Slashdot Mirror


Image Causes Exploitable Overflow in Microsoft Products

Em Adespoton writes "Core Security researchers discovered that by electing a specially-crafted graphic as the user's display picture in MSN Messenger, an attacker could trigger a buffer overflow vulnerability on the chat partner's computer. Through this, it is possible to covertly take over machines running instant messaging software. Windows Messenger and Windows Media Player are also affected by this vulnerability. The story is also available at Newsfactor.com and SearchSecurity.com."

19 of 291 comments

  1. WHAT THE FUCK?! by Anonymous Coward · · Score: 0, Insightful

    The vonage ad on the page is fucking playing sound, VERY LOUDLY, over my computer speakers! Whoever did that is a fucking asshole!

  2. Still think by Threni · · Score: 3, Insightful

    it's safer using an OS which has less security updates per year than Linux?

  3. Isn't it worth mentioning by apoplectic · · Score: 5, Insightful

    The Slashdot story blurb leaves out that this fix is already available. Certainly, if the fix hadn't already been made available you could count on that tidbit being mentioned....

  4. Already patched? by a_nonamiss · · Score: 2, Insightful

    Am I reading this wrong, or are these exploits for vulnerabilities that are already patched? As much as I love to hate Microsoft, you can't really hold it against them once they've released a patch (even if it is only a number of days after the patch was released.)

    I just need more solid ammunition if I'm going to get in arguments with my Cult-Of-Microsoft coworker zealots.

    --
    -Arthur
    Cave ne ante ullas catapultas ambules

    1. Re:Already patched? by digidave · · Score: 3, Insightful

      the libpng patch was out in August and MS sat on their hands all that time before patching the version they shipped.

      And I bet some independent report will become available claiming that MS patches quicker than OSS because they only acknowledged the libpng bug a few days before releasing the patch.

      --
      The global economy is a great thing until you feel it locally.

  5. Re:but its more secure than linux! by Manip · · Score: 3, Insightful

    1. This has been patched.
    2. GAIM has had exploits patched.
    3. Linux has had exploits patched.
    4. I remember reading people defending Linux by saying that a lot of the distribution patches are not for the OS but instead for tools/apps... Yet you don't hold the same true for Microsoft?
    5. People need to be a little more objective, even on /.
    6. This is old news.

  6. Re:In other news . . by Anonymous Coward · · Score: 0, Insightful

    Proving once again that the first step to jamming your head up your ass is to stick your foot in your mouth.

    Real PHBs can breathe through their ears.

  7. Boring! by ChiralSoftware · · Score: 2, Insightful

    When oh when are we going to learn, you cannot handle untrusted data (data from unknown hosts on the net) using software written with tools that allow dangerous memory access? These exploits have happened once a month for the past twenty years... let's see, in Sendmail, in BIND, in a bunch of browsers, in image processing libraries, in chat programs, in Outlook, on and on. Once a month for TWENTY YEARS! What these vulnerabilities all have in common is that they work on programs written in C. What C has is the ability to overflow buffers because buffers don't know their own size. What the solution is is to only use tools that have safe buffers, where buffer size constraints are enforced at the compiler or execution level. There's no performance penalty inherent in such tools and they make the programmer's job easier. The other component that is needed is a tool-level enforcement that prevents the programmer from directly altering the stack. Finally, all programs should run under the constraints of a capabilities system, so that even if the program is 100% malicious, it can only take actions which are pre-defined by a user. For example a chat program should not have the capability to write sectors on a disk, access network ports beyond its allocated port, execute other code, or write or delete files outside of its directory.

    Until things start getting fixed at the tool and OS level we're going to continue having these types of exploits once a month for the NEXT twenty years. If we don't switch from using C this is going to be the Slashdot headline in 2025: "Vulnerability on Microsoft HoloChat allows attackers to take over your nervous system."

    1. Re:Boring! by jonastullus · · Score: 2, Insightful

      What the solution is is to only use tools that have safe buffers, where buffer size constraints are enforced at the compiler or execution level. There's no performance penalty inherent in such tools and they make the programmer's job easier.

      well, depending on the implementation bounds checking can actually incur quite a noticeable performance penalty for huge arrays! the question is whether you'll accept your image loading .001 seconds longer for the certainty(?) of not getting buffer overflows.

      bounds checking alone will eliminate a huge number of exploits, but will certainly not do away with the issue of general exploitability! there can always be weaknesses in the language implementation (even in the bounds checking at that). but getting rid of buffer overflows would certainly be a huge improvement.

      apart from that, FULL ACK ;-)
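The bounds-checking discipline that the two comments above argue about, as an added example that is not part of the original thread and is not libpng's code (nor the flaw from the story): a PNG chunk walker that checks every file-supplied chunk length against the bytes actually present, and a PLTE chunk against the spec's fixed 768-byte palette limit, before any copy happens. The function names `png_walk_chunks` and `verdict_for_plte` and the constructed test files are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>
/* Added example, not libpng and not the story's actual flaw: a PNG chunk
 * walker that validates every file-supplied length before acting on it. */
#define PLTE_MAX 768 /* 256 entries x 3 bytes: the PNG spec's palette limit */
static const uint8_t png_sig[8] = {137, 'P', 'N', 'G', 13, 10, 26, 10};

/* Big-endian 32-bit read; caller guarantees 4 readable bytes. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns the number of chunks walked, or -1 if any chunk would run past
 * `len` or a PLTE chunk would not fit the fixed-size palette buffer. */
int png_walk_chunks(const uint8_t *buf, size_t len) {
    uint8_t palette[PLTE_MAX]; /* fixed buffer: the classic overflow target */
    size_t off = 8; int n = 0;
    if (len < 8 || memcmp(buf, png_sig, 8) != 0) return -1;
    while (off < len) {
        if (len - off < 12) return -1;           /* length + type + CRC */
        uint32_t clen = be32(buf + off);
        const uint8_t *type = buf + off + 4, *data = buf + off + 8;
        /* Check the untrusted length first; subtracting (not adding) means a
         * huge clen cannot wrap the comparison. */
        if (clen > len - off - 12) return -1;
        if (memcmp(type, "PLTE", 4) == 0) {
            if (clen > PLTE_MAX || clen % 3 != 0) return -1;
            memcpy(palette, data, clen);         /* now provably in bounds */
        }
        off += 12 + (size_t)clen;
        n++;
        if (memcmp(type, "IEND", 4) == 0) break;
    }
    return n;
}

/* Constructed test file: signature, one PLTE whose length field says `claim`
 * while `actual` data bytes really follow, then IEND. CRC fields are left
 * zero; this walker does not check them. Returns the walker's verdict. */
int verdict_for_plte(uint32_t claim, size_t actual) {
    uint8_t file[8 + 12 + 1024 + 12] = {0};
    if (actual > 1024) return -2;
    memcpy(file, png_sig, 8);
    file[8] = (uint8_t)(claim >> 24); file[9] = (uint8_t)(claim >> 16);
    file[10] = (uint8_t)(claim >> 8); file[11] = (uint8_t)claim;
    memcpy(file + 12, "PLTE", 4);
    memcpy(file + 8 + 12 + actual + 4, "IEND", 4);
    return png_walk_chunks(file, 8 + 12 + actual + 12);
}
```

A well-formed file walks two chunks; a length field that overstates the data present, or a palette larger than 768 bytes, is rejected before the copy that an unchecked parser would perform.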

  8. Re:Ah HA! by TheDauthi · · Score: 2, Insightful

    Satan would never lower himself to the level of playing cards with Celine Dion.

  9. Re:They're wrong about PNG by Thud457 · · Score: 1, Insightful

    These bitch-ass "journalists" we have these days don't understand the fuckin' First Amendment, how the hell do you expect them to grasp a more abstract concept like Open Standards?!!!

    B is just a superset of A here.

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  10. HAHAHAH GRABOULOUS! by Thud457 · · Score: 2, Insightful

    So Microsoft's use of FOSS directly led to this problem? The mind boggles at the interpretations people will draw from that!!!

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  11. Re:once upon a time... by t_allardyce · · Score: 4, Insightful

    He should have said 'oh, and if you pay me anything -- anything less than $300,000 for this fix, you might as well look for a new job too, and a good PR team to cover up the leak i spill.'

    --
    This comment does not represent the views or opinions of the user.

  12. At least... by jd · · Score: 2, Insightful

    ...it's not the JPEG flaw again. If they'd fixed it in one place, but left it broken in another, it would be pretty bad. Well, mind you, this is still pretty bad. MS' PNG library has been stale for some time, which is why PNGs don't always show correctly on IE. Stale code won't develop new bugs, that is true, but it isn't being checked for old bugs either.

    This is not the only MS security flaw under review, at the moment. It was shown recently that MS Office documents are weakly encrypted using the password directly. It has been shown that there is a way of recovering the key in a relatively short timeframe if you have two versions of the same file. (This isn't actually too hard to achieve, as most people keep backups.)

    Instead of boasting how they've "only" released a few mega-patches over the last year, Microsoft really needs to sit down and do a thorough code audit. Hell, if that would be too expensive, just run the standard libraries through "splint" or the Stanford Code Validator. Even if Microsoft were to just fix those bugs one of those code auditing tools reported, I flat-out guarantee confidence in the security of their products will increase far beyond their wildest imagination.

    The problem is neither inevitable nor insoluble. And boasting about Windows over Linux eliminates neither the problem nor the growing awareness of it. Addressing the problem, with a firm determination, would.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)

  13. Re:6 months to patch a known vulnerability by wolf31o2 · · Score: 2, Insightful

    That's because Microsoft software is more secure than Linux. They were just waiting for the right time to release the patch, that's all. Yeah...

  14. Re:Already fixed by stinky+wizzleteats · · Score: 4, Insightful

    After RTFMing, this problem has been known since August of last year

    I RTFMed, too. Seems like vulnerability was fixed in August of last year by Gentoo, Red Hat, and Mandrake.

    Nothing compares MS security to that of the rest of the world better than seeing how they fix the same damn vulnerability. Let this be a lesson to you. Never astroturf with facts. A quality 'turf would have been to say: "Yes, but Linux has a history of at least three times as many security problems with PNG as Microsoft"

  15. Re:Before anyone goes off bashing MS... by Anonymous Coward · · Score: 1, Insightful

    Maybe because they were scared they might accidentally introduce 24-bit PNG with 8-bit transparency support into the system, and they wouldn't want to be seen to be making things better.

  16. Re:They're wrong about PNG by Trillan · · Score: 2, Insightful

    Microsoft wrote LibPNG?

  17. Re:Where are the Cherubs? by The+Tyrant · · Score: 2, Insightful

    We also have audio viri... next time you're in a university lecture or open plan office, try quietly humming Tetris tune B, after a while, stop, and it's nearly guaranteed someone else will pick it up and carry on without even being consciously aware of it.

    Yes, I've tried it, many times, yes it works, no you don't have to believe me, try yourself.