
JPEG Vulnerability

Microsoft Security Bulletin

     
2:45 pm on Sep 15, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 29, 2000
posts:1425
votes: 0


Patch it up

[microsoft.com...]

Affects:

Windows XP

Windows XP Service Pack 1 (SP1)

Windows Server 2003

Internet Explorer 6 SP1

Office XP SP3

Note: Office XP SP3 includes Word 2002, Excel 2002, Outlook 2002, PowerPoint 2002, FrontPage 2002, and Publisher 2002.

Office 2003

Note: Office 2003 includes Word 2003, Excel 2003, Outlook 2003, PowerPoint 2003, FrontPage 2003, Publisher 2003, InfoPath 2003, and OneNote 2003.

Digital Image Pro 7.0

Digital Image Pro 9

Digital Image Suite 9

Greetings 2002

Picture It! 2002 (all versions)

Picture It! 7.0 (all versions)

Picture It! 9 (all versions, including Picture It! Library)

Producer for PowerPoint (all versions)

Project 2002 SP1 (all versions)

Project 2003 (all versions)

Visio 2002 SP2 (all versions)

Visio 2003 (all versions)

Visual Studio .NET 2002

Note: Visual Studio .NET 2002 includes Visual Basic .NET Standard 2002, Visual C# .NET Standard 2002, and Visual C++ .NET Standard 2002.

Visual Studio .NET 2003

Note: Visual Studio .NET 2003 includes Visual Basic .NET Standard 2003, Visual C# .NET Standard 2003, Visual C++ .NET Standard 2003, and Visual J# .NET Standard 2003.

.NET Framework 1.0 SP2

.NET Framework 1.0 SDK SP2

.NET Framework 1.1

Platform SDK Redistributable: GDI+

[news.bbc.co.uk...]

3:56 pm on Sept 15, 2004 (gmt 0)

Junior Member from US 

10+ Year Member

joined:Dec 30, 2003
posts:125
votes: 0


I'm confused. Does this mean that ordinary JPEGs on websites can pose security risks?

If so, how does it happen? (or, what could happen?)

thanks,

Patrick

4:24 pm on Sept 15, 2004 (gmt 0)

Full Member

10+ Year Member

joined:Mar 8, 2004
posts:311
votes: 0


I'm confused. Does this mean that ordinary JPEGs on websites can pose security risks?

Yes, but then all untrusted data pose security risks.

If so, how does it happen? (or, what could happen?)

A specially corrupted JPEG tricks the program into interpreting part of the JPEG as executable code. The OS treats that code as part of the exploited application, so it has the same privileges. If you're logged in as Administrator, the exploit code now has admin rights to your PC.

For the technically inclined, search for "smashing the stack for fun and profit", a classic article from Phrack on this type of exploit.

5:12 pm on Sept 15, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 12, 2002
posts:1482
votes: 0


If you download the GDI+ security tool from Windows Update, it will notify you of this error as well.

11:54 am on Sept 16, 2004 (gmt 0)

Preferred Member

10+ Year Member

joined:May 4, 2004
posts:394
votes: 0


[news.bbc.co.uk...]

"Some viruses masquerade as images of pop singers"

12:42 pm on Sept 16, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Feb 21, 2003
posts:2355
votes: 0


And, of course, this is not a "JPEG Vulnerability in Windows Software" as reported on the front page, just an error in the way some software parses the JPEG format, just like the recent vulnerability in Mozilla:

[secunia.com...]

12:59 pm on Sept 16, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 7, 2004
posts:929
votes: 0


Just read the BBC article?

Does this mean that websites with a GD gallery (uploading of pics by users) are at risk? Anyone could post a JPEG with malicious code on the server, which will then spread to all users viewing the pic?

2:02 pm on Sept 16, 2004 (gmt 0)

Full Member

10+ Year Member

joined:Sept 25, 2003
posts:308
votes: 0


That BBC article is a glaring example of why non-technical people should not write technical articles. They seem to have interpreted most of the facts wrong. But I guess that's the case for most of the media.

P.S. Sorry for the rant.

2:48 pm on Sept 16, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Oct 3, 2003
posts:792
votes: 0


Too bad they are patching this. It could have given us some really interesting ways to deal with image "hot-linking."

6:07 pm on Sept 16, 2004 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 18, 2003
posts:191
votes: 0


Why the h*ll would a graphics editor execute code?

6:23 pm on Sept 16, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Aug 19, 2003
posts:701
votes: 0


Funandgames is right, why would a graphic editor even ATTEMPT to process the code?

8:16 pm on Sept 16, 2004 (gmt 0)

Full Member

10+ Year Member

joined:Feb 23, 2003
posts:207
votes: 0


SIDE NOTE: I believe, as with several of these buffer overflow vulnerabilities, that you are not affected if you are running Windows XP SP2 with an AMD 64 processor. It supports marking data as "Not Executable" in memory. So, executable content in a data segment (like JPG images) would fail to execute.

8:39 pm on Sept 16, 2004 (gmt 0)

Preferred Member

10+ Year Member

joined:Aug 2, 2004
posts:551
votes: 0


Does this affect Photoshop?

2:02 pm on Sept 17, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Oct 3, 2003
posts:792
votes: 0


Why the h*ll would a graphics editor execute code?

From some other information I've read, it takes advantage of faults in the JPG file parsing mechanism. And from that, I can only guess that it somehow gets the program counter to point into the contents of the file - to the executable payload.

I haven't seen it being called a buffer overload, so it is probably doing something other than overlaying the executable code already in place.

4:50 pm on Sept 17, 2004 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 18, 2003
posts:191
votes: 0


Okay, I am a software engineer. I really do not see any way a program like Photoshop could be 'fooled' into running a virus in a JPG file. This whole thing sounds like bunk!

5:05 pm on Sept 17, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Sept 21, 1999
posts:2141
votes: 0


Before we get too far off topic, perhaps some of you need to review message #1. I don't see Photoshop on the list of affected applications.

5:13 pm on Sept 17, 2004 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 18, 2003
posts:191
votes: 0


I stand corrected. It is all Microsoft apps. Hmm, I wonder what these apps do to execute data?

6:12 pm on Sept 17, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Oct 3, 2003
posts:792
votes: 0


I stand corrected. It is all Microsoft apps. Hmm, I wonder what these apps do to execute data?

They all use GDI functions to do the JPG manipulation. The vulnerability is in the GDI. The list of apps that Microsoft gives out only includes their own. Their security bulletin states that you should check with vendors of any other software you have installed to see if they are vulnerable to this. The ones that utilize API calls into the GDI for JPG files (that is, GDI JPG API calls!) will be vulnerable. Ones that do their own JPG manipulation won't be.

6:38 am on Sept 18, 2004 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 18, 2003
posts:191
votes: 0


Thank you john_k for clearing this up.

Xoc

10:44 pm on Sept 18, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 18, 2001
posts:1437
votes: 0


This is a very scary flaw in Microsoft's JPEG parsing. What it means is that if you download a JPEG, and the program uses a particular dynamic link library to process that JPEG, then it is possible that your entire system will be compromised.

The way that it works is that a person with malicious intent (let's call him Bart) creates a special JPEG. This JPEG uses bugs inside the Microsoft dynamic link library to overflow a buffer. By taking advantage of this bug, Bart can have code that he places into the JPEG execute. Since that code is running as you, it has whatever privileges you have and can do whatever you could do to the machine.

Only programs that use the dynamic link library to process the JPEG are vulnerable. However, virtually all of Microsoft's programs use this dynamic link library, so they are all vulnerable. Until you upgrade the dynamic link library on your machine, you are at severe risk.

Just viewing the malicious JPEG in IE will be enough that your machine will be compromised. Or in Outlook, or a variety of other programs.

It is critical that you patch every machine on your network, using both Windows Update and Office Update, as well as updating any other programs that use the DLL.

See these web sites for more information and locations to download patches: [microsoft.com...] and [microsoft.com...]

4:23 pm on Sept 19, 2004 (gmt 0)

Junior Member

10+ Year Member

joined:Nov 18, 2003
posts:191
votes: 0


Could this latest vulnerability be why we are suddenly getting a new rash of email viruses?

8:37 pm on Sept 20, 2004 (gmt 0)

New User

10+ Year Member

joined:Feb 6, 2004
posts:9
votes: 0


Here's a question I have that picks up on one of the questions posed by someone else. In the case of a site where visitors are allowed to upload images, is there some way to ensure the jpegs being uploaded are carrying a nasty payload?

Knowing a file pattern to look for, I'm thinking that I can use PHP (which handles the file uploading) to scan the files for it making sure it is clean.

Thanks,
Dwayne (who once again, without starting a flame fest, is glad he has a Mac).

7:41 pm on Sept 21, 2004 (gmt 0)

Preferred Member

10+ Year Member

joined:June 21, 2000
posts:626
votes: 0


In the case of a site where visitors are allowed to upload images, is there some way to ensure the jpegs being uploaded are carrying a nasty payload?

Sure is...the AV program that server is running.

I work with Symantec here and there. Even though there is no real world code in existence....YET, they are catching this as Bloodhound.Exploit.13 via the heuristics scan.

Take care,

Brian

8:24 pm on Sept 21, 2004 (gmt 0)

New User

10+ Year Member

joined:Feb 6, 2004
posts:9
votes: 0


In the case of a site where visitors are allowed to upload images, is there some way to ensure the jpegs being uploaded are carrying a nasty payload?

Sure is...the AV program that server is running.

I work with Symantec here and there. Even though there is no real world code in existence....YET, they are catching this as Bloodhound.Exploit.13 via the heuristics scan.

Perhaps this is where I am confused. On an ISP's LAMP architecture (Linux, Apache, MySQL & PHP) I have found no reference to virus scanning, as well, it is a Web server, not an e-mail server. Perhaps I am missing something, but my overall impression is that there is no reason to have virus scanning on a pure web server?

I think I see your point if the server is running e-mail and other services, but for a user-uploaded file, I am missing the link here.

If I am just totally out to lunch, let me know. Thanks, Dwayne

11:31 pm on Sept 21, 2004 (gmt 0)

Preferred Member

10+ Year Member

joined:June 21, 2000
posts:626
votes: 0


Perhaps I am missing something, but my overall impression is that there is no reason to have virus scanning on a pure web server?

Guess I just assumed when users are allowed to upload from the wild that a scan would happen on that stream. My mistake. You guessed right: I mainly do e-mail administration at the server level and AV. However, the web farm at our org. is not under my AV duties.

Take care,

Brian

7:16 pm on Sept 23, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 16, 2003
posts:1298
votes: 0


Sample code out public:
[asia.cnet.com...]

8:26 pm on Sept 23, 2004 (gmt 0)

New User

10+ Year Member

joined:Feb 6, 2004
posts:9
votes: 0


Perhaps I am missing something, but my overall impression is that there is no reason to have virus scanning on a pure web server?

Guess I just assumed when users are allowed to upload from the wild that a scan would happen on that stream. My mistake. You guessed right: I mainly do e-mail administration at the server level and AV. However, the web farm at our org. is not under my AV duties.

You're right about checking files uploaded from the wild, but, the checking now is done to ensure that it is a valid jpeg file (header check) and then, to be sure, there is some re-sizing done, so if it is not a jpeg, then well, the code returns a fail on the upload and it is never posted as a graphic.

In this new vulnerability, it is my impression that this virus is part of a valid jpeg, which is where my original query about the pattern matching comes in (which is what virus software does anyway right?). Just in this case, there is no AV software running on the web server, just the upload manager that ensures the files are valid jpegs.

Also, anyone know of a code chunk that can be scanned for to see if a jpeg contains this virus?

Thanks again for comments,
Dwayne
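
Dwayne's upload check (confirm the file is a valid JPEG, then re-encode it) and his question about pattern matching both call for something stricter than a magic-bytes header test. The following is an added example, not code from the thread or from any upload manager it mentions: a Python walk over the JPEG marker segments that rejects files whose segment length fields are impossible or run past the end of the file. The two sample files are constructed here; the re-encoding/resizing step he describes is a separate second step and is not shown.

```python
import struct

# JPEG markers. TEM (0x01) and RSTn (0xD0-0xD7) carry no length field; every
# other marker except SOI/EOI is followed by a 2-byte big-endian length that
# counts the two length bytes themselves.
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01} | set(range(0xD0, 0xD8))

def jpeg_structure_ok(data: bytes) -> "tuple[bool, str]":
    """Walk every marker segment; reject a file with no SOI, a length field
    below the 2 bytes it must include, a segment past EOF, or no EOI."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        return False, "no SOI marker"
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return False, f"expected marker at offset {pos}"
        marker = data[pos + 1]
        if marker == 0xFF:          # 0xFF fill bytes before a marker are legal
            pos += 1
            continue
        pos += 2
        if marker == EOI:
            return True, "ok"
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            return False, f"marker 0x{marker:02X}: truncated length field"
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]
        if seg_len < 2:
            return False, f"marker 0x{marker:02X}: impossible length {seg_len}"
        if pos + seg_len > len(data):
            return False, f"marker 0x{marker:02X}: segment runs past EOF"
        pos += seg_len
        if marker == SOS:
            # Entropy-coded scan data follows: skip to the next real marker
            # (0xFF not followed by a stuffed 0x00 or an RSTn marker).
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] != 0x00 \
                        and data[pos + 1] not in STANDALONE:
                    break
                pos += 1
    return False, "no EOI marker"

# Constructed sample files (not from the thread): a minimal JFIF skeleton with a
# 3-byte comment, and a copy whose comment length field claims only 1 byte.
GOOD_JPEG = (b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             b"\xFF\xFE\x00\x05abc\xFF\xDA\x00\x08\x01\x01\x00\x00\x3F\x00"
             b"\x12\x34\xFF\x00\x56\xFF\xD9")
BAD_LENGTH_JPEG = GOOD_JPEG.replace(b"\xFF\xFE\x00\x05", b"\xFF\xFE\x00\x01")
```

A file that passes this walk is only structurally well-formed; it still needs the decode-and-re-encode step before being served, since that discards any bytes the decoder never used.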

5:46 am on Sept 24, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Jan 7, 2004
posts:929
votes: 0


So resizing the pic, if not done, is THE solution?
Good news.

9:52 am on Sept 24, 2004 (gmt 0)

Preferred Member

10+ Year Member

joined:Sept 28, 2002
posts:505
votes: 0


To the question about pattern matching and scanning on a web server:
if you are running the Snort intrusion detection system, some Snort rules for bad JPEGs have been published on yesterday's ISC alert page:
[isc.sans.org...]

Regards,
R.

10:23 am on Sept 26, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member zeus is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 28, 2002
posts:3443
votes: 1


You can right click on a jpg picture, like set as background, where is the security risk there?