Image Handling Flaw Puts Windows At Risk
An anonymous reader writes "Microsoft has released word that several image handling flaws may open Windows PCs to Spyware or viruses. From the article: 'We will continue to see this type of vulnerabilities in every major application for the foreseeable future ... It is not just images, but any type of complex file format. This is something that security researchers and hackers have realized to be a weak point in many applications.'"
Both jpg and png were flawed in Windows, MSN Messenger, and even other image apps by a buffer overflow exploit where a specially crafted jpeg file with a virus "attachment" would crash the program and execute virus code. I have to agree that if they are still finding flaws, we'll be stuck with them for a while. Just imagine, every Windows 98 computer out there probably has this problem too, and there's no way it's going to be really fixed. It will never be safe to run even "safe" things like jpg and mp3 on old computers now. It's very, very disappointing news.
In a Messenger program that is always accepting new input in the form of pictures and messages, it's especially dangerous because anyone who's online will instantly become a zombie spewing out infection to their friends on their contact list. You really will get viruses through your personal contacts more than spamming-strangers in the future.
Saskboy's blog is good. 9 out of 10 dentists agree.
When writing a parser (for a graphical or non-graphical data file) it is advisable to sanity check the input data at every step.
Consider ASN.1 data (used, for instance, for digital certificates, certificate revocation lists, certificate requests and so on).
Each and every ASN.1 data element and each and every sub-element contains a length field. The ASN.1 parser should check whether the length field of a sub-element goes beyond the length of the enclosing data element, and so on ad infinitum.
If the parser detects a violation, parsing stops.
Dedicated Linux servers (root access) $45 p.M.
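The nested length check described in the comment above, written out as an added example that is not part of the original thread. The function names, the nesting limit of 32 and the sample bytes are assumptions made here; only definite lengths and single-byte tags are handled.

```c
#include <stddef.h>
#include <stdint.h>

/* Read one tag+length header inside [*pos, end), where end is the end of the
 * ENCLOSING element, not of the buffer. Returns 0, or -1 on any violation. */
static int der_header(const uint8_t *buf, size_t end, size_t *pos,
                      size_t *len, int *constructed)
{
    size_t p = *pos;
    if (end - p < 2) return -1;              /* need tag + first length byte */
    uint8_t tag = buf[p++];
    size_t n = buf[p++];                     /* short form: the length itself */
    if ((tag & 0x1f) == 0x1f) return -1;     /* multi-byte tags: out of scope */
    if (n >= 0x80) {                         /* long form: k length bytes follow */
        size_t k = n & 0x7f;
        if (k == 0 || k > sizeof n || k > end - p) return -1;
        for (n = 0; k > 0; k--) n = (n << 8) | buf[p++];
    }
    if (n > end - p) return -1;              /* sub-element overruns its parent */
    *constructed = (tag & 0x20) != 0;
    *pos = p;
    *len = n;
    return 0;
}

/* Check every element in [pos, end), recursing into constructed ones.
 * Returns the number of elements seen, or -1 at the first violation. */
int der_check(const uint8_t *buf, size_t pos, size_t end, int depth)
{
    int count = 0;
    if (depth > 32) return -1;               /* assumed nesting limit */
    while (pos < end) {
        size_t len;
        int cons;
        if (der_header(buf, end, &pos, &len, &cons) != 0) return -1;
        int inner = cons ? der_check(buf, pos, pos + len, depth + 1) : 0;
        if (inner < 0) return -1;            /* parsing stops at the violation */
        count += inner + 1;
        pos += len;
    }
    return count;
}

/* Constructed sample: SEQUENCE { INTEGER 5, OCTET STRING "AB" } */
const uint8_t good[] = {0x30,0x07, 0x02,0x01,0x05, 0x04,0x02,0x41,0x42};
/* Constructed sample: the OCTET STRING claims 4 bytes, 2 more than the
 * SEQUENCE holds; a trailing INTEGER keeps the buffer itself long enough. */
const uint8_t bad[] = {0x30,0x07, 0x02,0x01,0x05, 0x04,0x04,0x41,0x42,
                       0x02,0x01,0x00};

int main(void) { return der_check(good, 0, sizeof good, 0) == 3 ? 0 : 1; }
```

The second sample is rejected even though the claimed bytes exist in the buffer, because each length is compared with what remains of its parent rather than with the end of the input.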
The WMF and EMF formats are just basically little programs full of GDI instructions. When you create one, you execute a bunch of GDI calls, with the WMF file as your Device Context. So essentially it's a shortcut-- an "easy" way to create a file format, based on the structure of the operating system's drawing code. I don't know about how the potential exploit works, but at first glance it seems like this is a typical case of designing a file format for "code convenience". Loading the file basically consists of loading a series of instructions and executing them. Now THAT sounds like a good idea! Easy to code for, but also easy to take advantage of. In other words, it's a lazy approach to coding. Lesson to be learned: File formats can be complicated! They must be designed to be a good *format*, not just to make coding easier. The more Microsoft designs its own file formats for each new technology it comes up with, the more we'll see this kind of thing. Better to find out what file formats are already out there, finding one that suits your needs, and supporting THAT, instead of coming up with one on your own. This is a case of re-inventing the wheel, badly.
...I've been trying to get porn flash ads off MSNBC and Yahoo for weeks now, at home, when at work the sites are just fine. Spyware, right? Well, Spybot, Norton, and AdAware say... a resounding "No". Nothing there. Yet the front page of MSNBC and my Yahoo mail still have ads for some guitar software, daBoink.com, and some fucked-up screensaver rotating with nauseating frequency.
Oh, and before you ask... twice a week virus scans, two noted spyware blockers, and a reliable firewall. How reliable? Shit, /. port-scans me every time I freakin' post!
Okay, now go on and say it... all together now... "Serves... YOU... ......."
When the going gets weird, the weird turn pro. ~~ Hunter S. Thompson
Add *.wmf and *.emf to your adblock filters (I presume if you browse with Windows you're using Firefox and Adblock, otherwise...) These formats hardly ever appear on the web. If you see one, it's probably an exploit.
Lurking at the bottom of the gravity well, getting old
Hear hear! Actually, my favorite was the one in ColorSync. Very scary stuff, because some programs ignore ColorSync profiles, so you might still be able to view your images. But Safari and IE do not ignore them...
As an aside, this is where the comment about "Macs have no viruses because they have low marketshare" holds some sway with me. I agree with everyone who says Macs are more secure than Windows, don't get me wrong. Once your code is running, it's much tougher to do anything to spread a virus in the same way that viruses spread in Windows. But part of it is that nobody really does the immense amount of reverse engineering necessary to write a virus or worm based upon a published vulnerability. While, with Windows, an entire cottage industry has been built to figure that stuff out because there's money in it.
These things, as with many things in life, do not stem from one reason. Windows has viruses because of poor security. Windows has lots of viruses because of marketshare. Macs have fewer viruses because of better security. Macs have no viruses because of marketshare.