Slashdot Mirror


Public Exploit For Windows JPEG Bug

Khoo writes "A sample program hit the Internet on Wednesday, showing by example how malicious coders could compromise Windows computers by using a flaw in the handling of a widespread graphics format by Microsoft's software. Security professionals expect the release of the program to herald a new round of attacks by viruses and Trojan horses incorporating the code to circumvent security on Windows computers that have not been updated. The flaw, in the way Microsoft's software processes JPEG graphics, could allow a program to take control of a victim's computer when the user opens a JPEG file." We mentioned this earlier.

20 of 509 comments

  1. Patch is Already Out by darkmeridian · · Score: 5, Informative

    The patch for this one is already out. Furthermore, SP2 systems do not have this vulnerability unless Office is installed. SP2 by default has auto-updates enabled. And for Office to be exploited in a SP2 system, the user has to open the file manually.

    Code is always buggy. Even Firefox had a JPEG vulnerability of its own. This is dumb ownership, if this bug becomes prevalent.

    --
    A NYC lawyer blogs. http://www.chuangblog.com/
    1. Re:Patch is Already Out by Gzip+Christ · · Score: 5, Funny
      This is dumb ownership, if this bug becomes prevalent.
      Phew... I was worried there for a second. It's a good thing we can rely on Windows users to not be dumb, otherwise the Internet would be bogged down in viruses, spyware, and spam.
    2. Re:Patch is Already Out by maxwell+demon · · Score: 5, Informative

      Well, you know, that's called a software bug. A software bug is by definition something you didn't intend.

      Actually, it's a buffer overflow. A buffer overflow means that there is some area of memory reserved for some data, and then there's more data written to it than fits in. This causes some other data to be overwritten; if that other data happens to be a return address (basically a number which tells the computer where to continue after finishing the current task), then you can get the computer to execute arbitrary code which is in memory - including the code you just conveniently placed into the memory as "image data".

      I don't know details of the JPEG image format, but with a simple bitmap format, a buffer overflow might happen as follows:

      The image contains the number of pixels, and the bytes per pixel. The program takes those numbers, multiplies them, and reserves that much memory to take the pixel values. Then it reads the rest of the file as image data into that memory.

      Now, this simple program for this simple image format may be easily exploited: Just put more data into the image than the product of number of pixels and bytes per pixel. Then the program as written will not reserve enough memory for that data (because the values at the beginning don't tell the truth), and therefore the data will overwrite anything following the data.

      Ok, the fix is easy: Don't read more data than you allocated memory for. The problem is that on the one hand, there are C standard functions which make it easy to get that wrong, and on the other, there can be more subtle ways to produce the same result. For example, the multiplication could overflow, resulting in too little memory being allocated, while the given number of pixels is read in (under the belief that you have reserved enough memory for that).

      And yes, buffer overflows happen in open source software as well as in Microsoft software.

      --
      The Tao of math: The numbers you can count are not the real numbers.
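As an added illustration of the comment above (not code from the thread or from any real JPEG decoder): a C reader for the toy bitmap format it describes, showing the unchecked 32-bit size product that wraps beside a version that rejects the wrap and bounds the copy by the allocated size. The 8-byte little-endian header layout and the 4-bytes-per-pixel cap are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy format (assumption): an 8-byte header holding pixel_count and
 * bytes_per_pixel as little-endian uint32, followed by pixel_count * bytes_per_pixel
 * bytes of pixel data. */
#define TOY_HDR_LEN 8

static uint32_t load_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The size computation the comment warns against: a 32-bit product that silently
 * wraps, so a huge pixel count can yield a tiny allocation. */
uint32_t naive_image_size(uint32_t pixels, uint32_t bpp)
{
    return pixels * bpp;
}

/* Hardened size computation: reject zero or implausible bytes-per-pixel and any
 * product that would not fit in 32 bits. Returns 1 and sets *out on success. */
int checked_image_size(uint32_t pixels, uint32_t bpp, size_t *out)
{
    if (pixels == 0 || bpp == 0 || bpp > 4) return 0;   /* 4 bpp cap is assumed */
    if (pixels > UINT32_MAX / bpp) return 0;            /* product would wrap */
    *out = (size_t)pixels * bpp;
    return 1;
}

/* Reads the pixel data into a buffer sized from the validated header. The copy is
 * bounded by the allocated size, and a file whose payload is shorter or longer than
 * the header claims is rejected instead of being read past either limit.
 * Returns a malloc'd buffer (caller frees) or NULL. */
unsigned char *read_toy_image(const unsigned char *file, size_t file_len, size_t *out_len)
{
    size_t need;
    if (file_len < TOY_HDR_LEN) return NULL;
    if (!checked_image_size(load_le32(file), load_le32(file + 4), &need)) return NULL;
    if (file_len - TOY_HDR_LEN != need) return NULL;    /* header and payload disagree */
    unsigned char *buf = malloc(need);
    if (buf == NULL) return NULL;
    memcpy(buf, file + TOY_HDR_LEN, need);              /* bounded by need, not file_len */
    *out_len = need;
    return buf;
}
```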
    3. Re:Patch is already out by BoldAC · · Score: 5, Informative

      Come on guys! This is slashdot!

      Where is the downloadable link to the second proof of concept code?

      Here's the link to the first POC:
      http://www.gulftech.org/?node=downloads

      The first POC just generates the buffer overflow crash. Interestingly enough, on an unpatched system, just having the jpg on your desktop caused explorer to crash - repeatedly. I am assuming as XP tried to generate the thumbnail. However, if viewed through a web page, I could view it fine.

      I've been looking for the second POC code since yesterday. It supposedly opens a cmd prompt when the crafted jpg is viewed.

      AC

    4. Re:Patch is already out by Trigun · · Score: 5, Informative

      http://www.k-otik.com/
      You can find it all there, including a C program that fires off a local cmd shell.

      Only for use as a security lesson and ethical hacking.

  2. Spammers by sleepnmojo · · Score: 5, Interesting

    The biggest problem here is when spammers use this in their opt-out link. This would probably be much more effective than the scrollbar hack they are using now. It just has to render the damn page, and wham, you're infected.

  3. pr0n by Lord+Prox · · Score: 5, Funny

    Damn. Now in addition to worrying about going blind I also have to worry about catching something.

  4. safe sex by gusmao · · Score: 5, Funny

    Does that mean when you watch porn on the Web it is not safe sex anymore? Damn it!!!

  5. Patch is already out by Jeffv323 · · Score: 5, Informative

    Pick your OS and download it here

    Also, if you have SP2 or uh, don't use MS software, you're fine :)

    --
    I'm a minister!
  6. patch has been available for a while now by jeffs72 · · Score: 5, Informative

    And it actually works fairly well. It scans for any program that reads these files and makes sure they don't have the bug in them. If it can't patch them, it bugs you about it so you can find a fix for the app. Only Microsoft apps of course, I don't think Adobe wants Microsoft pushing out software updates for them.

    Most of the users I have to support aren't savvy enough to add a printer (omg, with active directory it's like 3 mouse clicks) or install software or apply updates (we use some banking software and it notifies you with a text box to click "OK" and then "File, Update" but I still get called on it every time). That's why at our offices we use Microsoft System Update Server (SUS). It lets us approve patches and then roll them out to all the clients in the domain automagically.

    I shudder to think what would happen if I tried to roll out firefox or mozilla to everyone. I'd probably get calls that their "e" was missing and they couldn't connect to the internet. I swear, some people just shouldn't be on computers.

    --
    This article has recently been linked from Slashdot. Please keep an eye on the page history for errors or vandalism.
  7. Re:I cannot help but grin ... by Pieroxy · · Score: 5, Insightful

    but I have a strong suspicion
    Everyone is entitled to their own suspicion.

    The level of polish and craftsmanship of open source software
    As opposed to the level of polish and craftsmanship of Microsoft's products, of which you know nothing. So you are comparing apples to ... well, something you just don't know. Good luck being objective.

  8. Re:Almost... by lphuberdeau · · Score: 5, Insightful

    Browsers are not the only problem. Many companies use Outlook as a mail client. Someone could simply include a JPEG image in the mail and, since images are loaded by default, they would infect everyone. Seriously, the only way around this is to update software. Microsoft already has a patch for this I think.

    --
    Qui ne va pas à la chasse n'a pas de gibier
    PHP Queb
  9. hmm someone predicted this by minus_273 · · Score: 5, Insightful

    About a year or so back there was a Slashdot story about, I think, McAfee researchers talking about viruses being transmitted over images. Everyone called it stupid market speak from a firm trying to sell more AV products by scaring people with something that is not possible. I think we all need to offer them an apology. I think this is a bizarre parallel to when people used to joke about email viruses way back in the mid 90s. Kind of sad that it is real now. It will be even more so when images are used for exploits too. Though, I suspect those at most risk are those that go to websites looking for lots of images...

    --
    The war with islam is a war on the beast
    The war on terror is a war for peace
  10. Hard to patch by Manip · · Score: 5, Interesting

    This bug exists in most Microsoft Software. So for someone to patch they can't simply connect to Windows Update and consider themselves safe, they also have to patch Office, Visual Studio, some Microsoft Games, Server Software (misc, not covered by Update) and more.

    So don't sit there on an SP2 system and consider yourself safe. There is more than likely a whole host of ActiveX controls just waiting to be called and exploited by this bug.

    Also note that some applications written in Visual Basic can also be exploited.

  11. Re:Almost... by enigmals1 · · Score: 5, Insightful

    Switch to Firefox?! Why, what's that gonna do for you? The exploit is in almost every major app Microsoft makes that handles any graphics, including Windows itself, .Net Framework, all Office products, etc.

    People are so quick to blame IE when there's so many other products they can go after. ;)

  12. Re:Almost... by SenseiLeNoir · · Score: 5, Interesting

    This is exactly the problem I fear. All it takes is one spammer/cracker to bulk mail a hundred pictures to random HTML mail accounts (Hotmail, etc.)... and you can see exactly where this is going to lead.

    Also those who use Firefox may not be 100% protected, because consider this scenario.

    1. Install Firefox
    2. Set Firefox as default browser
    3. Use MSN Messenger.
    4. MSN messenger pops up "you have new hotmail"
    5. Click link to see new mail, MSN Messenger opens up in INTERNET EXPLORER despite setting firefox as the default browser.
    6. You are owned.

    I am more concerned that after this, people may even mistakenly criticize Firefox, thinking that Firefox was their default browser, and that they got infected via Firefox, instead of IE.

    "I set up this firefox thingie, and set it as a default browser, yet I still have a virus, by just reading my email. Firefox is just as bad as IE"

    A second attack vector could be to change the mimetype of the JPEG, causing Firefox to download, then open it in the system handler for JPEGS.. and a possibility of being owned that way.

    Still, this may also be very good grounds for a class action against MS, as they are not honouring a user's request NOT to use IE.

    This all goes to prove that MS is a security hole that can even make secure applications appear insecure.

    Ow, my head hurts from thinking of this.. let me get some Paracetamol.

    --
    Have a nice day!
  13. THIS HAS NOT BEEN FIXED, url inside by Anonymous Coward · · Score: 5, Interesting

    http://sylvana.net/test/AP4.jpg

    will crash IE on an updated xp sp2 system.

  14. AutoUpdate not good enuff by DanMc · · Score: 5, Informative
    Autoupdate and Windowsupdate only install a fraction of the patches released for this bug. (Windows OS and IE basically)

    WindowsUpdate does install a "GDI+ Detection Tool", but I have run this tool on systems with unpatched Visual Studio, Outlook, and Office and it does not detect that the patches are missing. I looked at the strings in this tool, and it basically looks like it checks for MS Photo software.

    Manually visiting "officeupdate.microsoft.com" and running those updates will probably cover the most common attack vectors (Outlook, Word), but how many people do this on a regular basis? My users are not admin-level (yet) so they can't use this update site.

    Incidentally, every default configuration of IE/Word I have seen allows DOC files with jpegs to be opened in the browser window with no prompting. It will not be hard to get people to run the exploits, and there's plenty of ways for worms to automate themselves without users opening things.

    I'm working on a script to detect and run the patches (there's about 17 of them for this bug) but it's going to be a while because of the pre-reqs for many of the patches, and the very specific revisions that must match the patch. "If Visio 2002 is installed, detect which Visio SP level is running. If it's SP0 or SP1, run Visio SP2, then reboot, and run GDI patch"...

    Sorry if I'm spreading panic, but this bug sucks.

  15. He knew it... by insac · · Score: 5, Interesting
    When I was in university there was an old professor who assigned us a report to write on the JPEG format with code examples...

    When we were leaving his room he gave us this advice: "Beware the JPEG virus". It was 9 years ago and he was quite old and sometimes he acted/talked nonsense, so we made fun of his advice (we thought: since it was not an executable file, how could it bring a virus): but he was right and we were wrong.

    --
    This message doesn't need a sig