PDA

View Full Version : M$ JPG Vulnerability



Davros
09-26-2004, 10:20 PM
The following news article discusses a vulnerability in M$ software where the simple act of viewing a jpeg on the internet can be used as a mechanism to run malicious code on a client machine.

http://news.bbc.co.uk/1/hi/technology/3684552.stm

I'm not sure I understand this. The only way this makes sense to me is that M$ software is secretly using jpegs to store executable code.

This can't possibly be correct as such an implementation is insane. Even M$ can't be this inept/underhand. Can they? Or have I misunderstood things completely?

Any thoughts?

no-one
09-26-2004, 10:29 PM
you've misunderstood completely, i think whats involved is a buffer overflow, and it does not just effect Browsers it effects ANYTHING using GDI+ jpeg capabilities.

jverkoey
09-26-2004, 10:35 PM
Yaaah...how can an image format be run as code...? Only thing I can think of is buffer overruns...possibly...but shouldn't most buffer overruns be covered? Or I'm on crack...it just seems weird that a data file that's read in can be executed with its own commands..


-edit
yah, no-one said what i just said kinda...

anonytmouse
09-26-2004, 10:37 PM
Buffer Overrun Attacks (http://www.rootsecure.net/content/downloads/pdf_downloads/buffer_overruns.pdf) - (See Also) (http://community.core-sdi.com/~juliano/smashing/P49-4-Smashing_the_stack.txt)

Integer Manipulation Attacks (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure04102003.asp) - (See Also) (http://www.eweek.com/article2/0,1759,1545382,00.asp)

The JPG bug is a integer manipulation/heap overrun exploit. (http://www.eweek.com/article2/0,1759,1646424,00.asp)

I was under the impression that IE(and other browsers) were not affected.

Davros
09-26-2004, 10:37 PM
>you've misunderstood completely

OK. I think I am happy to have got that one wrong.

no-one
09-26-2004, 10:43 PM
buffer overruns involve some "seemingly" complicated stuff, that im neither prepared or willing to get into... and being not incredibally familiar with the subject, in my understanding of it, it involves a number very specific complicated changes to the JPEG to do.

but my main concern is the damage all these MASSIVE vunerabilities are doing to the market, because of the literally forced switching to not all that heavily security tested or attacked browsers...

and then the fact that i read an artical claiming MS would no longer patch IE for anything other than WinXP

jverkoey
09-26-2004, 10:50 PM
MS's screwed up. They're running around like chickens with their heads cut off, spreading themselves thin over so many markets that they're going to just kinda fizzle out (at least I imagine this happening pretty soon).

Personally, SP2 fux0red up my system (sorry for the l33t there, don't care to be really silly in this sentence) by not allowing me to even use the internet anymore after i installed it, and the firewall wasn't even turned on (NO firewalls were turned on)

Nyda
09-26-2004, 10:54 PM
Buffer overruns are fun. We had to "hack" a few "bombs" and other programs in classes at the university. It's not really that complicated if you know where the vulnerability is. It requires a little assembler knowledge but you don't need to be a guru to do it.
That's probably what makes it so dangerous. That and the fact that everybody in the windows world uses the exact same programs so a small vulnerability affects a massive amount of users.

This (http://www.informatik.uni-kiel.de/%7Ert-teach/ss04/v-arch/assignments/buflab.pdf) is one of the assignments we had to do. It was actually a lot of fun, even though the "bomb" makes it easy as it uses a normalized stack. Only the last part of the assignment uses a random stack.

BMJ
09-27-2004, 12:32 AM
All cool people on the interweb enjoy jumping on the Microsoft (or should I say, Micro$oft, heh heh heh!) hate-wagon. It's very clever and original!


anyway...


Considering that this only affects GDI+ functionality, and that it was patched 2 weeks ago... yea whatever. :)

Who would have guessed that dutiful hackers could find a stack overflow exploit in something M$ (heh heh heh!) wrote?

nvoigt
09-27-2004, 12:59 AM
Humans make mistakes and Microsoft is the largest sum of people to make mistakes that influences the most target machines, so it's very likely that bugs will be found and exploits will be written.

This bug seems to be in the GDI+ libraries, so any programm using this libraries will be vulnerable. Does that mean that all those vulnerable programms have this library statically linked ? Interesting question *g*

Any program accepting user input ( JPG bytes in this case ) can contain errors which in turn might be exploitable.

It has been announced, a fix from Microsoft has been out for two weeks, my best guess is that a virus will hit in the middle of the next week and devastate a number of machines far greater than netsky. I would not mind if it wouldn't be for the SPAM I'd get as result.

( Interesting assignment btw. I would have liked that one )

jverkoey
09-27-2004, 01:40 AM
All cool people on the interweb enjoy jumping on the Microsoft (or should I say, Micro$oft, heh heh heh!) hate-wagon. It's very clever and original!

Meh, I'm just annoyed that SP2's been causing so many problems (with me at least)...but then again, my entire laptop's been giving me problems lately.