(deprecated) Microsoft Windows OS (XP/NT/Vista) Forum
JPEG Vulnerability
Microsoft Security Bulletin
msgraph
msg:1571224
2:45 pm on Sep 15, 2004 (gmt 0)

Patch it up

[microsoft.com...]

Affects:

Windows XP
Windows XP Service Pack 1 (SP1)
Windows Server 2003
Internet Explorer 6 SP1
Office XP SP3
Note: Office XP SP3 includes Word 2002, Excel 2002, Outlook 2002, PowerPoint 2002, FrontPage 2002, and Publisher 2002.
Office 2003
Note: Office 2003 includes Word 2003, Excel 2003, Outlook 2003, PowerPoint 2003, FrontPage 2003, Publisher 2003, InfoPath 2003, and OneNote 2003.
Digital Image Pro 7.0
Digital Image Pro 9
Digital Image Suite 9
Greetings 2002
Picture It! 2002 (all versions)
Picture It! 7.0 (all versions)
Picture It! 9 (all versions, including Picture It! Library)
Producer for PowerPoint (all versions)
Project 2002 SP1 (all versions)
Project 2003 (all versions)
Visio 2002 SP2 (all versions)
Visio 2003 (all versions)
Visual Studio .NET 2002
Note: Visual Studio .NET 2002 includes Visual Basic .NET Standard 2002, Visual C# .NET Standard 2002, and Visual C++ .NET Standard 2002.
Visual Studio .NET 2003
Note: Visual Studio .NET 2003 includes Visual Basic .NET Standard 2003, Visual C# .NET Standard 2003, Visual C++ .NET Standard 2003, and Visual J# .NET Standard 2003.
.NET Framework 1.0 SP2
.NET Framework 1.0 SDK SP2
.NET Framework 1.1
Platform SDK Redistributable: GDI+

[news.bbc.co.uk...]

 

crashomon
msg:1571225
3:56 pm on Sep 15, 2004 (gmt 0)

I'm confused. Does this mean that ordinary JPEGs on websites can pose security risks?

If so, how does it happen? (or, what could happen?)

thanks,

Patrick

py9jmas
msg:1571226
4:24 pm on Sep 15, 2004 (gmt 0)

I'm confused. Does this mean that ordinary JPEGs on websites can pose security risks?

Yes, but then all untrusted data poses security risks.

If so, how does it happen? (or, what could happen?)

A specially corrupted JPEG tricks the program into interpreting part of the JPEG as executable code. The OS treats that code as part of the exploited application, so it has the same privileges. If you're logged in as Administrator, the exploit code now has admin rights to your PC.

For the technically inclined, search for "Smashing the Stack for Fun and Profit", a classic article from Phrack on this type of exploit.

mattglet
msg:1571227
5:12 pm on Sep 15, 2004 (gmt 0)

If you download the GDI+ security tool from Windows Update, it will notify you of this error as well.

stef25
msg:1571228
11:54 am on Sep 16, 2004 (gmt 0)

[news.bbc.co.uk...]

"Some viruses masquerade as images of pop singers"

bcolflesh
msg:1571229
12:42 pm on Sep 16, 2004 (gmt 0)

And, of course, this is not a "JPEG Vulnerability in Windows Software" as reported on the front page, just an error in the way some software parses the JPEG format, just like the recent vulnerability in Mozilla:

[secunia.com...]

tomda
msg:1571230
12:59 pm on Sep 16, 2004 (gmt 0)

Just read the BBC article?

Does this mean that websites with a GD gallery (uploading of pics by users) are at risk? Anyone could post a JPEG with malicious code on the server, which will then spread to all users viewing the pic?

chadmg
msg:1571231
2:02 pm on Sep 16, 2004 (gmt 0)

That bbc article is a glaring example of why non-technical people should not write technical articles. They seem to have interpreted most of the facts wrong. But I guess that's the case for most of the media.

P.S. Sorry for the rant.

john_k
msg:1571232
2:48 pm on Sep 16, 2004 (gmt 0)

Too bad they are patching this. It could have given us some really interesting ways to deal with image "hot-linking."

funandgames
msg:1571233
6:07 pm on Sep 16, 2004 (gmt 0)

Why the h*ll would a graphics editor execute code?

rise2it
msg:1571234
6:23 pm on Sep 16, 2004 (gmt 0)

Funandgames is right, why would a graphic editor even ATTEMPT to process the code?

CritterNYC
msg:1571235
8:16 pm on Sep 16, 2004 (gmt 0)

SIDE NOTE: I believe, as with several of these buffer overflow vulnerabilities, that you are not affected if you are running Windows XP SP2 with an AMD 64 processor. It supports marking data as "Not Executable" in memory. So, executable content in a data segment (like JPG images) would fail to execute.

monkeythumpa
msg:1571236
8:39 pm on Sep 16, 2004 (gmt 0)

Does this affect Photoshop?

john_k
msg:1571237
2:02 pm on Sep 17, 2004 (gmt 0)

Why the h*ll would a graphics editor execute code?

From some other information I've read, it takes advantage of faults in the JPG file parsing mechanism. And from that, I can only guess that it somehow gets the program counter to point into the contents of the file - to the executable payload.

I haven't seen it being called a buffer overload, so it is probably doing something other than overlaying the executable code already in place.

funandgames
msg:1571238
4:50 pm on Sep 17, 2004 (gmt 0)

Okay, I am a software engineer. I really do not see any way a program like Photoshop could be 'fooled' into running a virus in a JPG file. This whole thing sounds like bunk!

DaveAtIFG
msg:1571239
5:05 pm on Sep 17, 2004 (gmt 0)

Before we get too far off topic, perhaps some of you need to review message #1. I don't see Photoshop on the list of affected applications.

funandgames
msg:1571240
5:13 pm on Sep 17, 2004 (gmt 0)

I stand corrected. It is all Microsoft apps. Hmm, I wonder what these apps do to execute data?

john_k
msg:1571241
6:12 pm on Sep 17, 2004 (gmt 0)

I stand corrected. It is all Microsoft apps. Hmm, I wonder what these apps do to execute data?

They all use GDI functions to do the JPG manipulation. The vulnerability is in the GDI. The list of apps that Microsoft gives out only includes their own. Their security bulletin states that you should check with vendors of any other software you have installed to see if they are vulnerable to this. The ones that utilize API calls into the GDI for JPG files (that is GDI JPG API calls!) will be vulnerable. Ones that do their own JPG manipulation won't be.

funandgames
msg:1571242
6:38 am on Sep 18, 2004 (gmt 0)

Thank you john_k for clearing this up.

Xoc
msg:1571243
10:44 pm on Sep 18, 2004 (gmt 0)

This is a very scary flaw in Microsoft's JPEG parsing. What it means is that if you download a JPEG, and the program uses a particular dynamic link library to process that JPEG, then it is possible that your entire system will be compromised.

The way that it works is that a person with malicious intent (let's call him Bart) creates a special JPEG. This JPEG uses bugs inside the Microsoft dynamic link library to overflow a buffer. By taking advantage of this bug, Bart can have code that he places into the JPEG execute. Since that code is running as you, it has whatever privileges you have and can do whatever you could do to the machine.

Only programs that use the dynamic link library to process the JPEG are vulnerable. However, virtually all of Microsoft's programs use this dynamic link library, so they are all vulnerable. Until you upgrade the dynamic link library on your machine, you are at severe risk.

Just viewing the malicious JPEG in IE will be enough that your machine will be compromised. Or in Outlook, or a variety of other programs.

It is critical that you patch every machine on your network, using both Windows Update and Office Update, as well as updating any other programs that use the DLL.

See these web sites for more information and locations to download patches: [microsoft.com...] and [microsoft.com...]

funandgames
msg:1571244
4:23 pm on Sep 19, 2004 (gmt 0)

Could this latest vulnerability be why we are suddenly getting a new rash of email viruses?

dsandall
msg:1571245
8:37 pm on Sep 20, 2004 (gmt 0)

Here's a question I have that picks up on one of the questions posed by someone else. In the case of a site where visitors are allowed to upload images, is there some way to ensure the jpegs being uploaded are carrying a nasty payload?

Knowing a file pattern to look for, I'm thinking that I can use PHP (which handles the file uploading) to scan the files for it, making sure each one is clean.

Thanks,
Dwayne (who once again, without starting a flame fest, is glad he has a Mac).

Reflect
msg:1571246
7:41 pm on Sep 21, 2004 (gmt 0)

In the case of a site where visitors are allowed to upload images, is there some way to ensure the jpegs being uploaded are carrying a nasty payload?

Sure is... the AV program that the server is running.

I work with Symantec here and there. Even though there is no real-world code in existence... YET, they are catching this as Bloodhound.Exploit.13 via the heuristics scan.

Take care,

Brian

dsandall
msg:1571247
8:24 pm on Sep 21, 2004 (gmt 0)

In the case of a site where visitors are allowed to upload images, is there some way to ensure the jpegs being uploaded are carrying a nasty payload?

Sure is... the AV program that the server is running.

I work with Symantec here and there. Even though there is no real-world code in existence... YET, they are catching this as Bloodhound.Exploit.13 via the heuristics scan.

Perhaps this is where I am confused. On an ISP's LAMP architecture (Linux, Apache, MySQL & PHP) I have found no reference to virus scanning; as well, it is a web server, not an e-mail server. Perhaps I am missing something, but my overall impression is that there is no reason to have virus scanning on a pure web server?

I think I see your point if the server is running e-mail and other services, but for a user-uploaded file, I am missing the link here.

If I am just totally out to lunch, let me know. Thanks, Dwayne

Reflect
msg:1571248
11:31 pm on Sep 21, 2004 (gmt 0)

Perhaps I am missing something, but my overall impression is that there is no reason to have virus scanning on a pure web server?

Guess I just assumed that when users are allowed to upload from the wild, a scan would happen on that stream. My mistake. You guessed right: I mainly do e-mail administration at the server level, and AV. However, the web farm at our org. is not under my AV duties.

Take care,

Brian

Chndru
msg:1571249
7:16 pm on Sep 23, 2004 (gmt 0)

Sample code out public:
[asia.cnet.com...]

dsandall
msg:1571250
8:26 pm on Sep 23, 2004 (gmt 0)

Perhaps I am missing something, but my overall impression is that there is no reason to have virus scanning on a pure web server?

Guess I just assumed that when users are allowed to upload from the wild, a scan would happen on that stream. My mistake. You guessed right: I mainly do e-mail administration at the server level, and AV. However, the web farm at our org. is not under my AV duties.

You're right about checking files uploaded from the wild, but the checking now is done to ensure that it is a valid JPEG file (header check) and then, to be sure, there is some re-sizing done, so if it is not a JPEG, then, well, the code returns a fail on the upload and it is never posted as a graphic.

In this new vulnerability, it is my impression that this virus is part of a valid JPEG, which is where my original query about the pattern matching comes in (which is what virus software does anyway, right?). Just in this case, there is no AV software running on the web server, just the upload manager that ensures the files are valid JPEGs.

Also, does anyone know of a code chunk that can be scanned for to see if a JPEG contains this virus?

Thanks again for comments,
Dwayne

tomda
msg:1571251
5:46 am on Sep 24, 2004 (gmt 0)

So resizing the pic, if not done, is THE solution?
Good news.

Romeo
msg:1571252
9:52 am on Sep 24, 2004 (gmt 0)

To the question about pattern matching and scanning on a web server:
if you are running the Snort intrusion detection system, some Snort rules for bad JPEGs have been published on yesterday's ISC alert page:
[isc.sans.org...]

Regards,
R.
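Dwayne's "header check, then resize" step and the Snort rules Romeo points to are both forms of structural checking on the file itself. The block below is an added example for this thread (not code from WebmasterWorld, from any poster, or from a Snort rule set) of what a server-side upload handler can do beyond testing the first two magic bytes: walk the JPEG marker segments and reject any file whose structure is malformed before an image library ever parses it. Per the JPEG spec, every marker segment that carries a length field uses a length that counts its own two bytes, so a length below 2 or a segment that runs past the end of the file can never occur in a valid image. The function names and the sample byte strings are the example's own; the samples are constructed stubs, not real images. It is written in Python rather than PHP, where the same marker walk applies, and it goes slightly beyond the thread by handling truncation and a renamed non-JPEG as well.

```python
"""Structural validation of an uploaded JPEG (added example, not from the thread).

Walks the marker segments between SOI and SOS and rejects anything that is not
a well-formed header: missing magic, a length field below 2, a segment that
overruns the file, or no scan data at all.  This is a defensive pre-check to run
before handing the bytes to an image library; it is not a virus signature.
"""
import struct
from typing import Tuple

SOI, EOI, SOS, TEM = 0xD8, 0xD9, 0xDA, 0x01
RST0, RST7 = 0xD0, 0xD7
# Markers that carry no length field at all.
STANDALONE = {SOI, EOI, TEM} | set(range(RST0, RST7 + 1))


def validate_jpeg(data: bytes) -> Tuple[bool, str]:
    """Return (ok, reason) for the header structure of a JPEG byte string."""
    if len(data) < 4 or data[0:2] != b"\xff\xd8":
        return False, "missing SOI magic"
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return False, f"expected marker at offset {pos}"
        # Any number of 0xFF fill bytes may precede the marker byte itself.
        while pos < len(data) and data[pos] == 0xFF:
            pos += 1
        if pos >= len(data):
            return False, "truncated marker"
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            if marker == EOI:
                return False, "EOI before SOS: file has no image data"
            continue
        if pos + 2 > len(data):
            return False, f"marker 0x{marker:02X} truncated before length field"
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:  # the length counts its own two bytes, so < 2 is never valid
            return False, f"marker 0x{marker:02X} has invalid length {length}"
        if pos + length > len(data):
            return False, f"marker 0x{marker:02X} segment runs past end of file"
        if marker == SOS:
            # Entropy-coded scan data follows; the header structure is sound.
            return True, "ok"
        pos += length
    return False, "no SOS segment found"


def check_upload(data: bytes, max_bytes: int = 8 * 1024 * 1024) -> bool:
    """Policy wrapper for an upload handler: size cap plus structural check.
    A caller would still re-encode (resize) an accepted image afterwards, as
    Dwayne describes, so the stored file is one the server itself produced."""
    if len(data) > max_bytes:
        return False
    ok, _reason = validate_jpeg(data)
    return ok


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment; the length field is payload length plus 2."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample inputs (not real images; scan data is filler bytes).
JFIF_APP0 = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
SOS_HDR = _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
GOOD_JPEG = b"\xff\xd8" + JFIF_APP0 + SOS_HDR + b"\x12\x34\xff\xd9"
BAD_LENGTH_JPEG = b"\xff\xd8" + b"\xff\xe1\x00\x01" + SOS_HDR + b"\xff\xd9"  # APP1 length 1
TRUNCATED_JPEG = GOOD_JPEG[:10]
NOT_A_JPEG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # a PNG renamed to .jpg

if __name__ == "__main__":
    samples = [("good", GOOD_JPEG), ("bad length", BAD_LENGTH_JPEG),
               ("truncated", TRUNCATED_JPEG), ("png as .jpg", NOT_A_JPEG)]
    for name, blob in samples:
        print(f"{name:12} -> {validate_jpeg(blob)}")
```

In an upload handler, call `check_upload()` on the raw bytes before doing anything else with them, and only then pass the file to the image library for the resize step; a file that fails the walk is dropped without ever being decoded.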

zeus
msg:1571253
10:23 am on Sep 26, 2004 (gmt 0)

You can right click on a JPG picture, like "Set as Background"; where is the security risk there?
