and exploited by this bug.
Also note that some applications written in Visual Basic can also be exploited.
Is there a tool to process jpg files searching for malicious content?
Just imagine all the malicious porn pictures that will be circulating the internet forever. Upside is that there is more free porn ;)
... where we all download IEradicator or the appropriate litepc for our OS, and simultaneously eradicate the trash from our computers.
(www.litepc.com)
You can make a big fucking quilt with all those patches they keep giving out!
I can't use SP2. It does really bad things to my 2 XP boxes. ...which both have Office installed.
Until now, I've always conscientiously applied patches and safe practices to my Windows boxes.
Now I'm between a rock and a hard place.
Really? It loads pages faster for me. Sure, the initial start up time is worse, but...
:P
Just because you took his comment out of context doesn't mean he's a troll.
Indeed.
Instead of a nice howto on inserting stuff into jpgs I got a lame news story.
Now, where is the stuff that matters?
Everyone knows that you can be infected having sexual intercourse, however, that you now can even be infected by just looking at porn is rather sad I have to say.
OK - I apologise for my comment..
I'd like our company to switch to Firefox as in my own, personal, valueless opinion and experience, I find it to be faster at rendering pages and less likely to crash than Internet Explorer. But this is purely my own opinion and experience, and results may vary. No animals were harmed in the making of this comment.
--- Band: Joey Ultra
M$ release SP2 for XP. People resist installing because they hear it can screw things up etc., so they delay installing. M$ announce a new flaw with sample code in the wild, and show how every O/S they have (practically) is susceptible EXCEPT XP SP2. ...? Funny order of events, no?
Visit London Scalextric Club
This is going to wreak havoc when it's combined with spam. People that haven't patched, I'm sure, will also open all of their mail messages with images displayed automatically.
Everyone knew it was a backdoor.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
http://sylvana.net/test/AP4.jpg
will crash IE on an updated xp sp2 system.
Microsoft themselves have even acknowledged "that commercial quality can be achieved / exceeded by OSS projects." See Halloween I
JPG and other image file exploits the same and similar to this have been around for a long time. One easy way to hide a document or application was to send it like a jpg and then you could decode it if you were the correct party... otherwise it looked like a jpg and that's it.
||| I still can't believe Parkay's not butter.
You know, it might be worthwhile to write things like libjpeg in safe languages.
OCaml is pretty fast, but I realize that not everyone wants the runtime. How about Cyclone? It's an extended version of C that's backwards compatible with C, but can pick up unsafe errors at compile time -- sounds pretty much like what folks might want.
May we never see th
I don't see a link to the sample exploit in the article...
well, here is one link.
.sig: No such file or directory
I am running XP SP2, I have installed every update for this bug that Microsoft has put out, yet when I scan my PC the Microsoft-provided scanner tells me that I am still open to an attack. That is just one PC; imagine a corp with 1000s of computers. Bottom line is Microsoft has not provided an easy Windows Update way to patch this, so most end users (read: your mom, dad, grandparents) are not going to be patched and are going to get wtfpwnd by the first worm that exploits this.
How long before some bug starts rampaging the internet because of the vulnerability in windows?
Two weeks... less?
Batten down the hatches I'd say, it won't be long before this one gets nasty.
Still, this may also be very good grounds for a class action against MS, as they are not honouring a user's request NOT to use IE.
That anti-trust case will be raised by 2006 and resolved by 2014, by which time the successor to the successor to the successor of Longhorn will be released, with a few more dozen anti-trust issues and another slap on the wrist from the DoJ.
Kjella
Live today, because you never know what tomorrow brings
WindowsUpdate does install a "GDI+ Detection Tool", but I have run this tool on systems with unpatched Visual Studio, Outlook, and Office and it does not detect that the patches are missing. I looked at the strings in this tool, and it basically looks like it checks for MS Photo software.
Manually visiting "officeupdate.microsoft.com" and running those updates will probably cover the most common attack vectors (Outlook, Word), but how many people do this on a regular basis? My users are not admin-level (yet) so they can't use this update site.
Incidentally, every default configuration of IE/Word I have seen allows DOC files with jpegs to be opened in the browser window with no prompting. It will not be hard to get people to run the exploits, and there's plenty of ways for worms to automate themselves without users opening things.
I'm working on a script to detect and run the patches (there's about 17 of them for this bug) but it's going to be a while because of the pre-reqs for many of the patches, and the very specific revisions that must match the patch. "If Visio 2002 is installed, detect which Visio SP level is running. If it's SP0 or SP1, run Visio SP2, then reboot, and run GDI patch"...
Sorry if I'm spreading panic, but this bug sucks.
The parent post is not a troll. It is asking when Firefox will support the single logon system for signing in, as currently supported via IE.
If we want to get a lot of offices to transition to FF, this may be very important, and i believe the FF designers ARE working on it, if not already finished it.
I am certainly keen on finding out more about this, and whoever marked the parent as troll will cause this thread to disappear.
Have a nice day!
Haven't they discovered the advantages of shared objects and dynamic linking yet? On my box I have literally hundreds of programs which were vulnerable to PNG exploits. All I did was write "apt-get upgrade" and forget about it to have them all patched at once after downloading a single 100kB package. When a similar vulnerability is found in Microsoft code everyone screams bloody murder, CNET writes about it, Slashdot writes about it, there is film at eleven and worms start to wreak havoc for years because, as you said, it is "hard to patch." But no, it is Linux that is somehow "not ready for the desktop."
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
You remember when she told you that looking at `those' pictures was bad...
_O_
.|< The named which can be named is not the true named
either they haven't learned how to write secure code, or they are doing it on purpose?
...
is it just me or does it look like it's only that "Not That Frelling Stuff" file system? and just the stuff since 2002? hmmmm
only for diablo and doom se/2/final and at most only 98. nope, won't be doing doom3, either, darn it
Something like junkbuster, but it scans the headers of jpeg/png/etc. files to verify that they aren't corrupted. This would automatically protect IE, Outlook, etc. as long as net access was all via proxy and not direct connect. This would buy time to update everything.
if the exploit code is out, and the shitware hackers can get a hold of it, how come the antivirus people can't do the same thing. study the code, then come with definitions that will prevent a disaster to some extent. the problem with the av people is that if the exploit is never used then it would have been a waste of their time. well shit is like paying for insurance.
You need people like me so you can point your fuckin fingers and say, "That's the bad guy." So what that make you? Good?
but it was too late, she'd already been wormed.
_O_
.|< The named which can be named is not the true named
Don't forget, Firefox leads to fewer security holes, fewer adware and fewer viruses. No reason to change that I can think of.
There are two types of people in the world: Those who crave closure
In order for a bug to be fixed, it has to exist in the first place. So you're admitting that OpenBSD had a flaw caused by Microsoft JPEG libraries? :)
Isn't there a team at Microsoft who says, "What parts of Outlook do we still have that automatically launch other things? Maybe we should go look at the source code for those and see if there are unchecked buffers?"
Writing a proxy server that validates or blocks all JPG images going through it is probably possible. Such a proxy could also process PNG, BMP and other vulnerable formats. This proxy could be run either at the user level (personal protection) or at the ISP level.
Time to start a new open source project !
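A structural pre-filter of the kind the comment above describes, and of the kind the earlier "junkbuster-style proxy that checks JPEG/PNG headers" suggestion asks for, as an added example that is not code from this thread or from any proxy project. It walks a JPEG's marker segments and rejects a file when the SOI or EOI marker is missing, when a non-marker byte turns up where a marker must be, when a segment's length field is below 2 (the field counts its own two bytes, so 0 and 1 are impossible per the JPEG spec), or when a segment runs past the end of the data. The sample bytes are constructed here and are not a decodable image; `make_sample`, `validate_jpeg` and `is_safe_jpeg` are names chosen for this example.

```python
import struct
from typing import List

# Marker bytes that carry no length field: SOI, EOI, TEM and RST0-RST7.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))

MARKER_NAMES = {0xC0: "SOF0", 0xC2: "SOF2", 0xC4: "DHT", 0xD8: "SOI", 0xD9: "EOI",
                0xDA: "SOS", 0xDB: "DQT", 0xDD: "DRI", 0xFE: "COM"}
MARKER_NAMES.update({0xE0 + i: f"APP{i}" for i in range(16)})


class JpegStructureError(ValueError):
    """Raised when the marker structure is malformed or truncated."""


def _name(marker: int) -> str:
    return MARKER_NAMES.get(marker, f"M{marker:02X}")


def validate_jpeg(data: bytes) -> List[str]:
    """Walk the marker segments of a JPEG and return their names in order.

    Raises JpegStructureError on a missing SOI/EOI, a non-marker byte where a
    marker is expected, a length field below 2, or a segment running past the end.
    This checks container structure only; it does not decode the image.
    """
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        raise JpegStructureError("missing SOI marker")
    pos, seen = 2, ["SOI"]
    while pos < len(data):
        if data[pos] != 0xFF:
            raise JpegStructureError(f"expected marker at offset {pos}, got 0x{data[pos]:02x}")
        while pos < len(data) and data[pos] == 0xFF:   # 0xFF fill bytes may precede a marker
            pos += 1
        if pos >= len(data):
            raise JpegStructureError("truncated marker")
        marker, pos = data[pos], pos + 1
        if marker == 0xD9:
            seen.append("EOI")
            return seen
        if marker in STANDALONE:
            seen.append(_name(marker))
            continue
        if pos + 2 > len(data):
            raise JpegStructureError(f"{_name(marker)} missing length field")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            raise JpegStructureError(f"{_name(marker)} at offset {pos - 2} has length {length} (< 2)")
        if pos + length > len(data):
            raise JpegStructureError(f"{_name(marker)} segment runs past end of data")
        seen.append(_name(marker))
        pos += length
        if marker == 0xDA:
            # Entropy-coded scan data follows SOS: 0xFF00 is a stuffed byte and
            # 0xFFD0-0xFFD7 are restart markers; any other byte after 0xFF is a real marker.
            while pos < len(data):
                if data[pos] == 0xFF and pos + 1 < len(data):
                    nxt = data[pos + 1]
                    if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                        pos += 2
                        continue
                    if nxt != 0xFF:
                        break
                pos += 1
    raise JpegStructureError("missing EOI marker")


def is_safe_jpeg(data: bytes) -> bool:
    """Proxy-style verdict: True only if the marker structure is well-formed."""
    try:
        validate_jpeg(data)
        return True
    except JpegStructureError:
        return False


def make_sample(com_len: int) -> bytes:
    """Constructed JPEG-shaped byte string (not a decodable image) for test input.
    com_len is written verbatim into the COM segment's length field: 7 is correct
    for the 5-byte comment below, anything below 2 is malformed."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\x01\x01\x00\x00\x3f\x00"
    return (b"\xff\xd8"
            + b"\xff\xe0" + struct.pack(">H", 2 + len(app0)) + app0
            + b"\xff\xfe" + struct.pack(">H", com_len) + b"hello"
            + b"\xff\xda" + struct.pack(">H", 2 + len(sos)) + sos
            + b"\x12\xff\x00\x34"            # scan data containing one stuffed 0xFF00
            + b"\xff\xd9")


if __name__ == "__main__":
    for label, blob in [("well-formed", make_sample(7)), ("bad COM length", make_sample(1)),
                        ("truncated", make_sample(7)[:-2])]:
        try:
            print(label, "->", validate_jpeg(blob))
        except JpegStructureError as exc:
            print(label, "-> rejected:", exc)
```

A filter like this only buys time, as the comment says: it blocks malformed containers, not everything a decoder might mishandle, and it protects only traffic that actually passes through the proxy, so images arriving by mail attachment or on removable media are untouched.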
This isn't Java, this isn't ActiveX. This isn't obscure or anything. This is a common deal. It's one of the most fundamental things about web browsing besides the text: the pictures. So now the pictures can bite just as hard (if not harder) than Java or ActiveX things. Microsoft should be ashamed of themselves, letting this kind of bug slip past them. I bet there's a buffer overflow or critical exploit in Notepad or Minesweeper that would compromise networks and serve the hacker free pizza if you looked at 'infected' text.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
Everyone seems to be expecting infected pr0n or e-mail... it's so much simpler than that, and it's been scaring me since this exploit was announced. I'd say about 2/3rds of the corporate computers in this country are still vulnerable, and enough of them visit MSN or CNN.com on a regular basis for a simple banner ad to give someone a REALLY nice assortment of zombie PCs.
Pavlov's Dog ate the bell, and now he's barking at Schroedinger's cat all the time... -Me
So glad I did not update my other machine, which I use only for games.
I guess I'm safe then, or are there other security updates that I should do ?
well, prepare your mailboxes for increased amounts of "free p0rn site!!! come and see!!!", "see $your_fav_celebrity_name naked!!!" etc. spam :-)
There used to be an excellent page documenting every known flaw in IE, along with its severity and whether it had been fixed. Most informative were details on an (unfixed) problem with IE's handling of SSL authentication dating back to THE YEAR 2000. Unfortunately the site authors removed it after MS announced their Trusted Computing initiative, in the interest of giving MS a break.
:(
Hah! Exploit after exploit continue to be revealed. Are they even bothering to fix the recent drag-and-drop exploit, 'cos my fully patched XP machine at home is still vulnerable.
I post to ask if any one knows of a similar site that is still updated; I have googled and came across http://continue.to/trie, but the layout isn't great and basically I want the old site back.
I better make sure to convert all of my porn to
... are the books by Microsoft Press.
I appreciate your thoughtfulness, and your assistance.
Have a good, exploit-free day, sir.
Sure, this is really bad, but how can someone take control of your machine using this 'sploit?
WWJD? JWRTFA!
As well as W2K machines.
--
What would Bill Clinton do?
Set that as the home page for a co-worker you hate. This should be fun, but it's gonna take me a while to change everyone's home page.
--
What would Bill Clinton do?
What I'm interested in is the security holes in FS/OSS -- software that I use. If people here are supposed to be so pro-FS/OSS, they should be posting things that help FS/OSS -- not proprietary software. Hint: constructive criticism helps the criticized, and does not harm them.
social sciences can never use experience to verify their statemen
You just need to use a Trojan.
The article says that the exploit allows you to run a named process on the machine. The article does NOT say the exploit allows the writer to run arbitrary code on the machine.
Sure, this is really bad, but how can someone take control of your machine using this 'sploit?
The process could then be instructed to download hostile code off of a remote host.
I think I might have it, and I think Slashdot might be compromised! I saw the story on the front page, clicked the link to read more, and all of a sudden Slashdot had this really crappy color scheme.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
Well, that porn .asf file can be set to automatically open a web page from Media Player which contains a JPEG that takes over your machine...
Then the JPEG watches porn for you, and can do everything it likes, such as eliminating its competitors by converting all .gif, .bmp, .tiff and .xcf.gz files into .jpeg.
-- Hasbullah bin Pit (sebol)
...is that you often need the install media to do any updates. What * the * hell? You might have had your machine set up by a central IT lab and they have the CD image install to work from. Even if the source is provided over the network, is a non-savvy user going to understand where to find it? I give it a 50/50 shot.
So thanks again to Microsoft they make critical functions a pain in the ass to execute which often means it does not get run at all.
ActiveX I can see, but java applets by default run in a sandbox so I don't see how they belong in the same exploit category in the context of which you are mentioning it. Now if you grant an applet permission to access your PC [explicitly or by messing with your java security settings], then it's your own damn fault. Likewise, if you install a java application, it's like installing any application...you better know what you are installing and what the program's true intentions are when you execute it.
"Look Lois, the two symbols of the Republican Party: an elephant, and a fat white guy who is threatened by change."
Slashdot has jumped the shark. Bow before your corporate masters.
Remember that the space in the line above was put there by Slashdot software.
--
Bush: Spending money the U.S. doesn't have to try to make his administration look good.
Add in all the other critical systems that need any patches first "certified" by a vendor (i.e.: medical, manufacturing, "plant" operations software and/or hardware) and this little exploit could be a real mess.
I guess this is another reason to say no to electronic voting.
"I hate to advocate drugs, alcohol, violence or insanity but they've always worked for me" - HST
Check out the setting "network.automatic-ntlm-auth.trusted-uris". It will automatically send your Windows credentials to any URL listed in the comma-separated list.
æeee!
They're written in the notorious "buffer overflow" languages, so most people will have these problems for the near future.
Meanwhile, what you can do is run each program as a different, more restricted user.
On Windows XP, run IE using a shortcut with a runas with savecred (you should modify those in the start menu and quick launch too), and set it so it runs using a very restricted account. The restricted account should either have access to your bookmarks, history and temporary files, or you should run it so it changes to the restricted user's home directory and you allow your main account access to the restricted user's home directory.
Look up the runas command for the options. It'll be more convenient on WinXP since there's the savecred feature.
On UNIX, I think you can use sudo or something similar. Sudo to a restricted account and then run the browser.
This way, if your program gets exploited it can only ruin what the restricted user has access to, it can't easily touch the rest of the system.
Exploits can still theoretically touch the rest of the system since there's stuff like shatter attacks (for windows, not sure about KDE/GNOME), and I'm sure display drivers have bugs of their own and they run in ring 0 (on windows).
But if you do this it raises the bar significantly.
There are other options if you're really paranoid and don't mind the extra effort.
Yesterday it was the scroll bar vulnerability, today it's the JPEG vulnerability....
What's it going to be tomorrow?
Computer Switch ON Vulnerability? I'm not going to be surprised if such a one comes up.
Add to this my dial-up connection!
Right now I use Win 98, Firefox.
BTW, what are the updates for Firefox vulnerabilities and where do I find them?
I think the next generation Download Managers should have these features:
* Select s/w for patch update search - e.g. Windows, Office, IE, FF, Winamp.
* Automatically queue them up and download.
I think thats the only way I can manage to download all patches for all s/w I use.
The Fun of Internet is only so long as your computer does not get infected.
And it was carefully timed. The more fear and confusion on the web, the less attention will be given to the important issues, namely the election coming up in. . . How Many Days??
For goodness sake, Gates is part of the Homeland clique; he's spent time in planning meets with Homeland honchos to better determine how Microsoft could 'help out'.
Not that it actually matters. This is now merely an internal struggle between pawns; Kerry is just as much a dangerous bastard as Bush. .
--That is, (pardon my editorializing), both parties, despite their surface disagreements, are pushing for an escalation against Iran. This is the exact same technique as was used against Iraq. There is almost no difference.
Run a bunch of bullshit stories about the 'sudden' threat of Iranian nuclear intentions to gain a big, sloppy, predictable and easily directed emotional response from all the American twits and drones.
Israel complains and whines that the UN should do something, despite the fact that there have been illegal nukes in the arsenals of the Promised Land for decades. Double standards, anyone? (Oh, I'm sorry. I forgot. The Zionists are the Good Guys. They're allowed to commit genocide so long as they own all the news papers and have it called 'anti-terrorism'.)
The UN is bullied into creating a half-assed directive by which Iran can be observed, tested and punished if they don't meet some arbitrary dead-line.
It doesn't matter what the heck the actual findings are when the UN inspectors are sent in, the American media and the psychopaths in government will simply tell lies and spin the hell out of everything to get what they want, which is. . .
Cluster bombs in Iran, dead children, de-stabilized government and CIA installed despot. Just like in Iraq. --And needless to say, all Americans between the ages of 19 and 38 carrying machine guns.
The most ridiculous part is that EVERYBODY WILL FUCKING FALL FOR IT AGAIN. --Because Americans have been the subject of a century long campaign to make them poor, ignorant, fat, drugged, and retarded.
A nuclear bomb in some American city set off by the Mossad or CIA in yet another false-flag operation around election time would be a good way to spur things along if this JPEG bullshit driving people away from the web doesn't prevent enough communication and public discourse.
We'll see.
-FL
That only applies to outlook, not outlook express. That means you need to have a copy of Microsoft Office to get Outlook 2003, as no version of Outlook Express supports that.
Can you PROVE this JPG that crashes my IE on my fully patched XP system crashes *because* of this vulnerability though? I mean, it could crash it if it WAS fux0red, right? This isn't exactly proof of an exploit, is it? It opens in my Picture & Fax Viewer if I save it to my desktop and double-click it there...
Visit London Scalextric Club
A lot of posts around here are running around acting as if each individual Microsoft program has a problem specific to that program which is entirely false. Just like with the libPNG exploit, this exploits a graphics library: GDI+. It's the library's fault why this affects so many programs: they used the library in all of them.
Exactly, you need Outlook 2003, which means MS Office. Most people use Outlook Express, which comes with MSIE, and Outlook Express does not support that.
For info on exploits badcoded Note: This is not a 0day site, it is real info for exploit writing.
There are too many OS/App combinations to patch for. Microsoft should have released a and downloads the patched files you need.
The current "tool" only tells you if you have vulnerable files and redirects you to Office Update.
Up, Up, Down, Down, Left, Right, Left, Right, B, A, START
When we were leaving his room he gave us this advice: "Beware the JPEG virus". It was 9 years ago and he was quite old and sometimes he acted/talked nonsense so we made fun of his advice (we thought: since it was not an executable file, how could it bring a virus): but he was right and we were wrong..
This message doesn't need a sig
Are the moderators in question stupid, or just friends of yours?
Mozilla uses a number of Windows API calls to do its job. Amazingly, on Unix systems, it uses libraries only found on those systems. On my gentoo linux system it's linked to libpthread, libX11, and a bunch of other X libs. I'm not sure what it's linked to on Windows, because I don't have a tool for that (be nice if 'doze came with one eh? I used to have one but I forget what it was called) but I suspect the situation is much the same.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I'm curious about the efficiency of their touted NX bit, which is said to prevent buffer overrun scenarios and is only included in XP SP2. Anybody tested this?
--- Back to the trees, back to the trees !
"The most ridiculous part is that EVERYBODY WILL
Exactly right: The U.S. government has bombed 24 countries since World War 2. The system of violence works by creating fear in U.S. citizens so rich people can profit. The problem happens largely because the U.S. government has a break-the-law department called the CIA. Secret government is not democratic.
This is the 55th serious vulnerability in IE found in two years. I've often wondered: Are Microsoft programmers that sloppy, or were the bugs put there to help with U.S. government surveillance? Why did the U.S. Department of Justice let Microsoft off so easily for its anti-trust violations?
Download patches from technet.microsoft.com through a proxy server.
I bet someone else has made this comparison, but Snowcrash anyone? Looking at a viral image...
Some links missing from the original post: Windows Update and Office Update. Now that wasn't so hard, was it?
We push the updates out so an admin doesn't have to visit every machine. Now an error box pops up when a regular user logs in that says that they have to be admin to actually run the detection routine that was auto-installed. So now an admin has to run around to each machine.
Yeah, you can rewrite libjpeg with a different runtime that is considered 'safer', but it will still suffer if the design patterns are the same. You can write a new libjpeg in Cyclone, but if the underlying reason the bug was exposed is not fixed then Cyclone won't help. The new libjpeg will still malfunction, maybe in not such an egregious way, but still busted.
I see this pop up all of the time: people try to pin the problem on C/C++ instead of the design pattern which led to the exploit. You can write bulletproof code in C/C++. You can write code that can be exploited in Java/C#/Perl/etc. No runtime is safe if the code is bogus.
I've come up with the ultimate computer exploit, ever. You make a jpg of goatse, with this exploited code in it. The exploit code runs an application which activates any webcams, if present, and starts taking pictures, which it then sends back to the 31337 h4x0r.
Think of it, an entire gallery of horrified faces, kinda like in The Ring when people's faces went all nasty after watching the video.
It seems like every new "update" from MS creates a whole host of new security problems to worry about.
And i couldn't seem to find a full copy of the proof of concept, just some edited versions :o(
[Fuck Beta]
o0t!
I used these patches on my xp box and it works greeeeaaaat now: http://download.fedora.redhat.com/pub/fedora/linux/core/1/i386/iso/
Wow, a buffer overflow bug is part of a vast conspiracy. I assume the other buffer overflows recently found in libpng and other OSS libraries was part of the conspiracy too? Let me guess, they were bugs planted by the CIA and NSA to keep us swearing at our computers so we don't notice the black helicopters overhead?
You are entertaining though!
And it is not even the latest version.
That's for me the best browser ever.
We are Turing O-Machines. The Oracle is out there.
if you can't have pictures or movies, consider the old option: ASCII porn. Of course, if Notepad has a security hole, you are SOL.
... there are still people out there who are still using Monkeysoft [Microsoft] software. After the thousands of articles on the net explaining how bad and insecure MS software is?!? Hmm... that's hard to believe.
Oh well... if they continue to use M$ software, then, they deserve to be hacked/crippled.
Hopefully, they'll learn their lesson and dump Windows in the garbage where it belongs.
Long live Linux!!!
Best idea EVAR!
-Jesse
Nothing says "unprofessional job" like wrinkles in your duct tape.
Microsoft is spelled with an s, not a dollar sign.
In early dialects of BASIC, many of which were published by Microsoft, all names of string variables ended with '$'. So if you did LET M$ = "Microsoft" earlier in the program, then M$ would in fact refer to Microsoft.
Hence, SP2 was released before other patches.
When Microsoft releases a patch for one product, black hats analyze the patch to determine the exact nature of the vulnerabilities that remain unpatched in Microsoft's older products. If the black hats get a working exploit into the wild before Microsoft backports the patch to its older products, then say hello to 0-day.
JPEG *may* be done right. Looks like "they" missed something in libPNG: http://developers.slashdot.org/article.pl?sid=04/08/05/0415206&tid=156&tid=172&tid=1
And guess what? Your trying to discredit the idea through ridicule is a part of the same 'Vast Conspiracy'. But did you take orders? Did you receive an envelope from a shadow figure? Of course not! But this doesn't alter the fact that you are a part of a large force of awareness, and that you are affecting how the world perceives events. Get enough people doing as you do, and the world looks the other way. Amazing! And where is the 'Vast Conspiracy?'
Oh, it's there. It's just far more effective than most people give it credit.
Let's take the current example: --All it takes are people in the news force with Computer Bug Stories kept in waiting for release at appropriate times, and then to do so with the appropriate level of alarm and coverage. Instant cultural change is effected in very controlled and predictable ways. If I was in charge and evil, that's definitely how I'd do it.
Or are you suggesting that news agencies are not massively influenced by powerful people with agendas? Do you really believe that?
I certainly hope not, because there is ample proof to the contrary. Do you want some links? There are lots. --Look up the most recent story about Canwest Global in Canada, which owns much of the news pie in Canada for a brief example.
Are you trying to tell me that the world presented to you by your TV and your government is an accurate picture of reality?
Only a fool would answer Yes to that, so my next question is, "How much of that presented reality is false?" Ten percent? Thirty percent? Eighty?
The problem is that the loose threads of the make-believe reality are many and very easy to pull on. Those who chuckle lightly at this assertion and who find me, 'entertaining' are those who have never pulled a thread or questioned a teacher, or stepped outside the socially accepted bounds in their lives.
And the reality of the matter is that it is far more likely that such tactics are used than not.
To pull out Occam's rusty razor, one can ask, "Which is more likely: That sneaky tactics and social manipulation are used by greedy, manipulative people, or that everybody is good and honest?"
Or as I like to put it; "So you don't believe in Conspiracies? Fine. How about if I change the word; Do you also not believe in Corruption?"
The fact that you are reacting in the way you are is evidence that you are one of the mind-controlled. Take a few minutes to ask yourself how such could be possible; explore the notion, don't just cast it off, and see where that takes you. (How much time every day do you spend staring at a TV screen with your eyes wide and your brain hypnotically opened?)
Do you want some links about how that works? Or would you prefer to be 'entertained'?
Truth or lies. Pick one. Your life depends on it.
-FL
Indeed, Netscape, which also uses that code for its JPEG decoding, had that flaw (but it was fixed earlier, and of course, it did not make the news nearly as much as this Microsoft issue, owing to its much smaller market share.)
http://www.openwall.com/advisories/OW-002-netscape-jpeg/
-- Samir Gupta, Ph. D. Head, New Technology Research Group, Nintendo Co. Ltd., Kyoto, Japan.
OK, I'll give you that one. If you didn't laugh you'd have to cry!
At least now the matter is in the daylight, rather than being hushed-up.
I smoke. You smoke. We were!
No, they are known as DLLs (dynamic linked libraries) so that Microsoft can claim they are a new invention. Before MS was even a twinkle in Paul Allen's eye I was writing code that used RTL routines (that's "Run-Time Libraries" to you youngsters, which are different from compile-time routines such as those in the OTL (Object-time library)).
DLLs are just a phenomenally half-assed implementation of an idea nearly as old as programming itself. The RSX-11m and RSTS/E operating systems, to name just two examples, did it better before Microsoft existed.
If you clone the idea of a DLL, you are cloning the half-assed, badly supported implementation of shared run-time code that Microsoft stole from Digital Equipment Corporation.
The only new idea anyone at MS ever implemented was "Microsoft Bob".
Hmmm. Your ideas are intriguing to me and I wish to subscribe to your newsletter.
eSolutions = dope.
I've come up with the ultimate computer exploit, ever. You make a jpg of goatse, with this exploited code in it. The exploit code runs an application which activates any webcams, if present, and starts taking pictures, which it then sends back to the 31337 h4x0r.
Think of it, an entire gallery of horrified faces, kinda like in The Ring when people's faces went all nasty after watching the video.
--
I'll take anal bum cover for 500, Alex... That's "an album cover!"
OMG, do you realize how sickeningly appropriate your .sig is just now!?!?
Welcome to the Panopticon. Used to be a prison, now it's your home.
For curious folks who have never heard of paracetamol, it's a popular French brand of headache/pain/fever/whatever-reducer, equivalent to Tylenol.
Use lynx/offbyone/opera, maybe those are OK.
Maybe they don't have this exploit present in their JPEG rendering routines....
Mozilla and Firefox are capable of doing Kerberos SSO. NTLM SSO is flawed anyway. Try about:config (type it in the location bar) and set the config value for 'network.negotiate-auth.trusted-uris'. For example, set it to 'https://somehost.somedomain.com' to enable SSO Negotiation for that domain.
A picture is worth a thousand exploits.
The libraries in question were not programmed by Microsoft; they're generic code to read JPEG files, made by the JPEG group or whatever they're called.
I have read this sentence countless times and to be honest I completely fail to understand the humour thereof. Could you please provide any hint? (Somehow, I know I will deeply (pun not intended) regret it...)
Sincerely,
Pan Tarhei Hosé, PhD.
"I am human and I think, therefore I hate the profane crowd, and lust."
I've *always* scanned ALL files -- because even in the DOS era, you could never rely on the extension and the functionality having anything to do with one another. (Remember XTreeGold for DOS? the *.XTP files are *executables*, called by XTG.EXE as needed.)
:(
Occasionally even then, the front end of a virus was named whatever.com and was itself "clean" (so would be passed by most scanners), but its job was to call the REAL executable, named something like whatever.dat, which contained the virus code (and if you limited your scanner to known-executables, it would be missed). I have personally seen a virus carried in the whatever.dat part of some purported utility.
As to viruses in image files, it has always been theoretically possible to execute code placed in a GIF's comment field, and I vaguely recall there was a similar exploit possible for JPGs. The only reason this GIF exploit was never seen in the wild is because in the olden days, you couldn't count on everyone using the same viewing software; there were dozens of DOS image viewers, no two of which worked alike. NOW, a virus author can pretty much count on the majority of users using such files thru some combination of Windows, IE, and M$Office, so such formerly-obscure tricks become worth the bother. Much more so when M$ kindly offers malware authors a leg up like this.
~REZ~ #43301. Who'd fake being me anyway?
Important part is in bold.
On that site are 3 important images: AlexPaul2, AP3, and AP4. All 3 display correctly in Firefox, IrfanView, and Windows Picture and Fax Viewer. The only problem seems to be with IE.
With IE:
AlexPaul2 - correct
AP3 - hues are wrong, red and blue appear to be switched
AP4 - CRASH
All of these use 3 components in the scan, so there are 6 bytes total for that portion of the SOS block.
AlexPaul2: 0100 0211 0311
AP3: 0100 0311 0211
AP4: 0311 0211 0100
I have tried switching the order of these to each other and the problem absolutely stems from here.
AP4 to AP3: 0100 0311 0211 - there is a red/blue hue difference between most programs and IE.
AP4 to AP2: 0100 0211 0311 - there is no difference between the programs and IE.
AP3 to AP4: 0311 0211 0100 - IE CRASH!
AP3 to AP2: 0100 0211 0311 - there is no difference, but the red/blue hue switch appears in BOTH normal programs and IE. In other words, AP3 appears the same in IE with both settings.
This last result makes me think IE is somehow trying to re-order these in ascending Component ID order, and this causes the errors.
One thing the JFIF document I found doesn't mention is that the order of these components matters. Changing the order always makes the jpeg appear different (sort of like a newspaper comic with the inks misaligned) in non-IE programs. If anyone knows more about this, please respond.
I know that Microsoft has already cloned the idea (though I wouldn't call them amateurs--even if their software is hardly professional, I think at least some of their developers are actually quite competent programmers). The idea itself is at least as old as the Michigan Terminal System from the 60s, so basically everyone has already cloned it, including GNU in the 80s and Microsoft in the 90s, but that was not my point. I wasn't asking whether they had discovered shared objects and dynamic linking, but whether they had discovered the advantages thereof, which in that context obviously means the security and patching related ones. As Julesh has pointed out, they apparently have not, so as it turns out my question wasn't so "troll" as someone thought while mistakenly rating it as such.
Sincerely,
Pan Tarhei Hosé, PhD.
Apparently the advantages of dynamic linking (at least the security and patching related ones) must not have been the whole point of using DLLs by Microsoft.
Sincerely,
Pan Tarhei Hosé, PhD.
This is really hard to believe. Do you know the rationale (or should I say irrationale?) behind this unbelievable and unheard-of practice?
Sincerely,
Pan Tarhei Hosé, PhD.
The solution to this problem? How about ONE SIMPLE ERROR CHECKING ROUTINE to watch for an incorrect value in the COM field length?
And here's the kicker: remember the problem Netscape had with jpeg files, 4 years ago? This is the same exact thing.
Unfortunately, I've noticed the same thing -- on my lowly P3-550/Win98, Moz 1.5 is WAAAAY slower at rendering pages, both text and images, than are IE5 and NS3 (the latter being my everyday browser). On my near-identical WinXP box, same thing -- Moz 1.5 renders pages much slower than IE6 or NS 3/4/6.0. (Both boxes have 1GB of RAM, so THAT is not the issue. And we won't even look at relative startup times.. egads!!) Oddly, Firefox was even slower than Mozilla.
I have no idea why this would be, and was both surprised and disappointed at the discovery. Especially since I detest IE..!!
Someone with a faster machine might not see the difference, tho. And I've noticed there is often a serious chunk of wishful thinking when FOSS is involved, which does nothing toward improving FOSS software. You gotta admit your bugs exist before you can fix 'em.
~REZ~ #43301. Who'd fake being me anyway?
Hardware manufacturers just need to design the CPUs to use a separate area for the return address stack that isn't cluttered with data. What is the problem with doing this?
ISC has published a scanner to identify vulnerable files. Has both a GUI and a command line option. Use a little creative scripting and you can use this to find vulnerable hosts on your network. Patch early, patch often...
Yes, my only tool is a hammer. And you're starting to look like a nail.
Was going to say "Just looking at the source code caused a buffer overflow" but I thought of something better. How about "Odd that the bug was fixed in SP2 but no one talked about it until after SP2 was released - JPEG viewing being such a common activity a patch should have been released long ago." I hope that was a valid point but if not, well I might just say "Do you smell what the Rock is cooking?"
Inspection of the source code leads me to believe that I should scan jpegs before viewing. I don't trust patches. It seems there is a lot of suspect software needing patching - how do I know if I patched everything?
Is it enough to look for FF FE 01 or FF FE 00 around the header?
Know your pads. One time pad: good for cryptography. Two timing pad: where to take your mistress.
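As an added, defender-side illustration (not code from this thread, from the ISC scanner, or from any JPEG library) of two points raised above, the SOS component-selector order examined in the AlexPaul2/AP3/AP4 comment and the question of whether searching for FF FE 00 or FF FE 01 near the header is enough, here is a small JPEG segment walker in Python. The sample bytes are constructed and are not a decodable image; the "declared length below 2" rule is my framing of the "incorrect value in the COM field length" described above, since the length field counts its own two bytes and a decoder computing length - 2 in an unsigned type wraps around. The function and key names are mine.

```python
import struct

# JPEG marker codes used below
SOI, EOI, SOS, COM, SOF0 = 0xD8, 0xD9, 0xDA, 0xFE, 0xC0
# Markers that carry no length field: SOI, EOI, TEM, RST0..RST7
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))


def iter_segments(data):
    """Walk the marker segments of a JPEG byte string.

    Yields (marker, offset, declared_length, payload). The declared length
    includes its own two bytes, so any value below 2 is malformed. The walk
    stops at such a segment (nothing after it can be resynchronised) and at
    SOS, where entropy-coded data begins.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected marker byte 0xFF at offset {i}")
        marker = data[i + 1]
        if marker == 0xFF:            # fill byte, skip it
            i += 1
            continue
        if marker in STANDALONE:
            yield marker, i, 0, b""
            i += 2
            if marker == EOI:
                return
            continue
        if i + 4 > len(data):
            raise ValueError(f"truncated length field at offset {i}")
        length = struct.unpack(">H", data[i + 2:i + 4])[0]
        if length < 2:                # the underflow case: report and stop
            yield marker, i, length, b""
            return
        yield marker, i, length, data[i + 4:i + 2 + length]
        if marker == SOS:
            return
        i += 2 + length


def scan_jpeg(data):
    """Report malformed segment lengths and the SOS component-selector order."""
    report = {"bad_length": [], "sos_components": None, "sos_ascending": None}
    for marker, offset, length, payload in iter_segments(data):
        if length < 2 and marker not in STANDALONE:
            report["bad_length"].append((marker, offset, length))
        elif marker == SOS and payload:
            ns = payload[0]                                    # components in this scan
            comps = [payload[1 + 2 * k] for k in range(ns)]    # selector byte of each pair
            report["sos_components"] = comps
            report["sos_ascending"] = comps == sorted(comps)
    return report


def build_sample(com_length, sos_selectors):
    """Constructed minimal JPEG-like bytes: SOI, COM, SOF0 (3 components), SOS, EOI."""
    com = struct.pack(">H", com_length) + b"hello"
    sof0 = (bytes([8]) + struct.pack(">HH", 8, 8) + bytes([3])
            + bytes([1, 0x22, 0, 2, 0x11, 1, 3, 0x11, 1]))       # Y, Cb, Cr
    sos = bytes([3]) + sos_selectors + bytes([0, 63, 0])
    return b"".join([
        b"\xff\xd8",
        b"\xff\xfe" + com,
        b"\xff\xc0" + struct.pack(">H", len(sof0) + 2) + sof0,
        b"\xff\xda" + struct.pack(">H", len(sos) + 2) + sos,
        b"\x00",                      # stand-in for entropy-coded data
        b"\xff\xd9",
    ])


if __name__ == "__main__":
    # The three SOS selector byte sequences quoted in the thread
    for name, hexsel in [("AlexPaul2", "010002110311"),
                         ("AP3", "010003110211"),
                         ("AP4", "031102110100")]:
        print(name, scan_jpeg(build_sample(7, bytes.fromhex(hexsel))))
    # COM segment declaring a length of 1 (the FF FE 00 01 pattern asked about)
    print("bad COM", scan_jpeg(build_sample(1, bytes.fromhex("010002110311"))))
```

Walking segments rather than grepping for FF FE bytes matters because APP1 (Exif) segments can carry an embedded thumbnail that is itself a complete JPEG with its own markers, so a raw byte search will hit inside data that is not one of the outer file's segments; the walker only examines the outer file, and a thorough scanner would apply the same check recursively to such thumbnails.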
Are you kidding me? JPEGs? Seriously, how hard is it to render an image?
I ask in all sincerity because I don't know. But I do have enough code experience to realize that a NON EXECUTABLE program (i.e. data) shouldn't be a source for an exploit. I mean c'mon. It's like we've learned nothing over the last 30 years of computer engineering.
Very interesting idea. Seriously. Drop me a line if you implement it or know anyone who does. I might use it in a feces recognition study.
And still the most horrifying would be the faces not horrified... "I am a proctologist! I swear! That is why I was not horrified!" Yeah, right!
Sincerely,
Pan Tarhei Hosé, PhD.
crash my computer ...
it loaded in about 1/2 second and i didn't even notice because IE autoresized it to fit the screen
Are you seriously suggesting that anyone might have taken male rectum and colon for female genitalia with cervix? And penis for clitoris? Seriously? (Thanks, I have just lost my appetite. And lust, for that matter.) This is 21st century and one doesn't have to "be with a girl" (by which I assume you mean cunnilingus) or "be with a man" for that matter (by which I mean anilingus) to know the human anatomy well enough to know the difference between anus and vulva. There is a reason we have Wikipedia and Google Images and that reason is universal access to human knowledge, without the need for everyone to reinvent the wheel and rediscover said knowledge over and over again, like it was the case in previous, less fortunate centuries.
Sincerely,
Pan Tarhei Hosé, PhD.
IE appears to start up fast because most of its library code is already in memory (it was started during the Windows boot process). Third party developers can't compete with that. For a more meaningful comparison, enable Mozilla's "live in systray" thingy, then once the PC has finished booting, open it and you will find it appears quickly.
Also, I believe that Firefox doesn't use, or doesn't have access to, the same fast rendering OS-level libraries that IE uses (although this could, of course, be FUD).
FWIW I find the latest Firefox to be nearly comparable in speed to IE (what's lost in delays is made up for in other ways, AFAIC)
After reading this thread I came (pun not intended) to the conclusion that we are all losers with no life. And even writing it I just *had* to make another lame ass (pun not intended -- no, I did it again!) joke! God, how I suck...
Actually, with XP SP2, Outlook Express also does NOT load images by default.
My mom complained after installing SP2 on her machine. I was very pleased to see that Microsoft is at least improving _some_ things.
I generally forgive and make allowances when I can actually manage to wade through broken grammar, screwed up wording and bent idea structures to find some germ of meaning, but in this case I can't figure out at all the message being attempted here.
Honestly. Every layer of pre-filtering I need to apply to an incompetent post moves my eyebrow up another notch on the, 'Who is this loser?' scale.
-FL
It also crashes Jasc Paintshop Pro 7.04 so I guess you cannot blame Microsoft for that one!
No, your criticism is invalid because the Karma Bonus is a form of rating a.k.a. self-moderation. You have been giving all of your comments the +1 Karma Bonus. Unless you are sure you have something amazingly interesting to say, it is better to post comments at a +1 score by clicking the "No Karma Bonus" option before you post. If you choose the Karma Bonus without a very good reason, you will have to learn to accept the risk of being modded as "Overrated". Be prepared...
Occam the monk who created his 'razor' in order to prove the existence of God? THAT Occam? Is THAT the 'air-tight' system of logic you want to use here?
I was only joking when I pulled Occam out in my post, but since you want to raise the same thing here, well, I asked first, and I haven't seen any answer yet. In fact, I've yet to see any evidence that a single point or argument I've made has been considered.
The question you pose:
That's your straw man, not mine. While I do write with a lot of thunder, there is sound logic and thought behind my words.
If you do bother to go back and read what I DID say, and if you still have objections, then please do come back and present them. --But I would request that you don't deliberately mis-interpret my words or twist my intent.
-FL
Yes, now I remember. I've read about it in the Goatse.cx article on Wikipedia:
So indeed, your comment was not only funny but actually encyclopædicly accurate at the same time--now I understand it.
It probably depends on whether we might call penis a door. That's an interesting question, actually, even more philosophical than anatomical in nature, considering the social role of penis.
Sincerely,
Pan Tarhei Hosé, PhD.
It surprises me that all you expreet nerd-nics always want to out-slick the Exploiter, Outloaf Express and msn g-wiz, bill, give us a break, would you please, but nobody seems to notice the Kodak Imaging for Windows lurking in the shadows of every image since 1997 to leave good old ONE MICROSOFT WAY headed for everywhere else fastfat.
Congratulations! You've got photos from AOL chock full of bugs Plus! Extreme YAHOO! the phuck do you think you are sending e-mail to:/????">>(edit)SBC Red Light District Prodigy PIM PING MAILLINK
Best of Web Hookers & Johns PROSTITUTION.CHM:%1
Solicitor General E-STUPID:%2Idiot[PROOF]sheet?%%
I know about both IE's half-loaded-all-the-time and Moz's systray thing... Moz still starts slow, tho that does improve matters if one can use it. (It's too much of a resource hog to do that on any non-NT Windows.) That's why I only mentioned startup in passing, cuz there's no good way to compare 'em, given IE's native cheat. -- But I was still amazed and disappointed at how slow Moz is at rendering stuff... even given guaranteed equal LOAD times, like pages from local disk. :(
I haven't looked at Firefox in a couple versions, tho I suppose I should do so again, since I actively discourage my clients from using IE.
I suppose I could do with browsers what I do with modems... "You can use any one you want, but I'll only support [brand of MY choice]". Makes 'em switch every time!
~REZ~ #43301. Who'd fake being me anyway?