Flaw in Microsoft JPEG Parsing 555
KDan writes "As reported by numerous sources, a new vulnerability has been disclosed (and patched) by Microsoft. This one concerns the parsing of JPEGs in XP Microsoft applications. A buffer overflow can be used to execute arbitrary code. So all those times you told your parents/friends that looking at images was safe - well, not anymore."
Re:If you think looking at images is safe... (Score:5, Informative)
Note to everyone else, It's safe to click on, but if you don't trust me, just go to time.com and take a look at the cover for the current magazine.
Is that the Windows splash screen? (Score:3, Interesting)
My first thought was that Time was exposing that Microsoft is behind/inside/running the US government.
Then I read the captions, and it's just something about how our borders are still open. Yeah, we're still the free country. No, our fight against terrorism is losing. Yay, we still have rights. No, we want the government to take those rights away. Yay, bring us your poor and tired, or at least they will be once they start working our overtime crazy schedules. No, I
Re:If you think looking at images is safe... (Score:5, Funny)
2) Goatse is a high bandwidth information highway in itself.
3) Goatse can be a hiding place.
4) Goatse tests the limits of humanity.
I ran out of ideas, AC's of the world please fill in the rest...
Re:If you think looking at images is safe... (Score:3, Funny)
Ever see a photo of Jack Valenti or Michael Eisner? It's sorta like that.
Why? (Score:4, Interesting)
Why doesn't someone sue Microsoft? After all people sue companies all the time even if the product in question has warning labels.
Re:Why? (Score:5, Insightful)
Other industries don't have that luxury though. An ice cream company can't put a label saying if you die eating our product we can't be at fault. One reason is that the FDA would go after them. Another reason is nobody would then buy the ice cream. But since it's so common in the software industry, people don't think twice about agreeing to the EULA.
Re:Why? (Score:3, Informative)
It's available, sort of.
It's called a "Service Level Agreement". SLAs are horrendously expensive, but big companies pay up because getting stuck without an SLA is even more expensive.
Re:Why? (Score:5, Insightful)
EULAs are the reason smarter people don't sue. They exempt the software vendor from an unimaginable amount of liability without the user ever knowing unless they read it.
There appears to be nobody in the third group: the group that understands where the problem is but doesn't understand what EULAs do. They'd be the type to sue.
The 4th group, which understands what an EULA does but doesn't understand how computers work, is likely the group that writes EULAs.
Re:Why? (Score:5, Insightful)
Because Microsoft didn't commit the crime. The criminal who used the exploit did. It's fun to suggest things that would get MS in trouble, but if they were suable for this, every other product in the world that you like would be in danger, including Linux.
Re:Why? (Score:5, Insightful)
On the other hand Microsoft spent years conditioning people to believe that computers just randomly shred your files.
Re:Why doesn't someone sue LINUX? (Score:3, Informative)
And neither of these is Linux; Linux is the kernel.
Re:MS can afford to defend itself, small bus. can (Score:3, Insightful)
It's just something to think about. (Like the settle out of court and no one knows about the settlements.)
Re:Why? (Score:3, Funny)
see: http://newegg.com/ [newegg.com]
Combined with airpwn.....wow (Score:5, Insightful)
Man...talk about attack vectors. This would make a killer (as in bad) worm.
IM
Email
Browsers (probably several)
Anything....heck just copy exploit code to every accessible jpg file on a machine and/or network.
As usual, the writers of the "mitigating factors" section don't seem to have much imagination.
Remember the airpwn project? You could trojan/crack every unpatched machine on a wireless network that pulls up a web browser. And what about those folks who whacked interlands proxies to inject code? Just inject jpgs.
Does anyone know if this can be 'stealth' injected into a JPG (like some of those mp3 issues), or is it standalone exploit code?
Aw, c'mon AC, RE: useless buzzword alert!!!! (Score:4, Funny)
You're right, I should have said "Airpwn could leverage the synergies of this vulnerability and streamline the deployment...with or without interactive buy-in by stakeholders"
Seriously, if you're going to be cute about buzzwords, at least wait until someone uses a real buzzword..."attack vector" is a real term and hasn't reached convergence in the buzzword mindshare yet.
Not the problem (Score:5, Insightful)
The problem is not "forcing" people to open attachments, the problem has always been that people open attachments.
Re:Not the problem (Score:5, Funny)
Let's see....
Ok, check your email now.
Re:Not the problem (Score:3, Interesting)
Most people don't know how to turn off images in their browsers much less why they would want to do so.
Re:Not the problem (Score:2, Interesting)
If it's that easy to tell the difference between hostile and benign content, then the differentiation should be done in the application in the first place. If programmers aren't up to doing this, what chance does Joe average user have?
Oh, wait, the programmers did do it, just not the ones that work for M$.
Re:Not the problem (Score:5, Informative)
* Windows XP
* Windows XP Service Pack 1 (SP1)
* Windows Server 2003
* Internet Explorer 6 SP1
* Office XP SP3
Note Office XP SP3 includes Word 2002, Excel 2002, Outlook 2002, PowerPoint 2002, FrontPage 2002, and Publisher 2002.
* Office 2003
Note Office 2003 includes Word 2003, Excel 2003, Outlook 2003, PowerPoint 2003, FrontPage 2003, Publisher 2003, InfoPath 2003, and OneNote 2003.
* Digital Image Pro 7.0
* Digital Image Pro 9
* Digital Image Suite 9
* Greetings 2002
* Picture It! 2002 (all versions)
* Picture It! 7.0 (all versions)
* Picture It! 9 (all versions, including Picture It! Library)
* Producer for PowerPoint (all versions)
* Project 2002 SP1 (all versions)
* Project 2003 (all versions)
* Visio 2002 SP2 (all versions)
* Visio 2003 (all versions)
* Visual Studio
Note Visual Studio
* Visual Studio
Note Visual Studio
* Platform SDK Redistributable: GDI+
Re:Not the problem (Score:3, Insightful)
I'm not trying to get both sides of the flame war to attack me, but I -like- Windows 2000. I haven't had to format in a couple years and most of these new security holes pass me by.
If you ask me Windows XP is Windows 2000 + bloat + security holes.
Can anybody give me a convincing reason to "upgrade" to XP? I even own a legitimate hologram cd (of XP) that I got at a
Re:Not the problem (Score:5, Insightful)
How easy would it be to make a website about almost anything and containing one of these babies?
On a sidenote, would Firefox on Windows be vulnerable? Does it use Microsoft's JPEG library or does it have libjpeg embedded?
Microsoft rolls their own buggy JPEG reader... (Score:5, Interesting)
Any bets on how long it'll be until someone finds either a hole in the Microsoft PNG decoder or libJPEG? We've had holes in libPNG and Microsoft's JPEG decoder.
Re:Microsoft rolls their own buggy JPEG reader... (Score:3, Informative)
>
> Any bets on how long it'll be until someone finds either a hole in the Microsoft PNG decoder or libJPEG? We've had holes in libPNG and Microsoft's JPEG decoder.
Ah, but in a world of closed-source third-party software, who's "everyone"? Without a sample JPEG as a proof-of-concept of the vector, there's no trivial way to tell whether FooView32.exe v1.03, or BarSee.exe v4.9 uses and/or was built with the affected components.
This is a real-world issue. Anyone
Personal attack... (Score:5, Funny)
Now this. Considering how many bugs are reported in all version of MS software, it is entirely possible that there are PERSONAL bugs. "This one is for Charles. Let's fuck with him."
Sigh...
-Charles
Re:Personal attack... (Score:5, Interesting)
Is anything safe? Should I start telling people, "No, actually nothing is safe, and you should just not use the computer if you don't want it infected with something nasty".
Or just get them Macs.
Re:Personal attack... (Score:5, Insightful)
Basically: as difficult as it is to work with Linux (even Debian unstable. Vis: Wireless USB thingies, USB thingies in general, Kernel 2.6 upgrade + CDRom burning, etc), that pain is reduced 999x over by not having to run Ad-aware every 2 hours, and not having to worry about patching the bug of the month that allows remote-root worms. At work I admin a little Debian-stable server because our IT/Unix department is mostly l4me, and have it set up to cron @daily apt-get "search for security updates" and email to our group. Get about 1-2 every other month, and that's with Known, Old software (provably more secure after every security bugfix). I can't imagine running windows for anything important. It's like being in middle-school with a big "Kick Me" sign taped to your ass.
--Robert
Back in the day (Score:5, Insightful)
Of course if the same codebase were used then, it NEVER was ok...but we sure thought things were juuuust fine.
Is this in any way related to the leaked code that led to a vuln discovery regarding BMP files? I know it's a different format but it seems like parsing image files spells some trouble.
this isn't the first image exploit (Score:5, Interesting)
if memory serves there was even a png patch for linux this past summer.
gif exploits have been around for a while too.
the real worry here, as with most M$ security releases is how long they knew about it, and whether they waited until SP2 was released so they could say that their new software didn't have that vulnerability.
microsoft security department, we take orders from marketing!
Re:this isn't the first image exploit (Score:3, Informative)
That, if I understand correctly, is what DEP protects against. (Hence the acronym: data execution protection.)
Re:Untrusted data (Score:3, Insightful)
Secondly, you would then have issues with security problems in the VM. You don't think that would be perfect either do you?
Re:Untrusted data (Score:3, Interesting)
That'll protect against most, but not all, buffer overflows. What it won't protect against are attacks that overwrite the stack and then write a return address to code that'll treat what's on the stack as arguments that make it do something nasty.
Note that these attacks are only guaranteed to succeed if the attacker has access to the same binary as you. Building your own binaries with an obscure compiler (or at least different compiler options) may be of assistance here.
IIRC Intel has always built execute
Microsoft should give up on IE (Score:5, Funny)
They should forget about Internet Explorer and try their hand at a different line of software...
Thank god for ASCII pr0n! (Score:5, Funny)
www.asciipr0n.com [asciipr0n.com]
Spin Control (Score:5, Insightful)
I like the phrase "no way to force users to visit a malicious Web site". How many users have image views enabled in their mail client? How hard would it be for a shady advertiser or a hacked advertiser to include a malicious JPEG as a banner ad?
Pain in the ass to update (Score:5, Interesting)
Normally, I just read the whitepapers, run a test on a workstation then roll out a Windows update using the free SUS server. This one, I'm going to have to roll out the update (just for XP SP1 users), figure out an update plan for Office, figure out who actually uses those image programs, etc.
And here's a question: SP2 isn't affected. Why didn't they roll out this fix in SP1 *before* rolling out SP2, if they clearly knew it needed fixing? Most companies I know (mine included) are in the middle of testing SP2 migration plans. This adds another wrinkle to the whole process.
Re:Buffer overflows are caused by lazy coders (Score:3, Informative)
Isn't that one of the classic ways a buffer-overflow condition can exist? You're not bothering to check the actual length of your input; you're assuming it will be within bounds.
First rule of secure programming: don't trust the input.
Remember the days? (Score:5, Funny)
Microsoft made it possible.
When you assumed you couldn't get attacked by loading a web page?
Microsoft made it possible, too.
When you swore you couldn't get infected just by receiving e-mail?
Microsoft made it possible, again.
And now, by the very same people who gave you all that...
The JPEG parser vulnerability!!!
God, this company has really brought innovation to the industry!
It just makes me shudder... (Score:4, Insightful)
... at the horrendous software implementation errors that people are still making in this day and age. *There is no reason for buffer overflows to happen*. Every PC bought in the last five years (at least) is fast enough to bounds check every array / buffer access for all but the most performance-driven applications. Loading a JPEG from a stream is IO-bound enough for bounds checking to be negligible.
From what I read, I gather that buffer overflows account for a large portion of all platform vulnerabilities - Intel & AMD have even implemented a 'no execute' feature in their latest CPUs to go some way to counteract this. I see this as useful, but perhaps overkill - it is *simple* to avoid buffer overflows and the 'no execute' feature could potentially impede development of programs that generate code on the fly (such as Java VMs). The low-level programmers that have been developing C for 20 years just need re-educating. Somebody should tell them computers run at more than 8 MHz now...
(That last comment is not meant to be taken too seriously)
This post is only directed towards Todd Walters (Score:5, Funny)
I Told You So.
BTW if you see this leave me a post, I haven't heard from you in 12 years and I don't know where you are.
Re:Todd Waters Here (Score:3, Funny)
Nice try for a troll, but you might want to spell your own name correctly next time....
Re:This post is only directed towards Todd Walters (Score:5, Informative)
They start loading the file and pretty much ask it "How big are you?" The file says something like -1. They then say ok, I need -1 memory so let's allocate -1 memory. They then proceed to turn over "ownership" of the entire computer to the image file. They then ask the file "Ok, so where does the next piece of the picture go?". The file then says "Ohhhh, why don't you clobber the most important thing in memory and put the 'picture' there!". The computer then proceeds to grab its next instruction, which now happens to come from the middle of the 'picture'. It just jumps into the middle of the picture as if it were an EXE file.
There are different variations, the stack, the heap, whatever. But that's the general idea.
In some ways it's really stupid for them to accept insane instructions from the picture like that, but on the other hand it's a semi-common and almost reasonable/lazy error. But no matter how you cut it, it is exactly the sort of thing they should have specifically looked for and it's appalling that they allowed it into the shipping product. They did the same sort of thing with bitmap files, they did the same sort of thing with media player files, the same sort of thing all over the place in reading e-mail files, they did it in gopher, they did it all over the browser, they did it freaking everywhere.
-
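The post above, the "don't trust the input" rule a few posts up, and the "bounds checking is cheap" comment all describe the same defect from different angles: a decoder that takes a size field from the file and arithmetics on it without checking it against the bytes it actually has. The following is an added example written for this thread, not code from any poster and not Microsoft's or libjpeg's code. It walks JPEG marker segments (every segment after SOI carries a big-endian 16-bit length that includes its own two bytes) and shows, side by side, the unchecked `len - 2` computation that wraps to a huge value for a length of 0 or 1, and a walker that rejects that case and also rejects a segment that claims more bytes than remain. The status names, the helper functions and the three byte strings are constructed for the example and are not real files.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status codes for the validating segment walker (names are this example's own). */
enum jpeg_status {
    JPEG_OK = 0,
    JPEG_ERR_NO_SOI,        /* stream does not start with FF D8 */
    JPEG_ERR_BAD_MARKER,    /* expected an FF marker prefix, found something else */
    JPEG_ERR_BAD_LENGTH,    /* declared length < 2: len - 2 would underflow */
    JPEG_ERR_TRUNCATED      /* segment claims more bytes than the buffer holds */
};

/* The lazy computation the thread is complaining about. A segment length counts
 * its own two bytes, so a decoder computes payload = len - 2. With len = 0 or 1
 * that wraps to an enormous unsigned value: the "-1 bytes" of the post above. */
size_t unchecked_payload_len(uint16_t len)
{
    return (size_t)len - 2;   /* len = 1 yields SIZE_MAX */
}

/* Walk marker segments from SOI up to SOS or EOI, validating every declared
 * length against the bytes actually present. Stores the segment count in *count. */
enum jpeg_status jpeg_walk_segments(const uint8_t *buf, size_t n, size_t *count)
{
    size_t pos, seen = 0;

    if (n < 2 || buf[0] != 0xFF || buf[1] != 0xD8)
        return JPEG_ERR_NO_SOI;
    pos = 2;

    for (;;) {
        if (pos + 2 > n)                          /* not even room for a marker */
            return JPEG_ERR_TRUNCATED;
        if (buf[pos] != 0xFF)
            return JPEG_ERR_BAD_MARKER;
        uint8_t marker = buf[pos + 1];

        if (marker == 0xFF) {                     /* fill byte before a marker */
            pos++;
            continue;
        }
        if (marker == 0xD9 || marker == 0xDA) {   /* EOI, or SOS: entropy-coded data follows */
            *count = seen;
            return JPEG_OK;
        }
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7)) { /* TEM / RSTn: no length */
            pos += 2;
            seen++;
            continue;
        }

        if (pos + 4 > n)                          /* marker present, length field cut off */
            return JPEG_ERR_TRUNCATED;
        uint16_t len = (uint16_t)((buf[pos + 2] << 8) | buf[pos + 3]);

        if (len < 2)                              /* the check the unchecked version lacks */
            return JPEG_ERR_BAD_LENGTH;
        size_t payload = (size_t)len - 2;
        if (payload > n - (pos + 4))              /* compare with what remains, not with the field alone */
            return JPEG_ERR_TRUNCATED;

        pos += 4 + payload;
        seen++;
    }
}

/* Convenience wrappers: validation status only, and segment count or -1 on rejection. */
enum jpeg_status jpeg_validate(const uint8_t *buf, size_t n)
{
    size_t unused = 0;
    return jpeg_walk_segments(buf, n, &unused);
}

int jpeg_segment_count(const uint8_t *buf, size_t n)
{
    size_t c = 0;
    return jpeg_walk_segments(buf, n, &c) == JPEG_OK ? (int)c : -1;
}

/* Constructed inputs (not real files): one well-formed stream, two malformed ones. */
static const uint8_t kGood[] = {
    0xFF, 0xD8,                                        /* SOI */
    0xFF, 0xE0, 0x00, 0x10,                            /* APP0, length 16 */
    'J', 'F', 'I', 'F', 0x00, 0x01, 0x01, 0x00,
    0x00, 0x01, 0x00, 0x01, 0x00, 0x00,
    0xFF, 0xFE, 0x00, 0x07, 'h', 'e', 'l', 'l', 'o',   /* COM, length 7 */
    0xFF, 0xD9                                         /* EOI */
};
static const uint8_t kBadLen[] = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x01, 0xFF, 0xD9 };           /* COM length 1 */
static const uint8_t kTrunc[]  = { 0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x40, 'a', 'b', 0xFF, 0xD9 }; /* COM claims 64 bytes */

int main(void)
{
    printf("good:      status %d, %d segments\n", (int)jpeg_validate(kGood, sizeof kGood), jpeg_segment_count(kGood, sizeof kGood));
    printf("bad len:   status %d\n", (int)jpeg_validate(kBadLen, sizeof kBadLen));
    printf("truncated: status %d\n", (int)jpeg_validate(kTrunc, sizeof kTrunc));
    printf("unchecked payload for len=1: %zu\n", unchecked_payload_len(1));
    return 0;
}
```

The two checks in the walker are the whole point: `len < 2` catches the underflow, and `payload > n - (pos + 4)` refuses to believe a size the file cannot back up with real bytes. Both are one integer comparison per segment, which is the "negligible cost" argument made above in concrete form.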
Every hole in Windows... (Score:4, Insightful)
A buffer overflow can be used to execute arbitrary code
[OT] Speaking of Parsing JPEGs... (Score:5, Funny)
Is there any kind of a browser plug-in I could use to decipher steganographically enhanced JPEG [linux01.gwdg.de] images that might just come over plain old unsuspicious unencrypted http?
GIFs were evil, PNG support lacked transparency, now JPEGs can cause buffer overflows - I'd say that IE has an image problem... Excuse me while I just run away now.
more interesting than you think (Score:3, Interesting)
And that's just what happened. .NET Framework is heavily dependent on GDI+. Now you can use a managed software to hack the system.
no way to force you to open a jpeg? (Score:5, Insightful)
This has got to be one of the stupidest things MS has ever said.
It's called spam!!!
99.999% of email programs and browsers automatically "open" images for viewing
We all get spam
the image can be a logo or something nonsuspicious
embedded in the email
So you only have to read the email
to get infected
Re:no way to force you to open a jpeg? (Score:5, Informative)
Michael
Wow, I mean seriously, wow (Score:5, Insightful)
Isn't it interesting that when Microsoft is fighting court cases, Internet Explorer is considered "part of the operating system". But in this case they make the distinction between products, so that this flaw is "important" for one piece and "critical" for another.
It's clear to me that Windows, Office and other related Microsoft products are simply unrepairable. And I don't buy the argument that it's because they've got the biggest market share that these problems are made known. If that's the case, then how come Apache with over 60% of the market and millions of installations is not fraught with as many defects as Microsoft products?
Solution: Microsoft has to open source their code. It will never happen, but they've proven beyond a shadow of a doubt that they can't fix their own code.
Re:Wow, I mean seriously, wow (Score:5, Insightful)
Go compare the number of vulnerabilities in IIS6 and Apache 2, you'll be very surprised.
I'm sick of this (Score:3, Interesting)
I really wish my mom would get broadband so I could install/admin linux from here.
BC
Now I feel somewhat safer (Score:3, Insightful)
Honestly, looking at something like emails -- what does all this "metadata" add that isn't available from plain text information content? Want a hyperlink, spell out its URL. Want some lines? Play around with hyphens. It's really not so bad, and so so much less dangerous.
Meanwhile, (Score:5, Funny)
On a completely and totally unrelated topic, does anybody know where I can buy lots of banner ad space in bulk?
Re:Damn It. (Score:4, Insightful)
I hope now that png, mp3, and jpg decoders have had vulnerabilities people will be a little more careful in the future.
It isn't necessarily about being careful. If people were that careful about writing all their software, software would take ages to finish writing.
And even then there would still be security flaws. I think the saying about bugs goes something like "Any non-trivial program has at least one bug." I think the same could probably be said for security vulnerabilities.
Sure, we probably shouldn't be seeing buffer overflow exploits anymore considering the amount of attention they have gotten, but it isn't necessarily worth it to go back and review all your code just to find one type of vulnerability when others will be found eventually anyway.
Re:Damn It. (Score:5, Interesting)
Your code is probably full of security holes, just like everybody's, and the fact that you think it's so simple is clear evidence...
Look, even Knuth was so certain that his code could not possibly be bugged that he promised a prize for the persons who would find bugs. And still, some were found. And we are talking about a program that was mathematically provable, and made by the living god of computer science, damnit!
And you think that your code, which is sitting on dozens of layers speaking to each other behind your back, and made with a high level language, cannot possibly have an unknown bug which could cause a security hole?
If so, then you're a security hole yourself.
Re:Damn It. (Score:3, Interesting)
In Knuth's case, he didn't say "I bet $100,000,000,000 that nobody can find a bug!". He created an incentive for people to review his code for bugs. There's a big difference.
Re:Damn It. (Score:3, Informative)
Here you go!
From Wikipedia:
WARNING! All of these addresses lead directly to the pornographic image described above.
The website is available from at least six other locations, all of which are still up:
http://hick.org/goat/ also http://198.247.175.96/goat/
http://retropay.com/goatse/goatse.cx/
http://web.archive.org/web/20030623201150/http://goatse.cx/
http://synflood.at/mirrors/goatse.cx/
http://www.goatse.org/mirror/
These sites have the same contents as Goatse.cx before it went dow
Re:Oh my god (Score:5, Funny)
I was surfing porn and got herpes.
That would be soooo funny.
Re:Just plain crappy (Score:3, Insightful)
Ultimat
Re:Fair Play (Score:5, Insightful)
If you actually knew what you're talking about, you'd know that the JPEG format is definitely not the easiest file format to support, and you'd also know that coding mistakes can happen everywhere, as witnessed daily in the open source community.
So instead of going on an unjustified rant against MS because of something that happens daily everywhere, just chill out.
Open source jpeg libraries? (Score:3, Interesting)
Isn't it a reasonable assumption, that MSFT is using open source JPEG libraries just like anyone else? Shouldn't we audit libjpeg now, just to be sure?