Slashdot Mirror

← Back to Stories (view on slashdot.org)

Public Exploit For Windows JPEG Bug

Posted by michael on from the here-comes-the-worm dept.

Khoo writes "A sample program hit the Internet on Wednesday, showing by example how malicious coders could compromise Windows computers by using a flaw in the handling of a widespread graphics format by Microsoft's software. Security professionals expect the release of the program to herald a new round of attacks by viruses and Trojan horses incorporating the code to circumvent security on Windows computers that have not been updated. The flaw, in the way Microsoft's software processes JPEG graphics, could allow a program to take control of a victim's computer when the user opens a JPEG file." We mentioned this earlier.

8 of 509 comments (clear)

  1. Re:I cannot help but grin ... by Pieroxy · · Score: 5, Insightful

    but I have a strong suspicion
    Everyone is entitled to its own suspicion.

    The level of polish and craftsmanship of open source software
    As opposed to the level of polish and craftmanship of Microsoft's products, of which you know nothing. So you are comparing apples to ... well something you just don't know. Good luck for being objective.

    --
    Write boring code, not shiny code!
  2. Re:Almost... by lphuberdeau · · Score: 5, Insightful

    Browsers are not the only problem. Many companies use outlook as a mail client. Someone could simply include a jpeg image to the mail and since images are loaded by default, they would infect everyone. Seriously, the only way around this is to update software. Microsoft already has a patch for this I think.

    --
    Qui ne va pas à la chasse n'a pas de gibier
    PHP Queb
  3. Re:Patch is Already Out by darkmeridian · · Score: 4, Insightful


    This is dumb ownership, if this bug becomes prevalent.

    Phew... I was worried there for a second. It's a good thing we can rely on Windows users to not be dumb, otherwise the Internet would be bogged down in viruses, spyware, and spam.


    Well, most users are, uh, stupid. Even if we used Linux, in order to make it simple enough to use, there will be vulnerabilities. For example, getting people to use "sudo" with a limited account makes sense to you and me, but might confuse the heck out of some newbie in Tennessee.

    So it is not a Windows-specific problem. If Linux ever becomes popular as a desktop platform, we will then have dumb Linux users.

    --
    A NYC lawyer blogs. http://www.chuangblog.com/
  4. hmm someone predicted this by minus_273 · · Score: 5, Insightful

    about a year or so back there was a slashdot story about i think macafee researchers talking about viruses being transmitted over images. Everyone called it stupid market speak from a firm trying to sell more AV products by scaring people with somthing that is not possible. I think we all need to offer them an apology. I think this is a bizzare parallel to when people used to joke about email viruses way back in the min 90s. Kind of sad that it is real now. It will be even more so when images are used for exploits too. Though, i suspect those at most risk are those that go to websites looking for lots of images...

    --
    The war with islam is a war on the beast
    The war on terror is a war for peace
    1. Re:hmm someone predicted this by Anonymous Coward · · Score: 3, Insightful

      Yeah, it's pretty ridiculous that virus scanners need to scan pretty much EVERY file on your hard drive now. It started with just .EXE and .COM files, back in the DOS days. Then there was that batchfile virus (which used DEBUG)--add .BAT. Windows caught on--add .DLL. Then came macro viruses--add .DOC. And the AV companies caught on and decided to scan compressed files--add .ZIP and nowadays even .RAR. Then Windows started including scripting--add a half-dozen extensions there. Some JavaScript and Active-X-based exploits--add .HTML. Then there were some WinAMP and Windows Media Player buffer overflows--add .MOD and .MP3. Now we've got .PNG and .JPG.

      There really is no difference between "data" and "code" these days. The worst is when programs, which are registered for dozens of filetypes, ignore the extension and instead look at the content of the file to determine what to do with it. (For example, you can rename a .MOD file as .WAV and it will still play in WinAMP.) So that not only increases the number of extensions to scan, but requires that files with those extensions be scanned in a bunch of different ways.

      It's sad, really.

  5. Re:Almost... by enigmals1 · · Score: 5, Insightful

    Switch to Firefox?! Why, what's that gonna do for you? The exploit is in almost every major app Microsoft makes that handles any graphics, including Windows itself, .Net Framework, all Office products, etc.

    People are so quick to blame IE when there's so many other products they can go after. ;)

  6. Re:THIS HAS NOT BEEN FIXED, url inside by Jan-Pascal · · Score: 4, Insightful

    Confirmed on WinXP SP2, all Windows updates, all Office updates. OK in Firefox (1.0PR), but crashes IE 6. And it's not even a goatse link: http://sylvana.net/test/AP4.jpg

  7. Re:Almost... by Megor1 · · Score: 3, Insightful

    Just set Internet Explorer to use an invalid proxy, and set the user policy that they cant change it. Now the user can't use IE on the Internet at all.

    --
    Everyone that disagrees with me is a paid shill