I'm confused. Does this mean that ordinary jpegs on websites can pose security risks.

If so, how does it happen? (or, what could happen?)

thanks,

Patrick

I'm confused. Does this mean that ordinary jpegs on websites can pose security risks.

Yes, but then all untrusted data pose security risks

If so, how does it happen? (or, what could happen?)

A specially corrupted JPEG tricks the program in to interpreting part of the JPEG as executable code. The OS treats that code as part of the exploited application, so it has the same priviledges. If you're logged in as Administrator, the exploit code now has admin rights to your PC.

For the techncally inclined, search for "smashing the stack for fun and profit", a classic article from Phrack on this type of exploit.

If you download the GDI+ security tool from Windows Update, it will notify you of this error as well.

[news.bbc.co.uk...]

"Some viruses masquerade as images of pop singers"

And, of course, this is not a "JPEG Vulnerability in Windows Software" as reported on the front page, just an error in the way some software parses the JPEG format, just like the recent vulnerability in Mozilla:

[secunia.com...]

Just read the BBC article?

Does this mean that website zith GD gallery (uploading of pic by users) are at risk. Anyone could post a JPEG with malicious code in the server, which will then spread to all users viewing the pic?

That bbc article is a glaring example of why non-technical people should not write technical articles. They seem to have interpreted most of the facts wrong. But I guess that's the case for most of the media.

P.S. Sorry for the rant.

Too bad they are patching this. It could have given us some really interesting ways to deal with image "hot-linking."

Why the h*ll would a graphics editor execute code?

Funandgames is right, why would a graphic editor even ATTEMPT to process the code?

SIDE NOTE: I believe, as with several of these buffer overflow vulnerabilities, that you are not affected if you are running Windows XP SP2 with an AMD 64 processor. It supports marking data as "Not Executable" in memory. So, executable content in a data segment (like JPG images) would fail to execute.

Does this affect Photoshop?

Why the h*ll would a graphics editor execute code?

From some other information I've read, it takes advantage of faults in the JPG file parsing mechanism. And from that, I can only guess that it somehow gets the program counter to point into the contents of the file - to the executable payload.

I haven't seen it being called a buffer overload, so it is probably doing something other than overlaying the executable code already in place.

Okay, I am a software engineer. I really do not see any way a program like Photoshop could be 'fooled' into running a virus in a JPG file. This whole thing sounds like bunk!

Before we get too far off topic, perhaps some of you need to review message #1. I don't see Photoshop on the list of affected applications.

I stand corrected. It is all microsoft apps. Hmm, I wonder what these apps do to execute data?

stand corrected. It is all microsoft apps. Hmm, I wonder what these apps do to execute data?

They all use GDI functions to do the JPG manipulation. The vulnerability is in the GDI. The list of apps that Microsoft gives out only includes their own. Their security bulletin states that you should check with vendors of any other software you have installed to see if they are vulnerable to this. The ones that utilize API calls into the GDI for JPG files (that is GDI JPG API calls!) will be vulnerable. Ones that do their own JPG manipulation won't be.

Thank you john_k for clearing this up.

This is a very scary flaw in Microsoft's JPEG parsing. What it means is that if you download a JPEG, and the program uses a particular dynamic link library to process that JPEG, then it is possible that your entire system will be compromised.

The way that it works is that a person with malicious intent creates a special JPEG (let's call him Bart). This JPEG uses bugs inside the Microsoft dynamic link library to overflow a buffer. By taking advantage of this bug, Bart, can have code that he places into the JPEG execute. Since that code is running as you, it has whatever privileges you have and can do whatever you could do to the machine.

Only programs that use the dynamic link library to process the JPEG are vulnerable. However, virtually all of Microsoft's programs use this dynamic link library, so they are all vulnerable. Until you upgrade the dynamic link library on your machine, you are at severe risk.

Just viewing the malicious JPEG in IE will be enough that your machine will be compromised. Or in Outlook, or a variety of other programs.

It is critical that you patch every machine on your network, using both Windows Update and Office Update, as well as updating any other programs that use the DLL.

See these web sites for more information and locations to download patches: [microsoft.com...] and [microsoft.com...]

Could this latest vulnerability be why we are suddenly getting a new rash of email viruses?

Here's a question I have that picks up on one of the questions posed by someone else. In the case of a site where visitors are allowed to upload images, is there some way to ensure the jpegs being uploaded are carrying a nasty payload?

Knowing a file pattern to look for, I'm thinking that I can use PHP (which handles the file uploading) to scan the files for it making sure it is clean.

Thanks,
Dwayne (who once again, without starting a flame fest, is glad he has a Mac).

In the case of a site where visitors are allowed to upload images, is there some way to ensure the jpegs being uploaded are carrying a nasty payload?

Sure is...the AV program that server is running.

I work with Symantec here and there. Even though there is no real world code in existance....YET, they are catching this as Bloodhound.Exploit.13 via the hueristics scan.

Take care,

Brian

In the case of a site where visitors are allowed to upload images, is there some way to ensure the jpegs being uploaded are carrying a nasty payload?

Sure is...the AV program that server is running.

I work with Symantec here and there. Even though there is no real world code in existance....YET, they are catching this as Bloodhound.Exploit.13 via the hueristics scan.

Perhaps this is where I am confused. On an ISP's LAMP architecture (Linux, Apache, MySQL & PHP) I have found no reference to virus scanning, as well, it is a Web server, not an e-mail server. Perhaps I am missing something, but my overall impression is that there is no reason to have virus scanning on a pure web server?

I think I see your point if the server is running e-mail and other services, but for a user-uploaded file, I am missing the link here.

If I am just totally out to lunch, let me know. Thanks, Dwayne

Perhaps I am missing something, but my overall impression is that there is no reason to have virus scanning on a pure web server?

Guess I just assumed when users are allowed to upload from the wild that a scan would happen on that stream. My mistake. You guessed right I mainly do e-mail adminstration at the server level and AV. However the web farm, at our org., is not under my AV duties.

Take care,

Brian

Sample code out public:
[asia.cnet.com...]

Perhaps I am missing something, but my overall impression is that there is no reason to have virus scanning on a pure web server?

Guess I just assumed when users are allowed to upload from the wild that a scan would happen on that stream. My mistake. You guessed right I mainly do e-mail adminstration at the server level and AV. However the web farm, at our org., is not under my AV duties.

You're right about checking files uploaded from the wild, but, the checking now is done to ensure that it is a valid jpeg file (header check) and then, to be sure, there is some re-sizing done, so if it is not a jpeg, then well, the code returns a fail on the upload and it is never posted as a graphic.

In this new vulnerability, it is my impression that this virus is part of a valid jpeg, which is where my original query about the pattern matching comes in (which is what virus software does anyway right?). Just in this case, there is no AV software running on the web server, just the upload manager that ensures the files are valid jpegs.

Also, anyone know of a code chunk that can be scanned for to see if a jpeg contains this virus?

Thanks again for comments,
Dwayne

So resizing the pic, if not done, is THE solution?
Good news.

To the question about pattern matching and scanning on a web server:
if you are running the snort intrusion detection system, there have heen published some snort rules for bad JPEGs on yesterday's ISC alert page:
[isc.sans.org...]

Regards,
R.

You can right click on a jpg picture, like set as background, where is the securit risk there.