critical vulnerability in JPEG images (1 Viewer)

[jeff]

Microsoft warns of critical vulnerability in JPEG images
[PC Pro] 10:14

In its September security bulletin Microsoft has highlighted a 'critical' vulnerability in the processing of JPEG images across a huge swathe of its software products. The bulletin says that a specially built JPEG may cause a buffer overrun which will allow an attack to gain control of the machine.
This might raise a few eyebrows. Firstly, although rumours of image-borne viruses pop up quite regularly, they have turned out to be false alarms or you had to click on the image to run the malware. It now turns out that images simply viewed through a whole host of software from Outlook, to Internet Explorer to Word really can carry malicious code.

Secondly, Windows XP Service Pack 2 was supposed to banish buffer overflows in Windows software to the history books and the good news is that copies of Windows XP who have installed Service Pack 2 are safe from attack. The bad news is that Microsoft decided that its image processing should be consistent across all its products. To ensure that, the vulnerable graphics processing module was built into products such as Office XP, Visio 2002, Project 2002, Office 2003, Visio 2003, and Project 2003 so they would run consistently on older versions of the operating system. Therefore users of these products too need to fit a patch.

Microsoft says that no code exploiting the vulnerabilities have been found in the wild

 

[jeff]

JPEG exploit goes wild
[PC Pro] 11:57

Barely a fortnight following Microsoft's monthly security bulletin highlighting a vulnerability in the way its software handles images using the JPEG format, code to take advantage of the vulnerability has been found on images circulated in the EasyNews Usenet group.
The company says it has found two images containing the code, which - if viewed - would result in software being downloaded that would give a remote attacker access to files on the machine storing the images, as well as free reign to run code on it.

In a posting on the company's site, John Bissell writes: 'Through my limited testing I have found on a unpatched XP SP1 system that if you click the exploit jpeg file in Windows Explorer then you will be hacked.'

The messages state that at one point 93 users were logged on to the IP address from which the exploit was downloading nearly 2MB Trojan and other malicious software. However, a 'quick and nasty' PERL script has been put in place to make sure no such images infiltrate the network again.

The company has also not been able to find any code within the images that would allow it to self-propagate, so in this instance, it isn't classed as a worm.

Code that was able to take advantage of the JPEG bug began circulating on the Internet about a week ago.

As is common with much of the malicious software written to attack Microsoft vulnerabilities, this particular exploit appeared after Microsoft had issued a patch. Hackers often reverse engineer Microsoft's patches in order to create code to exploit the hole that the patch fixed. However, the time between releasing a patch and the appearance of malicious code to exploit the identified vulnerability grows ever shorter. Security experts greatest fear is a 'zero-day' exploit, where hackers launch exploit code less than a day after Microsoft issues a patch, so that no-one has time to update their systems.

 

[Bluetail]

Can't help wondering whether we'd be safer if Microsoft didn't just keep quiet about the holes in its software!

 

[walwyn]

Don't use MS software.

MS get blamed if they do release information and blamed if they don't. If you keep updating your virus checking software and security patches you'll keep the scitp kiddies away.

 

[jeff]

Don't use MS software.

MS get blamed if they do release information and blamed if they don't. If you keep updating your virus checking software and security patches you'll keep the scitp kiddies away.

A few think it's to get you to upgrade to XP SP2 a little quicker ;-) i'm safe, already done