Image Handling Flaw Puts Windows At Risk

An anonymous reader writes "Microsoft has released word that several image handling flaws may open Windows PCs to Spyware or viruses. From the article: 'We will continue to see this type of vulnerabilities in every major application for the foreseeable future ... It is not just images, but any type of complex file format. This is something that security researchers and hackers have realized to be a weak point in many applications.'"

Huh?

Windows wasn't open to spyware and viruses before?

DUPE

[42Penguins]

This vulnerability is a dupe!
Windows has already had an image handling flaw!
Oh, it's Windows. False alarm.

Critical Bug?

[geomon]

Okay, so it is critical. The advisory contains the patch to correct the problem. This only becomes an issue if Windows users don't patch their machines.

What is the likelihood that users won't patch their machines? (cough!)

From TFA:

Mehta doesn't expect the latest Windows flaws to be exploited in a widespread attack. "We're not bracing for any major worm or malware outbreak, but we do expect them to be used in targeted attacks," Mehta said. "There is user interaction required, there has to be someone sitting at the other end in order to be compromised."

Yeah, like viewing an image from usenet. No one ever does that.

Re:Critical Bug?

[conJunk]

What is the likelihood that users won't patch their machines?

Well, it went up on the slashdot mainpage, so that likelihood for a great number of users is a lot lower than it would have been.

The 35 users I'm responsible for just got an email instructing them on how to to do the patch, with links to the patch execs that now live on our local file server.

This model -- (1) Microsoft announces it; (2) I hear about it on /. or security focus (usually both); (3) my users hear about it from me -- works well.

Sure, that's a drop in the bucket for windows PCs, but the point is that the communication chanels are open, and as long as people have the oportunity to hear about these things, we can reasonably expect them to be responsible for implementing them

Of course, that's not an excuse for making vulnerable software in the first place...

Re:Critical Bug?

[shmlco]

Of course, we also have recent announcements of imaging bugs and vulnerabilities in Apple's QuickTime that can allow machines to be hijacked. As such, I gather *nix systems can and do have similar problems.

Re:Critical Bug?

[ozmanjusri]

So usenet is dead?

alt.binaries.necrophilia has been very quiet lately.

Practice safe image viewing folks!

[nizo]

Or your computer could get an STD (Screenally Transmitted Disease) from viewing pornographic images.

Re:Practice safe image viewing folks!

[oberondarksoul]

I get enough funny looks from my housemates already. I am not putting a condom over my monitor.

Ack!

[rubberbando]

So now not only will looking at the goatse picture make you vommit, it will take over your Windoze PC!

Will the horrors ever stop?!!

MSN Messenger felled by this months ago

[saskboy]

Both jpg and png was flawed in Windows, MSN Messenger, and even other image apps by a buffer overflow exploit where a specially crafted jpeg file with a virus "attachment" would crash the program and execute virus code. I have to agree that if they are still finding flaws, we'll be stuck with them for a while. Just imagine, every Windows 98 computer out there probably has this problem too, and there's no way it's going to be really fixed. It will never be safe to run even "safe" things like jpg and mp3 on old computers now. It's very, very disapointing news.

In a Messenger program that is always accepting new input in the form of pictures and messages, it's especially dangerous because anyone who's online will instantly become a zombie spewing out infection to their friends on their contact list. You really will get viruses through your personal contacts more than spamming-strangers in the future.

Re:MSN Messenger felled by this months ago

[webzone]

the current flaw affects WMF (Windows Metafile) and EMF (Enhanced Metafile) file formats only. This is not the same thing as any jpeg or png-related vulnerability

When writing a parser, length checking is a must

[Harry+Balls]

When writing a parser (for a graphical or non-graphical data file) it is advisable to sanity check the input data at every step.

Consider ASN.1 data (used, for instance, for digital certificates, certificate revocation lists, certificate requests and so on).
Each and every ASN.1 data element and each and every sub-element contains a length field. The ASN.1 parser should check whether the length field of a sub-element goes beyond the length of the enclosing data element, and so on ad infinitum.
If the parser detects a violation, parsing stops.

An interesting question

[ThePyro]

Microsoft's .NET platform, which is supposed to be managed code, has built-in support for rendering WMF and EMF images (the image formats that are affected by this security vulnerability). So are applications written in .NET still vulnerable to the buffer overflow exploit, or was the underlying rendering code rewritten for the managed environment?

Writing managed applications won't protect you (completely) if the underlying framework isn't also managed.

Re:An interesting question

[SilverspurG]

How about we just raise the bar on coding practices and actually secure programming? Maybe we could teach strict logic flow structures.

The biggest excuse I hear from programmers for why they've violated strict logic flow is always,"Well, I was coding for speed and efficiency". With 3.0+GHz machines, what does it matter anymore? It's all a lot of hooey, too. The person learned that excuse from someone in 8th grade and they've latched onto it. When pressed they rarely even know what logical structure they've violated. They only know the excuse.

I think the biggest problem facing us is the inundation of object oriented programming languages. There's very little need to learn the strict mathematics of programming anymore. It is this laziness, and not any particular language, which is the root cause of the problem. Programming environments with sandboxes (ie. Java) are band-aids to a bigger problem.

The problem is with lazy programmers.

Re:An interesting question

[cbiltcliffe]

I was going to point out that "unnessacerally" was spelled incorrectly. I was then going to suggest that you could use Google as a spell checker, by typing your spelling into it, and seeing what it suggested with its "Do you mean...." thing.

Then I went and typed that spelling into Google, and found out that enough people have spelled it incorrectly on the web that Google doesn't know how to correct it, and suggests another incorrect spelling.

Correct spelling is "unnecessary".

Now, mod me down as a pedantic twit.

Re:Another brownie point for the cause of DRM?

[plover]

I'm not sure how you extrapolated that. What makes you think the DRM code is going to be somehow "more resistant" to buffer exploits? It just shifts the focus from the "media viewer" portion to the "DRM decoder" portion of the software. But there are still buffers involved.

Besides, if you're passing "unprotected" content around you'll still have these issues. Not every JPG is going to suddenly be digitally signed and encrypted. Assuming the same "media viewer" application, you'll have the same bugs.

If anything, the DRM code just adds another layer of interpretation that's open to attack, making your system "less safe" rather than "more safe." More code == more potential for bugs.

typical case of code-based formats

[radarsat1]

The WMF and EMF formats are just basically little programs full of GDI instructions. When you create one, you execute a bunch of GDI calls, with the WMF file as your Device Context. So essentially it's a shortcut-- an "easy" way to create a file format, based on the structure of the operating system's drawing code. I don't know about how the potential exploit works, but at first glance it seems like this is a typical case of designing a file format for "code convenience". Loading the file basically consists of loading a series of instructions and executing them. Now THAT sounds like a good idea! Easy to code for, but also easy to take advantage of. In other words, it's a lazy approach to coding. Lesson to be learned: File formats can be complicated! They must be designed to be a good *format*, not just to make coding easier. The more Microsoft designs its own file formats for each new technology it comes up with, the more we'll see this kind of thing. Better to find out what file formats are already out there, finding one that suits your needs, and supporting THAT, instead of coming up with one on your own. This is a case of re-inventing the wheel, badly.

Re:typical case of code-based formats

[cnettel]

Oh, a file format based on instructions, just like, uh, PostScript?

If you want detailed control over layout, especially with low overhead for rendering, an instruction based approach is quite good. The point is that no GDI call, in itself, should be able to mess things up and simple parameter validation of the WMF input should be enough when spooling the calls.

(Hey, Postscript is even Turing complete. There's nothing wrong with describing a picture as instructions to a state machine with some rendering primitives.)

Besides, WMF is 15+ years old now. The availability of formats for vector graphics that matched the features of GDI (while not being expensive, money-wise or performance-wise, to render by GDI) back then was a bit different. The format has never been used much for real files, but quite a lot for clipboard transfer of vector data (Excel graphs and whatnot).

Sorta like this quicktime one

[MushMouth]

While I hold no place in my heart for microsoft. Quicktime appears to be having a very similar problem. But also remember that the libjpeg and libz also had similar problems exploitable on Linux patched in the last year. Expecting an OS, ANY OS to save you is a bigger security threat than some exploitable jpeg code.

I like this line of Grade-A bullshit....

[HotNeedleOfInquiry]

"We will continue to see this type of vulnerabilities in every major application for the foreseeable future ... It is not just images, but any type of complex file format. This is something that security researchers and hackers have realized to be a weak point in many applications."

If a programmer is taking the time and effort to interpret a complex file format, why can't he also take the time to validate it.

Re:I like this line of Grade-A bullshit....

[cnettel]

Of course you are right, but you are also ignorant if you don't realize that writing something that seems to interpret every valid file correctly is far easier than writing something that will accept every valid file and reject any invalid file, gracefully. Not to be said that it can't be done or that it shouldn't have been done. Just that it's far more difficult. Even when it's short and seems rather solid. zlib, anyone?

Guy is from Internet Security Systems

[badriram]

Internet Security Systems != Microsoft.

This has nothing really to do with IE. IE here just happens to be a vector. If FF on windows was depending on those libraries to display those image formats they would be vulnerable as well.

Re:Time to switch to Macintosh

[evw]

You're confusing exploits with vulnerabilities. There have been plenty of vulnerabilities or haven't you been following all the security updates?

List of security updates for Mac OS X

Take for example Security Update 2005-008

This update includes the following components:

ImageIO
LibSystem
Mail
QuickDraw
Ruby
SecurityAgent
securityd

Hmm. A security update that touches the ImageIO library?

p.s. before you flame/mod me into oblivion, I'm a happy Mac OS X user. Yes, Windows has way more bugs and a much worse security record. Is OS X invulnerable? No.

Ironic. 9x not affected.

[Tackhead]

> Just imagine, every Windows 98 computer out there probably has this problem too,

Ironic.

Non-Affected Software:
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)

- MS05-053 security bulletin

The usual MS obfuscation for "because we don't support 9x anymore, by definition there are no critical updates for 9x" is to state that 9x is "Not Critically Affected", with a URL to a page that defines "critically affected" in such a way as to exclude 9x.

"Not Affected", as claimed in MS05-053, is a stronger claim. That's not to say there aren't similar bugs in image-handling in 9x; only that the hole in this notice probably doesn't affect 9x.

The real threat

[griffinn]

"Microsoft has released Word"

That is the real threat, my friend.

This is probably going to get modded as funny, but

[Patchw0rk+F0g]

...I've been trying to get porn flash ads off MSNBC and Yahoo for weeks now, at home, when at work the sites are just fine. Spyware, right? Well, Spybot, Norton, and AdAware say... a resounding "No". Nothing there. Yet the front page of MSNBC and my Yahoo mail still have ads for some guitar software, daBoink.com, and some fucked-up screensaver rotating with nauseating frequency.

Oh, and before you ask... twice a week virus scans, two noted spyware blockers, and a reliable firewall. How reliable? Shit, /. port-scans me every time I freakin' post!

Okay, now go on and say it... all together now... "Serves... YOU... ......."

I've got the solution!

[SeaFox]

Only use plain text email and turn off all image loading in Internet Explorer!

Not only will this stop the spread of viruses, it will drive hundreds of thousands of noobs off the internet. Usenet will be stored to it's former glory and AOL will go out of business. Marketshare of Linux and MacOSX will skyrocket and peace and balance will be restored to the Force!

Re:Time to switch to Macintosh

[PsychicX]

Normally I'd point out that if MS actually used third party libs for things like PNG and JPEG, they wouldn't have these problems (no more than anyone else, anyway). But since this applies to metafile bitmaps, which basically nobody uses, there's nothing to be done.

Adblock filters

[TopSpin]

Add *.wmf and *.emf to your adblock filters (I presume if you browse with Windows you're using Firefox and Adblock, otherwise...) These formats hardly ever appear on the web. If you see one, it's probably an exploit.

Re:What the hell is it about buffer overflows?

[HermanAB]

The main cause is the C string operators, which traditionally use Null terminated strings. So the potential length of a string is unlimited. In Linux, functions like gets() are (have been) phased out in favour of getsn(), which has an explicit length:
int getsn(char *cp, int size);

This has been a huge effort executed using automated search methods and hand coding, to vet enormous amounts of Free code. Consequently the quality of GNU systems have improved dramatically, while the same cannot be said for MS code.

The problem is that if you overflow a buffer defined on the processor stack, then you can force a new return address into the Program Counter when a routine exits, thus giving the attacker control over the next piece of code to execute. This pice of code is typically part of the string that was used to overflow the buffer.

Re:Time to switch to Macintosh

[R3d+M3rcury]

Hear hear! Actually, my favorite was the one in ColorSync. Very scary stuff, because some programs ignore ColorSync profiles, so you might still be able to view your images. But Safari and IE do not ignore them...

As an aside, this is where the the comment about "Macs have no viruses because they have low marketshare" holds some sway with me. I agree with everyone who says Macs are more secure than Windows, don't get me wrong. Once your code is running, it's much tougher to do anything to spread a virus in the same way that viruses spread in Windows. But part of it is that nobody really does the immense amount of reverse engineering necessary to write a virus or worm based upon an a published vulnerability. While, with Windows, an entire cottage industry has been built to figure that stuff out because there's money in it.

These things, as with many things in life, do not stem from one reason. Windows has viruses because of poor security. Windows has lots of viruses because of marketshare. Macs have fewer viruses because of better security. Macs have no viruses because of marketshare.

Re:what is wrong with that code

[UncleFluffy]

The code was different when I posted it. As usual, Slashdot eats my punctuation

Yeah, yeah, "the dog ate my homework". Heard it before ... ;-)