Image Handling Flaw Puts Windows At Risk

An anonymous reader writes "Microsoft has released word that several image handling flaws may open Windows PCs to spyware or viruses. From the article: 'We will continue to see this type of vulnerability in every major application for the foreseeable future ... It is not just images, but any type of complex file format. This is something that security researchers and hackers have realized to be a weak point in many applications.'"


  1. Guy is from Internet Security Systems by badriram · Score: 3, Informative

    Internet Security Systems != Microsoft.

    This has nothing really to do with IE. IE here just happens to be a vector. If FF on Windows depended on those libraries to display those image formats, it would be vulnerable as well.

  2. Re:MSN Messenger felled by this months ago by webzone · Score: 5, Informative

    The current flaw affects WMF (Windows Metafile) and EMF (Enhanced Metafile) file formats only. This is not the same thing as any JPEG- or PNG-related vulnerability.

  3. Re:Critical Bug? by shmlco · Score: 3, Informative

    Of course, we also have recent announcements of imaging bugs and vulnerabilities in Apple's QuickTime that can allow machines to be hijacked. As such, I gather *nix systems can and do have similar problems.

    --
    Any sect, cult, or religion will legislate its creed into law if it acquires the political power to do so.

  4. Re:Time to switch to Macintosh by evw · Score: 5, Informative

    You're confusing exploits with vulnerabilities. There have been plenty of vulnerabilities or haven't you been following all the security updates?

    List of security updates for Mac OS X

    Take for example Security Update 2005-008

    This update includes the following components:

    ImageIO
    LibSystem
    Mail
    QuickDraw
    Ruby
    SecurityAgent
    securityd

    Hmm. A security update that touches the ImageIO library?

    p.s. before you flame/mod me into oblivion, I'm a happy Mac OS X user. Yes, Windows has way more bugs and a much worse security record. Is OS X invulnerable? No.

  5. Ironic. 9x not affected. by Tackhead · Score: 3, Informative

    > Just imagine, every Windows 98 computer out there probably has this problem too,

    Ironic.

    Non-Affected Software:
    Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)

    - MS05-053 security bulletin

    The usual MS obfuscation for "because we don't support 9x anymore, by definition there are no critical updates for 9x" is to state that 9x is "Not Critically Affected", with a URL to a page that defines "critically affected" in such a way as to exclude 9x.

    "Not Affected", as claimed in MS05-053, is a stronger claim. That's not to say there aren't similar bugs in image-handling in 9x; only that the hole in this notice probably doesn't affect 9x.

  6. Re:Time to switch to Macintosh by PsychicX · Score: 3, Informative

    Normally I'd point out that if MS actually used third party libs for things like PNG and JPEG, they wouldn't have these problems (no more than anyone else, anyway). But since this applies to metafile bitmaps, which basically nobody uses, there's nothing to be done.

  7. Re:What the hell is it about buffer overflows? by HermanAB · Score: 3, Informative

    The main cause is the C string operators, which traditionally use null-terminated strings. So the potential length of a string is unlimited. In Linux, functions like gets() are (have been) phased out in favour of getsn(), which has an explicit length:
    int getsn(char *cp, int size);

    This has been a huge effort executed using automated search methods and hand coding, to vet enormous amounts of Free code. Consequently the quality of GNU systems has improved dramatically, while the same cannot be said for MS code.

    The problem is that if you overflow a buffer defined on the processor stack, then you can force a new return address into the Program Counter when a routine exits, thus giving the attacker control over the next piece of code to execute. This piece of code is typically part of the string that was used to overflow the buffer.

    --
    Oh well, what the hell...
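The defensive side of the point made in comment 7 and in the article's remark about complex file formats is that every length a parser reads from the file is untrusted and the copy it drives must carry an explicit bound. The following is an added example, not code from the thread or from any Microsoft library, and it parses a constructed length-prefixed record format (not the real WMF/EMF layout) with the checks a metafile-style parser needs.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed record format (hypothetical, not WMF/EMF): each record is a
 * 2-byte little-endian length covering the whole record, a 1-byte type,
 * then the payload. Every length field comes from the file, so it is
 * untrusted input. */
#define MAX_PAYLOAD 16

struct record {
    uint8_t type;
    uint8_t payload[MAX_PAYLOAD];
    size_t len;
};

/* Returns the number of records parsed, or -1 on malformed input. The
 * memcpy is always bounded by MAX_PAYLOAD and by the bytes that actually
 * remain in the buffer, never by the length field alone. */
int parse_records(const uint8_t *buf, size_t buflen,
                  struct record *out, size_t max_out)
{
    size_t off = 0, n = 0;
    while (off < buflen) {
        if (buflen - off < 3) return -1;            /* truncated header */
        size_t reclen = buf[off] | ((size_t)buf[off + 1] << 8);
        /* reclen must cover its own header and fit in what remains;
         * comparing against buflen - off avoids an off + reclen overflow */
        if (reclen < 3 || reclen > buflen - off) return -1;
        size_t plen = reclen - 3;
        if (plen > MAX_PAYLOAD) return -1;          /* explicit copy bound */
        if (n >= max_out) return -1;                /* output array full */
        out[n].type = buf[off + 2];
        memcpy(out[n].payload, buf + off + 3, plen);
        out[n].len = plen;
        n++;
        off += reclen;
    }
    return (int)n;
}

/* Constructed sample: two well-formed records ("abc", then empty). */
static const uint8_t good[] = { 0x06,0x00, 0x01, 'a','b','c', 0x03,0x00, 0x02 };
/* Constructed sample: length field claims 0x1000 bytes but only 5 exist. */
static const uint8_t bad[]  = { 0x00,0x10, 0x01, 'a','b' };

int parse_good(void) { struct record r[4]; return parse_records(good, sizeof good, r, 4); }
int parse_bad(void)  { struct record r[4]; return parse_records(bad,  sizeof bad,  r, 4); }
```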