Image Handling Flaw Puts Windows At Risk

An anonymous reader writes "Microsoft has released word that several image handling flaws may open Windows PCs to Spyware or viruses. From the article: 'We will continue to see this type of vulnerabilities in every major application for the foreseeable future ... It is not just images, but any type of complex file format. This is something that security researchers and hackers have realized to be a weak point in many applications.'"

Huh?

[by Anonymous Coward]

Windows wasn't open to spyware and viruses before?

Re:Time to switch to Macintosh

[evw (172810)]

You're confusing exploits with vulnerabilities. There have been plenty of vulnerabilities or haven't you been following all the security updates?

List of security updates for Mac OS X [apple.com]

Take for example Security Update 2005-008 [apple.com]

This update includes the following components:

ImageIO
LibSystem
Mail
QuickDraw
Ruby
SecurityAgent
securityd

Hmm. A security update that touches the ImageIO library?

p.s. before you flame/mod me into oblivion, I'm a happy Mac OS X user. Yes, Windows has way more bugs and a much worse security record. Is OS X invulnerable? No.

Re:Time to switch to Macintosh

[R3d M3rcury (871886)]

Hear hear! Actually, my favorite was the one in ColorSync. Very scary stuff, because some programs ignore ColorSync profiles, so you might still be able to view your images. But Safari and IE do not ignore them...

As an aside, this is where the the comment about "Macs have no viruses because they have low marketshare" holds some sway with me. I agree with everyone who says Macs are more secure than Windows, don't get me wrong. Once your code is running, it's much tougher to do anything to spread a virus in the same way that viruses spread in Windows. But part of it is that nobody really does the immense amount of reverse engineering necessary to write a virus or worm based upon an a published vulnerability. While, with Windows, an entire cottage industry has been built to figure that stuff out because there's money in it.

These things, as with many things in life, do not stem from one reason. Windows has viruses because of poor security. Windows has lots of viruses because of marketshare. Macs have fewer viruses because of better security. Macs have no viruses because of marketshare.

No. No. No.

[Just Some Guy (3352)]

As an aside, this is where the the comment about "Macs have no viruses because they have low marketshare" holds some sway with me.

Apache hosts vastly outnumber everything else combined. Postfix/Sendmail/Qmail/Exim probably have 90% of the email server market. There are many more installations of MySQL than MSSQL. And yet, how many worms have you seen roaring through the Internet unstopped that affect those applications? By any count, relatively very few.

And yet the bad guys, who even have the full s

Re:Time to switch to Macintosh

[PsychicX (866028)]

Normally I'd point out that if MS actually used third party libs for things like PNG and JPEG, they wouldn't have these problems (no more than anyone else, anyway). But since this applies to metafile bitmaps, which basically nobody uses, there's nothing to be done.

DUPE

[42Penguins (861511)]

This vulnerability is a dupe!
Windows has already had an image handling flaw!
Oh, it's Windows. False alarm.

Re:DUPE

[eln (21727)]

Times like this, you wish /. would use some other format for the posting date. Maybe one with the year in, for example. Sheesh.

If only there was some place that you could configure how posting dates are displayed. Perhaps in your user preferences [slashdot.org] somewhere...

Critical Bug?

[geomon (78680)]

Okay, so it is critical. The advisory contains the patch to correct the problem. This only becomes an issue if Windows users don't patch their machines.

What is the likelihood that users won't patch their machines? (cough!)

From TFA:

Mehta doesn't expect the latest Windows flaws to be exploited in a widespread attack. "We're not bracing for any major worm or malware outbreak, but we do expect them to be used in targeted attacks," Mehta said. "There is user interaction required, there has to be someone sitting at the other end in order to be compromised."

Yeah, like viewing an image from usenet. No one ever does that.

Re:Critical Bug?

[Marxist Hacker 42 (638312)]

Not just any image- a MetaFile. Other than when I'm on a Windows Machine using the Clipboard, I stay away from those suckers. They can, and do, contain just about anything.

Re:Critical Bug?

[conJunk (779958)]

What is the likelihood that users won't patch their machines?

Well, it went up on the slashdot mainpage, so that likelihood for a great number of users is a lot lower than it would have been.

The 35 users I'm responsible for just got an email instructing them on how to to do the patch, with links to the patch execs that now live on our local file server.

This model -- (1) Microsoft announces it; (2) I hear about it on /. or security focus (usually both); (3) my users hear about it from me -- works well.

Sure, that's a drop in the bucket for windows PCs, but the point is that the communication chanels are open, and as long as people have the oportunity to hear about these things, we can reasonably expect them to be responsible for implementing them

Of course, that's not an excuse for making vulnerable software in the first place...

Re:Critical Bug?

[Taladar (717494)]

Aren't you putting users at risk when telling them to patch in an Email? After all there are lots of scams with that theme (big vulnerability, patch here, patch is trojan).

Re:Critical Bug?

[shmlco (594907)]

Of course, we also have recent announcements of imaging bugs and vulnerabilities in Apple's QuickTime [zdnet.com] that can allow machines to be hijacked. As such, I gather *nix systems can and do have similar problems.

Re:Critical Bug?

[geomon (78680)]

As such, I gather *nix systems can and do have similar problems.

The volume is different, to be sure. That is probably an artifact of the number of users running the OS.

But your point is well taken; no operating system is immune to attack. Unfortunately, Windows users generally lack the discipline to patch their machines regularly. I don't know many *nix system users who do not perform regular updates.

That probably accounts for the low infection rates of *nix-related system.

Re:Critical Bug?

[geomon (78680)]

So usenet is dead?

Netcraft confirms it!

Re:Critical Bug?

[ozmanjusri (601766)]

So usenet is dead?

alt.binaries.necrophilia has been very quiet lately.

Re:Critical Bug?

[drsmithy (35869)]

I don't trust Microsoft [...]

Then why would you try to install the patch in the first place ? Heck, why would you even be running Windows ?

Managed code

[HeaththeGreat (708430)]

This is why we need more managed code.

An interesting question

[ThePyro (645161)]

Microsoft's .NET platform, which is supposed to be managed code, has built-in support for rendering WMF and EMF images (the image formats that are affected by this security vulnerability). So are applications written in .NET still vulnerable to the buffer overflow exploit, or was the underlying rendering code rewritten for the managed environment?

Writing managed applications won't protect you (completely) if the underlying framework isn't also managed.

Re:An interesting question

[dgatwood (11270)]

No, it isn't. There are plenty of ways to fix programming languages so that they don't have a risk of buffer overflow exploits without the performance hit of some bloated vitual machine. All that is really required is for there to be a lot stricter checking when doing operations involving pointers.

Change the following:

1. No static buffers. All buffers declared in a static fashion should be replaced by run-time dynamic buffers of the same size. This way all data objects are managed by malloc. This cre

Re:An interesting question

[SilverspurG (844751)]

How about we just raise the bar on coding practices and actually secure programming? Maybe we could teach strict logic flow structures.

The biggest excuse I hear from programmers for why they've violated strict logic flow is always,"Well, I was coding for speed and efficiency". With 3.0+GHz machines, what does it matter anymore? It's all a lot of hooey, too. The person learned that excuse from someone in 8th grade and they've latched onto it. When pressed they rarely even know what logical structure they've violated. They only know the excuse.

I think the biggest problem facing us is the inundation of object oriented programming languages. There's very little need to learn the strict mathematics of programming anymore. It is this laziness, and not any particular language, which is the root cause of the problem. Programming environments with sandboxes (ie. Java) are band-aids to a bigger problem.

The problem is with lazy programmers.

Re:An interesting question

[UncleFluffy (164860)]

The problem is with lazy programmers.

I've posted this before on Slashdot, so apologies for the dupe, but...

My first technical question in an interview is "what is wrong with this C code?"

void echo(void) { char *s; gets(s); puts(s); }

Over 50% of the "experienced C coders" I interview fail to get the answer right, and this has been a constant for about the last five years. Scary, isn't it? What's even scarier is when an employer hires them after I've flagged this in the post-interview chat.

what is wrong with that code

[r00t (33219)]

You might hit unwritable (possibly unmapped or kernel) memory before your uninitialized pointer overflows the stack. This makes the backdoor very unreliable. Also, on a 64-bit machine, you might have to transfer many terabytes of data.

Fixed code:

void echo(void) { char S; char *s= gets(s); puts(s); putchar('\n'); }

Note that the fixed code neatly avoids many stack protection mechanisms by not using a normal array. An improvement would be to use a more interesting struct to hold the data, with enough room to h

Re:what is wrong with that code

[UncleFluffy (164860)]

The code was different when I posted it. As usual, Slashdot eats my punctuation

Yeah, yeah, "the dog ate my homework". Heard it before ... ;-)

Re:An interesting question

[cbiltcliffe (186293)]

I was going to point out that "unnessacerally" was spelled incorrectly. I was then going to suggest that you could use Google as a spell checker, by typing your spelling into it, and seeing what it suggested with its "Do you mean...." thing.

Then I went and typed that spelling into Google, and found out that enough people have spelled it incorrectly on the web that Google doesn't know how to correct it, and suggests another incorrect spelling.

Correct spelling is "unnecessary".

Now, mod me down as a pedantic twit.

Re:Managed code

[plalonde2 (527372)]

But all the managed code's libraries weren't necessarily written in managed code. It's easy to see how "trusted" formats can have various pointer-arithmetic unchecked. Consider an image format that includes an offset to the start of some of its data: intercept the image, change the offset, and off you go at least feeding bad data to the application. Few loaders check that all these kinds of binary data are in range, programmers are lazy and just add the offset to their pointer :-( I guess more and more

Re:Managed code

[Johnno74 (252399)]

I think the GP post's point is the loader should be written in a managed language... and I agree. Eventually I think we'll see unmanged code regarded in the same way as inline assembly is today - great for the places where you need absolue balls to the wall performance, but otherwise stay away from it.

Lets face it, except for corner cases managed code is usually within a few % of the same speed as unmanaged code, and that few % isn't always on the slow side either.

Of course its possible to write crap manag

Practice safe image viewing folks!

[nizo (81281)]

Or your computer could get an STD (Screenally Transmitted Disease) from viewing pornographic images.

Re:Practice safe image viewing folks!

[oberondarksoul (723118)]

I get enough funny looks from my housemates already. I am not putting a condom over my monitor.

Ack!

[rubberbando (784342)]

So now not only will looking at the goatse picture make you vommit, it will take over your Windoze PC!

Will the horrors ever stop?!!

MSN Messenger felled by this months ago

[saskboy (600063)]

Both jpg and png was flawed in Windows, MSN Messenger, and even other image apps by a buffer overflow exploit where a specially crafted jpeg file with a virus "attachment" would crash the program and execute virus code. I have to agree that if they are still finding flaws, we'll be stuck with them for a while. Just imagine, every Windows 98 computer out there probably has this problem too, and there's no way it's going to be really fixed. It will never be safe to run even "safe" things like jpg and mp3 on old computers now. It's very, very disapointing news.

In a Messenger program that is always accepting new input in the form of pictures and messages, it's especially dangerous because anyone who's online will instantly become a zombie spewing out infection to their friends on their contact list. You really will get viruses through your personal contacts more than spamming-strangers in the future.

Re:MSN Messenger felled by this months ago

[webzone (924183)]

the current flaw affects WMF (Windows Metafile) and EMF (Enhanced Metafile) file formats only. This is not the same thing as any jpeg or png-related vulnerability

Ironic. 9x not affected.

[Tackhead (54550)]

> Just imagine, every Windows 98 computer out there probably has this problem too,

Ironic.

Non-Affected Software:
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)

- MS05-053 [microsoft.com] security bulletin

The usual MS obfuscation for "because we don't support 9x anymore, by definition there are no critical updates for 9x" is to state that 9x is "Not Critically Affected", with a URL to a page that defines "critically affected" in such a way as to exclude 9x.

"Not Affected", as claimed in MS05-053, is a stronger claim. That's not to say there aren't similar bugs in image-handling in 9x; only that the hole in this notice probably doesn't affect 9x.

Of Course

[NanoGator (522640)]

Of course, I think the developers who left these vulnerabilities open should be financially responsible for the damage this may cause.

When writing a parser, length checking is a must

[Harry Balls (799916)]

When writing a parser (for a graphical or non-graphical data file) it is advisable to sanity check the input data at every step.

Consider ASN.1 data (used, for instance, for digital certificates, certificate revocation lists, certificate requests and so on).
Each and every ASN.1 data element and each and every sub-element contains a length field. The ASN.1 parser should check whether the length field of a sub-element goes beyond the length of the enclosing data element, and so on ad infinitum.
If the parser detects a violation, parsing stops.

phishy... phishy...

[lcde (575627)]

'We will continue to see this type of vulnerabilities in every major application for the foreseeable future ... It is not just images, but any type of complex file format. This is something that security researchers and hackers have realized to be a weak point in many applications.'

In a later interview:"Only one known product suite on the market can protect you from these ongoing threats. MS-AntiVirus and MS-AntiSpyware. Only these two programs are equipt with the proper image handling algorithims to detect these known flaws inherent in all programs."

This seems like a big scheme to get people on their proprietary AV and AntiSpyware programs. Lets see... Find hole, fix hole, release press release about hole, plug product, patch hole for product users.

eesh.we will see.

typical case of code-based formats

[radarsat1 (786772)]

The WMF and EMF formats are just basically little programs full of GDI instructions. When you create one, you execute a bunch of GDI calls, with the WMF file as your Device Context. So essentially it's a shortcut-- an "easy" way to create a file format, based on the structure of the operating system's drawing code. I don't know about how the potential exploit works, but at first glance it seems like this is a typical case of designing a file format for "code convenience". Loading the file basically consists of loading a series of instructions and executing them. Now THAT sounds like a good idea! Easy to code for, but also easy to take advantage of. In other words, it's a lazy approach to coding. Lesson to be learned: File formats can be complicated! They must be designed to be a good *format*, not just to make coding easier. The more Microsoft designs its own file formats for each new technology it comes up with, the more we'll see this kind of thing. Better to find out what file formats are already out there, finding one that suits your needs, and supporting THAT, instead of coming up with one on your own. This is a case of re-inventing the wheel, badly.

Re:typical case of code-based formats

[cnettel (836611)]

Oh, a file format based on instructions, just like, uh, PostScript?

If you want detailed control over layout, especially with low overhead for rendering, an instruction based approach is quite good. The point is that no GDI call, in itself, should be able to mess things up and simple parameter validation of the WMF input should be enough when spooling the calls.

(Hey, Postscript is even Turing complete. There's nothing wrong with describing a picture as instructions to a state machine with some rendering primitives.)

Besides, WMF is 15+ years old now. The availability of formats for vector graphics that matched the features of GDI (while not being expensive, money-wise or performance-wise, to render by GDI) back then was a bit different. The format has never been used much for real files, but quite a lot for clipboard transfer of vector data (Excel graphs and whatnot).

Re:typical case of code-based formats

[elsilver (85140)]

Loading the file basically consists of loading a series of instructions and executing them. Now THAT sounds like a good idea!

I'm sorry, but how does this differ from any other vector-based graphics file format? Of course it's the instructions for how to draw the item. Of course they are executed. What else would you want them to do?

This is also how Postscript and PDF work. Actually post script is more than simple instructions, it is actually a programming language. This is part of why Apple/NeXT cho

Sorta like this quicktime one

[MushMouth (5650)]

While I hold no place in my heart for microsoft. Quicktime [com.com] appears to be having a very similar problem. But also remember that the libjpeg and libz also had similar problems exploitable on Linux patched in the last year. Expecting an OS, ANY OS to save you is a bigger security threat than some exploitable jpeg code.

I like this line of Grade-A bullshit....

[HotNeedleOfInquiry (598897)]

"We will continue to see this type of vulnerabilities in every major application for the foreseeable future ... It is not just images, but any type of complex file format. This is something that security researchers and hackers have realized to be a weak point in many applications."

If a programmer is taking the time and effort to interpret a complex file format, why can't he also take the time to validate it.

Re:I like this line of Grade-A bullshit....

[cnettel (836611)]

Of course you are right, but you are also ignorant if you don't realize that writing something that seems to interpret every valid file correctly is far easier than writing something that will accept every valid file and reject any invalid file, gracefully. Not to be said that it can't be done or that it shouldn't have been done. Just that it's far more difficult. Even when it's short and seems rather solid. zlib, anyone?

The real threat

[griffinn (240043)]

"Microsoft has released Word"

That is the real threat, my friend.

This is probably going to get modded as funny, but

[Patchw0rk F0g (663145)]

...I've been trying to get porn flash ads off MSNBC and Yahoo for weeks now, at home, when at work the sites are just fine. Spyware, right? Well, Spybot, Norton, and AdAware say... a resounding "No". Nothing there. Yet the front page of MSNBC and my Yahoo mail still have ads for some guitar software, daBoink.com, and some fucked-up screensaver rotating with nauseating frequency.

Oh, and before you ask... twice a week virus scans, two noted spyware blockers, and a reliable firewall. How reliable? Shit, /. port-scans me every time I freakin' post!

Okay, now go on and say it... all together now... "Serves... YOU... ......."

I've got the solution!

[SeaFox (739806)]

Only use plain text email and turn off all image loading in Internet Explorer!

Not only will this stop the spread of viruses, it will drive hundreds of thousands of noobs off the internet. Usenet will be stored to it's former glory and AOL will go out of business. Marketshare of Linux and MacOSX will skyrocket and peace and balance will be restored to the Force!

Adblock filters

[TopSpin (753)]

Add *.wmf and *.emf to your adblock filters (I presume if you browse with Windows you're using Firefox and Adblock, otherwise...) These formats hardly ever appear on the web. If you see one, it's probably an exploit.

Re:Another brownie point for the cause of DRM?

[plover (150551)]

I'm not sure how you extrapolated that. What makes you think the DRM code is going to be somehow "more resistant" to buffer exploits? It just shifts the focus from the "media viewer" portion to the "DRM decoder" portion of the software. But there are still buffers involved.

Besides, if you're passing "unprotected" content around you'll still have these issues. Not every JPG is going to suddenly be digitally signed and encrypted. Assuming the same "media viewer" application, you'll have the same bugs.

If anything, the DRM code just adds another layer of interpretation that's open to attack, making your system "less safe" rather than "more safe." More code == more potential for bugs.

Guy is from Internet Security Systems

[badriram (699489)]

Internet Security Systems != Microsoft.

This has nothing really to do with IE. IE here just happens to be a vector. If FF on windows was depending on those libraries to display those image formats they would be vulnerable as well.

Re:To Finish Microsoft's Quote.....

[drsmithy (35869)]

Lemme finish off that ... for them. "... until we learn that integrating IE directly into the OS was the biggest fuckup we ever made."

Let me guess, you're one of these dimwits who think "integrating IE directly into the OS" means it's part of the kernel ?

Re:complex file formats?

[Xyrus (755017)]

XML == Big fat files.
Binary == Little compact files.

Plus add the parser, schema, etc. and you got yourself a big chunk of bloat. A simple RIFF style binary file with GOOD coding practices will be much smaller and more efficient.

Good example: At a past employer, we wrote software that would generate output data files. They used to be binary, and were roughly 25 to 30 KB in size. Then the whole XML hype set in and our customers just had to have it all in XML. Now output files are between 1 and 2 MB, plus roug

Re:What the hell is it about buffer overflows?

[HermanAB (661181)]

The main cause is the C string operators, which traditionally use Null terminated strings. So the potential length of a string is unlimited. In Linux, functions like gets() are (have been) phased out in favour of getsn(), which has an explicit length:
int getsn(char *cp, int size);

This has been a huge effort executed using automated search methods and hand coding, to vet enormous amounts of Free code. Consequently the quality of GNU systems have improved dramatically, while the same cannot be said for MS code.

The problem is that if you overflow a buffer defined on the processor stack, then you can force a new return address into the Program Counter when a routine exits, thus giving the attacker control over the next piece of code to execute. This pice of code is typically part of the string that was used to overflow the buffer.