Slashdot Mirror


Public Exploit For Windows JPEG Bug

Khoo writes "A sample program hit the Internet on Wednesday, showing by example how malicious coders could compromise Windows computers by using a flaw in the handling of a widespread graphics format by Microsoft's software. Security professionals expect the release of the program to herald a new round of attacks by viruses and Trojan horses incorporating the code to circumvent security on Windows computers that have not been updated. The flaw, in the way Microsoft's software processes JPEG graphics, could allow a program to take control of a victim's computer when the user opens a JPEG file." We mentioned this earlier.

23 of 509 comments

  1. Re:heheheh by Anonytroll · · Score: 1, Insightful

    doncha just luv it :-)

    No. And neither should you.

  2. Why so much noise? by Cyberax · · Score: 2, Insightful

    So much noise about an ordinary Windows insecurity...

    IMHO, Longhorn with .NET core is Microsoft's last chance to correct its public image as the 'most insecure software vendor'.

    Another question: when will Longhorn be out before Duke Nukem Forever?

  3. Re:Patch is Already Out by RDosage · · Score: 2, Insightful

    This is dumb ownership, if this bug becomes prevalent.

    Sort of like it was dumb ownership to leave your SQL machine open to the Internet, allowing port 1334 open?

    Or it was dumb to open any of the attachments claiming to be from your administrator sending a passworded zipped file with some "clean-up tool" attached?

    We have proven that users aren't the ones responsible enough not to do something dumb. And SP2 is still undergoing testing in many office environments.

  4. Re:I cannot help but grin ... by Pieroxy · · Score: 5, Insightful

    but I have a strong suspicion
    Everyone is entitled to its own suspicion.

    The level of polish and craftsmanship of open source software
    As opposed to the level of polish and craftsmanship of Microsoft's products, of which you know nothing. So you are comparing apples to ... well, something you just don't know. Good luck being objective.

  5. Re:Almost... by lphuberdeau · · Score: 5, Insightful

    Browsers are not the only problem. Many companies use Outlook as a mail client. Someone could simply include a JPEG image in the mail and, since images are loaded by default, they would infect everyone. Seriously, the only way around this is to update software. Microsoft already has a patch for this, I think.

    --
    He who does not go hunting has no game.
    PHP Queb

  6. Re:Patch is Already Out by darkmeridian · · Score: 4, Insightful

    This is dumb ownership, if this bug becomes prevalent.

    Phew... I was worried there for a second. It's a good thing we can rely on Windows users to not be dumb, otherwise the Internet would be bogged down in viruses, spyware, and spam.

    Well, most users are, uh, stupid. Even if we used Linux, in order to make it simple enough to use, there will be vulnerabilities. For example, getting people to use "sudo" with a limited account makes sense to you and me, but might confuse the heck out of some newbie in Tennessee.

    So it is not a Windows-specific problem. If Linux ever becomes popular as a desktop platform, we will then have dumb Linux users.

    --
    A NYC lawyer blogs. http://www.chuangblog.com/

  7. hmm someone predicted this by minus_273 · · Score: 5, Insightful

    About a year or so back there was a Slashdot story about, I think, McAfee researchers talking about viruses being transmitted over images. Everyone called it stupid market speak from a firm trying to sell more AV products by scaring people with something that is not possible. I think we all need to offer them an apology. I think this is a bizarre parallel to when people used to joke about email viruses way back in the mid 90s. Kind of sad that it is real now. It will be even more so when images are used for exploits too. Though, I suspect those at most risk are those that go to websites looking for lots of images...

    --
    The war with islam is a war on the beast
    The war on terror is a war for peace

    1. Re:hmm someone predicted this by Anonymous Coward · · Score: 3, Insightful

      Yeah, it's pretty ridiculous that virus scanners need to scan pretty much EVERY file on your hard drive now. It started with just .EXE and .COM files, back in the DOS days. Then there was that batchfile virus (which used DEBUG)--add .BAT. Windows caught on--add .DLL. Then came macro viruses--add .DOC. And the AV companies caught on and decided to scan compressed files--add .ZIP and nowadays even .RAR. Then Windows started including scripting--add a half-dozen extensions there. Some JavaScript and Active-X-based exploits--add .HTML. Then there were some WinAMP and Windows Media Player buffer overflows--add .MOD and .MP3. Now we've got .PNG and .JPG.

      There really is no difference between "data" and "code" these days. The worst is when programs, which are registered for dozens of filetypes, ignore the extension and instead look at the content of the file to determine what to do with it. (For example, you can rename a .MOD file as .WAV and it will still play in WinAMP.) So that not only increases the number of extensions to scan, but requires that files with those extensions be scanned in a bunch of different ways.

      It's sad, really.

  8. How to find it? by RosCabezas · · Score: 2, Insightful

    Is there a tool to process JPG files searching for malicious content?

  9. Re:Almost... by enigmals1 · · Score: 5, Insightful

    Switch to Firefox?! Why, what's that gonna do for you? The exploit is in almost every major app Microsoft makes that handles any graphics, including Windows itself, .Net Framework, all Office products, etc.

    People are so quick to blame IE when there are so many other products they can go after. ;)

  10. Re:I cannot help but grin ... by LousyPhreak · · Score: 2, Insightful

    well... "know nothing" is not really true counting the numerous holes, fixed holes and whatnot, and also the rather long response times for some of them...

    Yes, I know open source software also has numerous bugs, but as it's "open" source the flaws are usually found and fixed much faster, within hours (if possible).

    --
    Karma: beyond good and evil - mostly affected by posting political

  11. Re:I cannot help but grin ... by IamTheRealMike · · Score: 2, Insightful
    The level of polish and craftsmanship of open source software

    Open source software has plenty of bugs, duh.

    In fact, there are similar problems with parsing image files on Linux as well. Except that Windows is actually more secure, because it has auto-updates turned on by default from XP2 onwards, and stack protection type patches built in by default. On Fedora you have execshield, but that hasn't been fully upstreamed yet so only a small subset of Linux users are protected. I don't know of any distros that download and apply security patches with no user intervention out of the box.

    (recall OS X's open source roots)

    Even if open source software was perfect (which it isn't) large parts of MacOS X are not open source. Most of the important bits aren't, in fact. Surprise surprise, the Mac has had serious URL handler exploits which are like this JPEG problem: arbitrary code execution via a web browser. Except in the case of the Mac URL handler problems it was a design problem not just an unchecked buffer, to do with insecure-by-design features. D'oh. ActiveX all over again.

    So, no, I don't trust Apple any more than Microsoft when it comes to security. How can you? They are both proprietary OS companies, with all the issues that implies.

    can never be duplicated by Microsoft's paranoid and closed-doors efforts

    These days Microsoft have dedicated programs scanning their code looking for suspicious patterns, security testing teams, and give their developers extensive training in how to write secure code. These are advantages not available to open source coders. If anything I'd say they're close to taking the lead in absolute terms for security (by which I mean, assume equal market share for Windows, Linux, Macintosh - which is more secure).

  12. Don't worry.... by Kjella · · Score: 2, Insightful

    Still, this may also be very good grounds for a class action against MS, as they are not honouring a user's request NOT to use IE.

    That anti-trust case will be raised by 2006 and resolved by 2014, by which time the successor to the successor to the successor of Longhorn will be released, with a few more dozen anti-trust issues and another slap on the wrist from the DoJ.

    Kjella

    --
    Live today, because you never know what tomorrow brings

  13. Re:THIS HAS NOT BEEN FIXED, url inside by Jan-Pascal · · Score: 4, Insightful

    Confirmed on WinXP SP2, all Windows updates, all Office updates. OK in Firefox (1.0PR), but crashes IE 6. And it's not even a goatse link: http://sylvana.net/test/AP4.jpg

  14. Re:Patch is Already Out by Epistax · · Score: 2, Insightful

    That's pretty low man. I've coded plenty before and I've never encountered an instance where I can't check to see if a buffer overflow has occurred. I can't help but feel that all of these exploits are just sloppy programming. That is, they shouldn't exist and even the most basic test would show a problem. I don't know what kind of excuse you're trying to make for the programmers but your cowardly incorrect one sentence observation doesn't give me any insight.

  15. The real way this will infect people... by Khyron42 · · Score: 2, Insightful

    Everyone seems to be expecting infected pr0n or e-mail... it's so much simpler than that, and it's been scaring me since this exploit was announced. I'd say about 2/3rds of the corporate computers in this country are still vulnerable, and enough of them visit MSN or CNN.com on a regular basis for a simple banner ad to give someone a REALLY nice assortment of zombie PCs.

    --
    Pavlov's Dog ate the bell, and now he's barking at Schroedinger's cat all the time... -Me

  16. Re:I cannot help but grin ... by Pieroxy · · Score: 1, Insightful

    I may be a "dick", as you put it, but at least I finish my posts. Whatever you can infer from all you cite is by definition inaccurate, at best.

    Wait until Linux is mainstream, is installed on the computers of quadrillions of unknowledgeable people, and represents 80% of the market. Then, and only then, will it be the target of numerous hackers and virus writers. And they will have a nice and blind audience of stupid computer users.

    Then, we will see if Linux is more or less robust than Windows. Before then, you (we) can at best speculate.

    I realise that you're just an argumentative dick
    I just can't stand blatantly ignorant allegations that are modded interesting or insightful. If that makes me a dick, then so be it.

  17. Re:Almost... by MBaldelli · · Score: 2, Insightful

    Why anyone would use msn messenger is beyond me

    You're confusing MSN Messenger with Windows Messenger. I've been using MSN Messenger for some time now, and I've never seen the amount of spam that I used to with Windows Messenger. And there's a better run line that removes the entire package from a system never to be seen again, which can be found here: http://www.dougknox.com/xp/tips/xp_messenger_remove.htm

    For those of you acting all "chicken little" about an exploit that is not only fixed, but can be scanned for as malicious in several popular Anti-Virus Products as of the end of last week, following is the command that I have successfully used to remove Windows Messenger from my system. From a Run Dialog Box, copy & paste the following:

    RunDll32 advpack.dll,LaunchINFSection %windir%\inf\msmsgs.inf,BLC.Remove

    --
    "The truth points to itself." - Kosh, Babylon5

  18. Re:THIS HAS NOT BEEN FIXED, url inside by ericpi · · Score: 2, Insightful

    The fact that a fully patched IE still crashes on this JPEG (and others, I'm sure) is inexcusable.

    I can somewhat understand that their previous JPEG implementation had problem(s) with unchecked input. In a perfect world, programmers would be better at validating input, but we all know the rush to get SW out the door. These bugs can (unfortunately) slip by.

    However, after a highly public and exploitable flaw is found in their JPEG parsing, they should have made damn sure that the 'fixed' version is rock solid, validating every single bit of an image. What this says to me is that they found the one bug that caused the initial exploit, then didn't bother to see if there were others. Lazy and unacceptable.
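
Comment 8 above asks for a tool that checks JPG files, and this comment argues that a fixed parser should validate every field of an image. The following is an added example, not code from the thread or from Microsoft: a small JPEG marker-segment checker in Python that rejects the structurally impossible cases (a segment length below 2, a length running past the end of the file, data outside the marker grammar) that an unchecked-input parser can mishandle. It checks the container layout only; the page describes the actual Microsoft defect only as unchecked input, and the sample bytes below are constructed, not real images.

```python
import struct

# Markers that carry no length field: TEM (01), RST0-7 (D0-D7), SOI (D8), EOI (D9)
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))

def check_jpeg(data: bytes) -> list:
    """Walk the marker segments of a JPEG and return a list of structural
    problems (an empty list means the segment layout is well-formed).
    This is a sanity check on the container, not a verdict on the image."""
    if data[:2] != b"\xff\xd8":
        return ["missing SOI marker"]
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            return [f"expected marker byte at offset {pos}"]
        while pos < len(data) and data[pos] == 0xFF:   # 0xFF fill bytes are legal
            pos += 1
        if pos >= len(data):
            return ["file ends inside a marker"]
        marker = data[pos]
        pos += 1
        if marker == 0xD9:                               # EOI: normal end of image
            return []
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            return [f"FF{marker:02X}: length field truncated"]
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        # The length includes its own two bytes, so values below 2 are impossible;
        # a parser that computes 'length - 2' without this check underflows.
        if length < 2:
            return [f"FF{marker:02X}: impossible length {length}"]
        if pos + length > len(data):
            return [f"FF{marker:02X}: length {length} runs past end of file"]
        pos += length
        if marker == 0xDA:                               # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break                                # a real marker, not stuffing or RST
                pos += 1
    return ["no EOI marker"]

# Constructed samples (not real images): a well-formed segment layout, and one
# whose COM (FFFE) segment claims a length of 1.
GOOD = (b"\xff\xd8" + b"\xff\xfe" + struct.pack(">H", 7) + b"hello"
        + b"\xff\xda" + struct.pack(">H", 2) + b"\x12\xff\x00\x34" + b"\xff\xd9")
BAD = b"\xff\xd8" + b"\xff\xfe" + struct.pack(">H", 1) + b"hello" + b"\xff\xd9"
```

Run it over a directory of downloaded images and quarantine anything that returns a non-empty list; a clean result only means the file is structurally sane, so it complements rather than replaces an AV signature.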

  19. Re:Almost... by Lehk228 · · Score: 2, Insightful

    put a null text file in place of msn messenger and make it read only, that way nothing can auto-repair your "broken" windows messenger install.

    --
    Snowden and Manning are heroes.

  20. Re:THIS HAS NOT BEEN FIXED, url inside by DigitalRaptor · · Score: 2, Insightful

    This is standard fare for Microsoft. They patch the particular exploit, rather than the vulnerability that allowed it.

    Fatal mistake, and one they make VERY often. Remember all of the RPC viruses we had one after the other? Same vulnerability, different exploits, one bandaid after another.

    I despise it when doctors treat symptoms rather than the underlying problem. This is standard operating procedure for Microsoft.

    --
    Lose Weight and Feel Great with Isagenix

  21. Re:Almost... by Megor1 · · Score: 3, Insightful

    Just set Internet Explorer to use an invalid proxy, and set the user policy so that they can't change it. Now the user can't use IE on the Internet at all.

    --
    Everyone that disagrees with me is a paid shill

  22. Re:Patch is Already Out by drinkypoo · · Score: 2, Insightful

    If your girlfriend puts that much faith in IQ tests, she's retarded :P

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"