News Major graphics flaw threatens Windows PCs

Hot on the heels (Ok, sort of luke-warmish on the heels) of the PNG vulnerability comes the news of a similar issue with JPEGs. This from News.com:

Microsoft published on Tuesday a patch for a major security flaw in its software's handling of the JPEG graphics format and urged customers to use a new tool to locate the many applications that are vulnerable.

The critical flaw has to do with how Microsoft's operating systems and other software process the widely used JPEG image format and could let attackers create an image file that would run a malicious program on a victim's computer as soon as the file is viewed. Because the software giant's Internet Explorer browser is vulnerable, Windows users could fall prey to an attack just by visiting a Web site that has affected images.

The severity of the flaw had some security experts worried that a virus that exploits the issue may be on the way.

More here

Fair play to Microsoft though, having a patch available as the news breaks...

 

Agreed, fair play to MS, but how is it possible that an image file, which is pure data and should have no reason to execute any code, can contain malicious code? Or rather, why does the image display routine have any reason to execute any part of the data as code rather than interpret it as part of the image?

 

I remember a while back when XP first came out someone on IRC sent me a link to some image and after the image finished loading my computer shut down like i clicked start and shutdown.

 

It's a bug in the image handling routine called a buffer overflow. A malicious jpeg would contain more data than the image routine anticipated. When it loads the jpeg's data into the buffer, the extra data, which would be code rather than image information overwrites the 'excecutable' portions of the program's memory. This means when the computer moves onto the next instruction as it normally would, it actually excecutes some cleverly placed malicious code.
This problem is the basis of almost every worm attack like this. Most of the worms that require no user interaction exploit some program's buffer overflow bug.

 

Yawn! Another reason to dump that rubbish browser and get the Fox!

They're close to a final release, you know.

 

Yeah I know that's how it's done (but thanks for the explanation - it's better than I could have explained it!), I suppose I was more just thinking out loud about how shoddily written the image display routine must have been (and many other MS code segments with similar vulnerabilities) to allow an overflow. You'd think the first thing the routine would do would be to count the size of the file and make sure it correllated with the stated size before loading it into memory. Hopefully the new protection bit on AMD's 64 bit processors, and the software protection in SP2, should reduce the hit rate of malware like this!

 

IE doesn't seem to be affected. It's only certain Windows programs that use the bad version of GDI+. There's a full list of what is affected and what isn't and a list of all the available updates here:

http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

 

*Cough*Referallink!*cough*

If anyone wanted firefox (i have no idea why anyone would) they can go get it at
http://www.mozilla.org/products/firefox/

 

Yes it's a referal link, so that the guys at Spread Firefox (the official marketing campaign) can keep track of downloads - they are trying to get 1 million in 10 days, and there are 8 days left, with only 312,000 downloads so far!

It's not like I actually get anything out of it... there's no money involved, apart from the money I have actually donated to the Mozilla project, which of course is a loss to me not a gain. I am doing my bit to help a worthy cause.

And why would anyone want Firefox? Because it's a HELL of a lot better than all the other browsers out there. The sooner people realise how crap IE is the better. I only ever use IE for Windows Update or Office Update because they both insist on using ActiveX (a major security flaw in itself).

Ahem, scroll down that page a bit... you'll see Affected Components: Internet Explorer 6 SP1. From looking at that entire list, to me it looks like any Microsoft software that can manipulate or display a JPEG is affected.

 

Actually, this doesn't just affect IE and there's another similar problem around too with png's that affects every browser that supports pgn and every OS. For once, Linux and Mac users aren't safe.

 

So that's why it's listed on Microsoft's page and requires patching? Erm.. ok.

On the PNG front:
PNG vulnerability confirmed in Firefox on 14th July.
Mozilla released Firefox 0.9.3 on 4th August.
News.com reported it on 5th August.
GOO reported it here on 6th August.

Problem sorted.

 

Erm, Mac users are - the PNG flaw was patched a while back.