Slashdot Mirror


Image Causes Exploitable Overflow in Microsoft Products

Em Adespoton writes "Core Security researchers discovered that by electing a specially-crafted graphic as the user's display picture in MSN Messenger, an attacker could trigger a buffer overflow vulnerability on the chat partner's computer. Through this, it is possible to covertly take over machines running instant messaging software. Windows Messenger and Windows Media Player are also affected by this vulnerability. The story is also available at Newsfactor.com and SearchSecurity.com."

66 of 291 comments

  1. MS loss... by LazyPhoenix · · Score: 5, Funny

    Microsoft's loss is my GAIM.

    ha.

  2. Where are the Cherubs? by Speare · · Score: 5, Interesting

    I think I heard of this method of attack in a security book I read once. Where the image of an avatar's identification turned out to be a computer-infecting virus. Oh, wait, it was a novel. "Snow Crash" by Neal Stephenson.

    --
    [ .sig file not found ]
    1. Re:Where are the Cherubs? by br0ck · · Score: 2, Informative

      ??SPOILER?? Cheers for trying to make this exploit fit the story, but unless I'm forgetting something, it wasn't the avatar doing the infecting. It was an assassin killing key hackers within the metaverse. The attacker showed a screen to intended victims which displayed 'snow'--like a TV tuned with no signal--which contained a message that crashed the victim's brain, turning them into a useless vegetable. More Info

    2. Re: Where are the Cherubs? by Black+Parrot · · Score: 2, Funny


      > Never read Snow Crash, but the proper pluralization of cherub is cherubim. (::seraph:seraphim::nephil:nephilim, etc.)

      ::virus:viriim:: ?

      --
      Sheesh, evil *and* a jerk. -- Jade
    3. Re:Where are the Cherubs? by ultranova · · Score: 2, Interesting

      > The images wouldn't only affect your computer, but your brain as well. I hope virus writers never figure that one out!

      Don't worry; after a lifetime of constant exposure to ads, it would take one hell of a picture virus to even make you sneeze :).

      Seriously: the purpose of ads is to reprogram our behaviour, either permanently or temporarily. They do this by exploiting various psychological weaknesses of human minds - such as the need to associate with (imitate) what is perceived as successful people, the need to take care of children (add a little kid to the ad and the viewer becomes far more vulnerable), the fear of growing old and unwillingness to give up youth, etc. These can certainly be classified as "unchecked input" bugs: they (try to) bypass rational thinking to make the viewer associate something positive with the product being advertised.

      Fortunately, the human brain has shown itself to be self-calibrating; after being deceived once or twice (or twenty times), it develops the firewall of cynicism. However, if we ever develop artificial intelligence, I truly feel sorry for any robots produced by Microsoft ;).

      So in short, don't worry about the picture-based brain viruses; they exist right now, are called ads, and human beings are capable of developing resistance against them.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    4. Re:Where are the Cherubs? by k96822 · · Score: 2, Funny

      > However, if we ever develop artificial intelligence, I truly feel sorry for any robots produced by Microsoft ;).

      Oh, that's just peachy. An army of Microsoft Robots (TM), all with their security holes, easily programmed to destroy humanity. Good thing they won't work long enough before a reboot to do too much damage!

    5. Re:Where are the Cherubs? by Dr+Caleb · · Score: 2, Funny

      > The images wouldn't only affect your computer, but your brain as well.

      So instead of Cherubs, they have Tub Girl.

      Did I really just write that? :P

      --
      "History doesn't repeat itself, but it does rhyme." Mark Twain
    6. Re:Where are the Cherubs? by The+Tyrant · · Score: 2, Insightful

      We also have audio viri... next time you're in a university lecture or open plan office, try quietly humming Tetris tune B, after a while, stop, and it's nearly guaranteed someone else will pick it up and carry on without even being consciously aware of it.

      Yes, I've tried it, many times, yes it works, no you don't have to believe me, try yourself.

  3. Article left out significant information... by bigtallmofo · · Score: 4, Funny

    Animated pictures of shiny pocketwatches moving back and forth were found to be the most effective at taking control of other people's computers.

    --
    I'm a big tall mofo.
  4. Still think by Threni · · Score: 3, Insightful

    it's safer using an OS which has less security updates per year than Linux?

    1. Re:Still think by Anonymous Coward · · Score: 3, Funny

      Don't worry, I've sent everyone the patch via a .png file.

  5. Already fixed by dreamt · · Score: 4, Informative

    After RTFMing, this was part of this week's Microsoft patches.

    1. Re:Already fixed by stinky+wizzleteats · · Score: 4, Insightful

      After RTFMing, this problem has been known since August of last year

      I RTFMed, too. Seems like the vulnerability was fixed in August of last year by Gentoo, Red Hat, and Mandrake.

      Nothing compares MS security to that of the rest of the world better than seeing how they fix the same damn vulnerability. Let this be a lesson to you. Never astroturf with facts. A quality 'turf would have been to say: "Yes, but Linux has a history of at least three times as many security problems with PNG as Microsoft"

  6. MS Security Chief Says Windows is Safer Than Linux by hoggoth · · Score: 4, Funny

    Hello? Didn't you get the memo?

    MS Security Chief Says Windows is Safer Than Linux

    Now stop trying to spread FUD.

    --
    - For the complete works of Shakespeare: cat /dev/random (may take some time)
  7. What??? by Jeffery · · Score: 2, Funny

    I can't believe that.. but I love all my Microsoft products.. they must be wrong, Microsoft doesn't have security flaws!! and my MSN Messenger is totally safe, and all my WMA and WMV files are so totally secure! /sarcasm

    --
    President Bush Supporter
    1. Re:What??? by hoggoth · · Score: 4, Funny

      Phwew. I was about to go BALLISTIC on your post... but then thank goodness I saw the '/sarcasm' at the end. I mean, I was stoked up to spew some hellfire on you for your outrageous statements. They seemed... almost... too extreme to believe. Now that I see you clearly labelled it as 'sarcasm' I took a step back, and I'm cooling off. Shaking my arms, letting the anger go.

      Good thing you clearly labelled it as sarcasm.

      'cause otherwise I wouldn't have known.

      Really good sarcasm, too.

      Got me, there.

      Phwew.

      --
      - For the complete works of Shakespeare: cat /dev/random (may take some time)
  8. Bill Gates by kai.chan · · Score: 3, Funny

    If only I had Bill Gates' MSN . . .

  9. Re:Worst internet worm ever? by PapaBoojum · · Score: 5, Funny

    By spreading to everyone in your buddy list, a worm based on this exploit could infect 90% of the world in a couple hours.

    I'm doing my part. I don't have any friends.

  10. In other news... by Dutchmaan · · Score: 2, Funny

    IT: MS Security Chief Says Windows is Safer Than Linux....

  11. Re:That's genius... by robslimo · · Score: 5, Informative

    Is this one at all related to the previous image library flaws (the vulnerability for which the GDI detection tool was released to identify any Windows apps that were affected)?

    Oh, wait, I think I found it! A patch was released for PNG processing flaws on Tuesday this week; among the affected software: Microsoft MSN Messenger.

  12. Am I the only one by mr.newt · · Score: 2, Funny

    who finds it funny that the Google ads for the article show an advert for MSN Messenger?

  13. Question by Spy+der+Mann · · Score: 3, Interesting

    Is this why today my MSN asked me to upgrade to a new version? Or is the new version still vulnerable to this? I'm using version 6.2.0205

  14. This is the picture... by Anonymous Coward · · Score: 3, Funny

    http://blog.monkeymethods.org/images/billgates01.jpg Enough to make any buffer quit really...

    1. Re:This is the picture... by quanticle · · Score: 2, Funny

      This pic caused a buffer overflow in my mind...

      --
      We all know what to do, but we don't know how to get re-elected once we have done it
  15. Re:MS Security Chief Says Windows is Safer Than Li by Leknor · · Score: 2, Interesting

    Anyone ever done a study to determine the mean time between when MS claims their products are secure and when the next exploit is announced?

  16. Stupid question: by JayJay.br · · Score: 3, Interesting

    Looks like the problem is with PNG handling. Could it be then exploited through web pages? Or is it only the use those applications make of the format?

    1. Re:Stupid question: by pavon · · Score: 2, Informative

      Yes, the flaw is actually in the open source library libpng. It was discovered and fixed back in August. Any application that uses an old version of this library is affected. This included Mozilla and Firefox, which both released fixed versions within a day of the libpng patch. Internet Explorer is not affected by this exploit as it does not use libpng.

  17. Re:That's genius... by dsginter · · Score: 4, Funny

    A friend of mine used the goatse image for his MSN person icon and I had a buffer overflow of my own.

    When did I ever eat corn?

    --
    More
  18. Ah HA! by MrFreshly · · Score: 5, Funny

    The image that triggers it is an inverted picture of Bill Gates playing cards with Saddam, Satan, and Celine Dion.

    1. Re:Ah HA! by TheDauthi · · Score: 2, Insightful

      Satan would never lower himself to the level of playing cards with Celine Dion.

  19. Defeating the Borg? by bokmann · · Score: 4, Funny

    Isn't this the same technique Geordi La Forge came up with for introducing a virus into the Borg collective? Remember Hugh?

    Maybe the image of Bill Gates-as-Borg was a little more prophetic than we all realized.

    1. Re:Defeating the Borg? by Swamii · · Score: 4, Funny

      Yawn. I don't know about a virus, but you've just put me to sleep like Data did to the Borg in episode 128 where he issues a low-priority regeneration command to the Borg collective and then they revive Captain Picard who was actually named Locutus of Borg when he was merged into the Borg identity as he was captured on the Borg Cube after a mission of reconnaissance in the ... zzzzzzzz

      --
      Tech, life, family, faith: Give me a visit
  20. *Proprietary* Network Graphic? by TomorrowPlusX · · Score: 4, Funny

    What? I thought all this time they were *Portable* Network Graphics. Well, the article says "Proprietary" so they must be right.

    --

    lorem ipsum, dolor sit amet
  21. They're wrong about PNG by BluhDeBluh · · Score: 5, Informative

    They've said that PNG stands for "Proprietary Network Graphics". In fact, this is very wrong - it's not proprietary at all. The idea of the format is that it _ISN'T_ proprietary - it's free as in speech, free as in beer, free as in patents.

    PNG really stands for Portable Network Graphics. And I hope that people don't get confused and start blaming the PNG file format for a bug that is MS's fault.

    1. Re:They're wrong about PNG by Trillan · · Score: 2, Insightful

      Microsoft wrote LibPNG?

  22. Before anyone goes off bashing MS... by k98sven · · Score: 5, Informative

    Perhaps one should take note that this overflow bug is not in MS code, but in the open-source LibPNG, which MS used.

    And it's also included in most Linux distros.

    If MS is to blame, it's for their lousy reaction speed. This vulnerability has been known for months.

    1. Re:Before anyone goes off bashing MS... by Nintendork · · Score: 4, Interesting
      I just verified this and you're right. Here's some info on the vulnerability.

      I wonder though why Microsoft didn't update to a newer version of libPNG when the vulnerability was addressed last August.

      -Lucas

  23. Isn't it worth mentioning by apoplectic · · Score: 5, Insightful

    The Slashdot story blurb leaves out that this fix is already available. Certainly, if the fix hadn't already been made available you could count on that tidbit being mentioned....

  24. I think I understand Windows users now... by crazyphilman · · Score: 4, Funny

    I used to struggle with the "why do they keep using it, when there are so many (much better) alternatives" question. I see now how silly my confusion was. It's all so clear...

    Windows... Is a video game!

    Sure, think about it. Can you hack your friend Billy's computer before he hacks yours while you chat online? The suspense must be very exciting. Who has the better Script? Who has the better collection of vulnerabilities?

    It must be almost like playing Magic: The Gathering, or one of the other card games kids are into now. "My hack trumps yours! I get all your pr0n!"

    Suddenly I feel very boring. Sigh... It's okay, Slackware, I love you even IF you're secure. I'll just have to settle for being Rudolph, and not play in any Reindeer Games.

    Oh! Look! My Microwave just beeped! Pea Soup!

    Mmmm!

    --
    Farewell! It's been a fine buncha years!
  25. The exploit..... by FreshlyShornBalls · · Score: 5, Informative

    .....is already out.

    --
    This space intentionally left blank.
  26. Already patched? by a_nonamiss · · Score: 2, Insightful

    Am I reading this wrong, or are these exploits for vulnerabilities that are already patched? As much as I love to hate Microsoft, you can't really hold it against them once they've released a patch (even if it is only a number of days after the patch was released.)

    I just need more solid ammunition if I'm going to get in arguments with my Cult-Of-Microsoft coworker zealots.

    --
    -Arthur
    Cave ne ante ullas catapultas ambules
    1. Re:Already patched? by digidave · · Score: 3, Insightful

      the libpng patch was out in August and MS sat on their hands all that time before patching the version they shipped.

      And I bet some independent report will become available claiming that MS patches quicker than OSS because they only acknowledged the libpng bug a few days before releasing the patch.

      --
      The global economy is a great thing until you feel it locally.
  27. End user ease of use... by BrynM · · Score: 2, Interesting

    Use Microsoft's simple instructions to remove messenger. Glad they made it so point-and-click for those end users!</sarcasm>They obfuscated it because Messenger is such an important part of the lock-i... er operating system. Never mind that editing your registry may void your tech support, destroy your install, burn your clothes, hit your dog. I guess I'll be getting more calls from my family if disabling Messenger gets recommended in the press. Whenever they see that "Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk." they ask me to fix it. I guess I should put together a .reg and a .vbs file for them now.

    --
    US Democracy:The best person for the job (among These pre-selected choices...)
  28. From TFA: Proprietary Network Graphics (PNG)!?! by denis-The-menace · · Score: 3, Informative

    God damned stupid people!
    It's Portable Network Graphics
    http://en.wikipedia.org/wiki/Png

    --
    Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
    1. Re:From TFA: Proprietary Network Graphics (PNG)!?! by iggymanz · · Score: 4, Funny

      no, it's Pornographic Network Graphics, your definition is just a smoke screen so the religious right doesn't get all fired up

  29. Re:but its more secure than linux! by Manip · · Score: 3, Insightful

    1. This has been patched.
    2. GAIM has had exploits patched.
    3. Linux has had exploits patched.
    4. I remember reading people defending Linux by saying that a lot of the distribution patches are not for the OS but instead for tools/apps... Yet you don't hold the same true for Microsoft?
    5. People need to be a little more objective, even on /.
    6. This is old news.

  30. Re:When will this stop being "news?" by Strudelkugel · · Score: 4, Informative

    The patch was released on Feb 8, the story comes out on Feb 11. Right, not much to see here.

    Maybe the RAF has a big PowerPoint that's of interest on web server somewhere...

    --
    Imagine how much harder physics would be if electrons had feelings! -Feynman, maybe
  31. 6 months to patch a known vulnerability by hweimer · · Score: 4, Informative

    The vulnerability is described in MS05-009 which refers to CAN-2004-0597. This is a buffer overflow in libpng which was fixed in early August last year. So Microsoft needed six months to fix a publicly known vulnerability.

    --
    OS Reviews: Free and Open Source Software
    1. Re:6 months to patch a known vulnerability by wolf31o2 · · Score: 2, Insightful

      That's because Microsoft software is more secure than Linux. They were just waiting for the right time to release the patch, that's all. Yeah...

  32. Re:MS Security Chief Says Windows is Safer Than Li by BrynM · · Score: 4, Funny

    > Anyone ever done a study to determine the mean time between when MS claims their products are secure and when the next exploit is announced?

    Measuring negative time is moot.
    --
    US Democracy:The best person for the job (among These pre-selected choices...)
  33. Bad Image Causes Exploitable Overflow by Anonymous Coward · · Score: 2, Funny

    Exploitable Overflows Cause Bad Image

    (A day like every day in Redmond)

  34. Re:but its more secure than linux! by TFGeditor · · Score: 4, Interesting

    But, have you ever tried to uninstall MS Messenger? http://www.theregister.co.uk/2002/04/02/windows_messenger_trojan_update/

    Those not blessed with geekiness cannot do it, so are stuck.

    --
    Ignorance is curable, stupid is forever.
  35. Boring! by ChiralSoftware · · Score: 2, Insightful
    When oh when are we going to learn, you cannot handle untrusted data (data from unknown hosts on the net) using software written with tools that allow dangerous memory access? These exploits have happened once a month for the past twenty years... let's see, in Sendmail, in BIND, in a bunch of browsers, in image processing libraries, in chat programs, in Outlook, on and on. Once a month for TWENTY YEARS! What these vulnerabilities all have in common is that they work on programs written in C. What C has is the ability to overflow buffers because buffers don't know their own size. What the solution is is to only use tools that have safe buffers, where buffer size constraints are enforced at the compiler or execution level. There's no performance penalty inherent in such tools and they make the programmer's job easier. The other component that is needed is a tool-level enforcement that prevents the programmer from directly altering the stack. Finally, all programs should run under the constraints of a capabilities system, so that even if the program is 100% malicious, it can only take actions which are pre-defined by a user. For example a chat program should not have the capability to write sectors on a disk, access network ports beyond its allocated port, execute other code, or write or delete files outside of its directory.

    Until things start getting fixed at the tool and OS level we're going to continue having these types of exploits once a month for the NEXT twenty years. If we don't switch from using C this is going to be the Slashdot headline in 2025: "Vulnerability on Microsoft HoloChat allows attackers to take over your nervous system."

    1. Re:Boring! by jonastullus · · Score: 2, Insightful

      > What the solution is is to only use tools that have safe buffers, where buffer size constraints are enforced at the compiler or execution level. There's no performance penalty inherent in such tools and they make the programmer's job easier.

      well, depending on the implementation bounds checking can actually incur quite a noticeable performance penalty for huge arrays! the question is whether you'll accept your image loading .001 seconds longer for the certainty(?) of not getting buffer overflows.

      bounds checking alone will eliminate a huge number of exploits, but will certainly not do away with the issue of general exploitability! there can always be weaknesses in the language implementation (even in the bounds checking at that). but getting rid of buffer overflows would certainly be a huge improvement.

      apart from that, FULL ACK ;-)
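
The three technical threads above (pavon's note that the flaw is in libpng, hweimer's pointer to the libpng buffer overflow behind MS05-009, and the ChiralSoftware/jonastullus exchange about bounds checking) all come down to one pattern: a length field read from the file being used as a copy size without being checked against the buffer it is copied into. The following is an added example, not code from the thread, from libpng or from Microsoft, and it does not reproduce the specific CAN-2004-0597 defect. It only borrows the real PNG chunk framing (4-byte big-endian length, 4-byte type, data, 4-byte CRC); the toy `struct chunk`, its 32-byte data capacity and the test vectors are constructed for illustration. It shows the unchecked reader next to the checked one and the three conditions the checked one enforces.

```c
/* Added example (not from the thread, libpng or Microsoft): a toy PNG-style
 * chunk reader in the two styles the thread argues about. A PNG chunk is a
 * 4-byte big-endian length, a 4-byte type, `length` bytes of data and a
 * 4-byte CRC (the CRC is ignored here). The destination struct and its
 * 32-byte limit are constructed for the example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_DATA_MAX 32   /* fixed-size destination, like a stack buffer */

struct chunk {
    char     type[5];
    uint32_t length;
    uint8_t  data[CHUNK_DATA_MAX];
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unchecked: the length from the file is used directly as the copy size.
 * A length above CHUNK_DATA_MAX writes past out->data, and a length above
 * what the input holds reads past the end as well. Kept for contrast only;
 * it is never given anything but a well-formed chunk below. */
int read_chunk_unchecked(const uint8_t *in, size_t in_len, struct chunk *out) {
    (void)in_len;                              /* the bug: in_len is ignored */
    out->length = be32(in);
    memcpy(out->type, in + 4, 4);
    out->type[4] = '\0';
    memcpy(out->data, in + 8, out->length);    /* no bound on out->length */
    return 0;
}

/* Checked: validate the header is present, that the claimed length fits
 * the destination, and that the claimed data (plus CRC) is actually present
 * in the input. Returns 0 on success, -1 on a malformed chunk. */
int read_chunk_checked(const uint8_t *in, size_t in_len, struct chunk *out) {
    if (in_len < 12)                     /* length + type + CRC at minimum */
        return -1;
    uint32_t len = be32(in);
    if (len > CHUNK_DATA_MAX)            /* destination capacity */
        return -1;
    if ((size_t)len > in_len - 12)       /* data + CRC must fit in the input */
        return -1;                       /* (in_len >= 12 so no wraparound) */
    out->length = len;
    memcpy(out->type, in + 4, 4);
    out->type[4] = '\0';
    memcpy(out->data, in + 8, len);
    return 0;
}

/* Constructed test vectors (CRC bytes are zero and not verified). */
static const uint8_t good_chunk[] = {            /* length 4, 4 data bytes */
    0x00,0x00,0x00,0x04, 't','E','X','t', 'a','b','c','d', 0,0,0,0 };
static const uint8_t oversized_chunk[] = {       /* length 65536 */
    0x00,0x01,0x00,0x00, 't','E','X','t', 'a','b','c','d', 0,0,0,0 };
static const uint8_t truncated_chunk[] = {       /* length 16, 2 data bytes */
    0x00,0x00,0x00,0x10, 't','E','X','t', 'a','b', 0,0,0,0 };

/* Each demo returns the checked reader's verdict (or 1 if the parsed
 * fields match what the vector encodes). */
int demo_good(void) {
    struct chunk c;
    if (read_chunk_checked(good_chunk, sizeof good_chunk, &c) != 0) return 0;
    return c.length == 4 && strcmp(c.type, "tEXt") == 0 &&
           memcmp(c.data, "abcd", 4) == 0;
}
int demo_unchecked_good(void) {   /* unchecked reader on well-formed input */
    struct chunk c;
    if (read_chunk_unchecked(good_chunk, sizeof good_chunk, &c) != 0) return 0;
    return c.length == 4 && strcmp(c.type, "tEXt") == 0;
}
int demo_oversized(void) {
    struct chunk c;
    return read_chunk_checked(oversized_chunk, sizeof oversized_chunk, &c);
}
int demo_truncated(void) {
    struct chunk c;
    return read_chunk_checked(truncated_chunk, sizeof truncated_chunk, &c);
}

int main(void) {
    printf("good chunk parsed:        %d\n", demo_good());       /* 1 */
    printf("oversized chunk rejected: %d\n", demo_oversized());  /* -1 */
    printf("truncated chunk rejected: %d\n", demo_truncated());  /* -1 */
    return 0;
}
```

The checked reader is what a language with bounds-checked buffers gives you for free; in C it has to be written by hand at every copy, which is why the same defect recurs in parser after parser. On jonastullus's performance point: the cost here is three integer compares per chunk, which is noise next to the copy and the decompression that follow, and the third check (data actually present) also catches truncated files that would otherwise be read past their end.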

  36. once upon a time... by ultramk · · Score: 5, Interesting

    a friend of mine used to work for MS on a version of IE... one bug they were trying to track down involved jpg (or was it gif) images of a certain--very large--dimension that could in some circumstances cause boot-block overwrite on the boot drive as it was being cached... (this was a few years back...)

    when this bug was being discussed in a meeting, the first thing that was said was something to the effect of "oh, and if you tell anybody--anybody--about this, you might as well look for a new job at the same time, and a good lawyer."

    of course, this was a few years ago, and from what i understand it was fixed right away, but still...

    m-

    --
    You catch enchiladas by picking them up behind the head and holding them underwater until they don't kick anymore -VeGas
    1. Re:once upon a time... by t_allardyce · · Score: 4, Insightful

      He should have said 'oh, and if you pay me anything -- anything less than $300,000 for this fix, you might as well look for a new job too, and a good PR team to cover up the leak i spill.'

      --
      This comment does not represent the views or opinions of the user.
  37. Remember that this "exploit" doesn't count by Corellon+Larethian · · Score: 2, Informative

    Against Windows, because Messenger isn't part of the "core" functionality of Windows.

    However...

    The mailman exploit counts against Redhat Enterprise, because it ships with the distribution.

    (just squint really hard, and you'll be able to clearly see what I'm talking about)

  38. HAHAHAH GRABOULOUS! by Thud457 · · Score: 2, Insightful

    So Microsoft's use of FOSS directly led to this problem? The mind boggles at the interpretations people will draw from that!!!

    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  39. Removing MSN Messenger doesn't actually remove it by EnronHaliburton2004 · · Score: 4, Interesting

    So anyone else notice that if you remove MSN Messenger and Outlook Express via the Control Panel's "Add/Remove Programs", the programs aren't actually removed from "C:\Program Files\Messenger" and "C:\Program Files\Outlook Express" ?

    WindowsUpdate still asks you to install patches for Messenger and OE, even though they are supposedly "uninstalled".

    IE still sometimes shows a Messenger icon on one of the toolbars.

    I still occasionally find the MSN Messenger icon in the status tray, even though it is supposedly "uninstalled", and the users on my network aren't smart enough to run MSN Messenger from the commandline.

    What gives?

  40. Re:Removing MSN Messenger doesn't actually remove by MrP-(at+work) · · Score: 5, Informative
    Yeah that never uninstalls it

      You have to manually call the uninstall section of the MSN Messenger INF file.. I've done it so many times I type it from memory..

      Go to Start > Run, and type
      rundll32 advpack.dll,LaunchINFSection %windir%\inf\msmsgs.inf,BLC.Remove
      Make sure MSN Messenger is closed first so it won't error when it unregisters the DLL files.
    --
    [an error occurred while processing this directive]
  41. At least... by jd · · Score: 2, Insightful
    ...it's not the JPEG flaw again. If they'd fixed it in one place, but left it broken in another, it would be pretty bad. Well, mind you, this is still pretty bad. MS' PNG library has been stale for some time, which is why PNGs don't always show correctly on IE. Stale code won't develop new bugs, that is true, but it isn't being checked for old bugs either.


    This is not the only MS security flaw under review, at the moment. It was shown recently that MS Office documents are weakly encrypted using the password directly. It has been shown that there is a way of recovering the key in a relatively short timeframe if you have two versions of the same file. (This isn't actually too hard to achieve, as most people keep backups.)


    Instead of boasting how they've "only" released a few mega-patches over the last year, Microsoft really needs to sit down and do a thorough code audit. Hell, if that would be too expensive, just run the standard libraries through "splint" or the Stanford Code Validator. Even if Microsoft were to just fix the bugs one of those code auditing tools reported, I flat-out guarantee confidence in the security of their products will increase far beyond their wildest imagination.


    The problem is neither inevitable nor insoluble. And boasting about Windows over Linux eliminates neither the problem nor the growing awareness of it. Addressing the problem, with a firm determination, would.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  42. Re:MS Security Chief Says Windows is Safer Than Li by XMyth · · Score: 3, Funny

    I don't think you understand.

    1. Claim Linux is more secure than windows.
    2. Someone finds exploit in Linux
    3. Cry FUD
    4. Profit

  43. Re:Start the clock by jerw134 · · Score: 2

    One of those 12 security patches was for... wait for it... this problem! You can stop your clock now.

  44. Re:but its more secure than linux! by jproudfo · · Score: 2, Interesting

    ...which was patched on Tuesday. IMHO, that qualifies as old news.

  45. Re:but its more secure than linux! by joeljkp · · Score: 2, Informative

    To add some sanity to this discussion, here are some facts:

    The MS bulletin and patch: http://www.microsoft.com/technet/security/Bulletin/MS05-009.mspx

    It's a vulnerability in libpng that was just patched by MS Tuesday, but was fixed by everyone else when it was discovered last June.

    --
    WeRelate.org - wiki-based genealogy
  46. Re:Talk about Timing! by joeljkp · · Score: 2, Informative

    You're not making any sense. The issue was with libpng, which is used by pretty much every image-capable platform in existence. Everyone else patched it when it was discovered last summer, though.

    The real question to ask is "Why did it take MS so long to remember it had used a vulnerable version in MSN Messenger?"

    --
    WeRelate.org - wiki-based genealogy