Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Bug Operating Systems Software Windows IT

Flaw in Microsoft JPEG Parsing 555

KDan writes "As reported by numerous sources, a new vulnerability has been disclosed (and patched) by Microsoft. This one concerns the parsing of JPEGs in XP Microsoft applications. A buffer overflow can be used to execute arbitrary code. So all those times you told your parents/friends that looking at images was safe - well, not anymore."
This discussion has been archived. No new comments can be posted.

Flaw in Microsoft JPEG Parsing

Comments Filter:
  • by apanap ( 804545 ) on Tuesday September 14, 2004 @05:27PM (#10250682) Journal
    ...you obviously never saw goatse...
  • Why? (Score:4, Interesting)

    by DAldredge ( 2353 ) <SlashdotEmail@GMail.Com> on Tuesday September 14, 2004 @05:28PM (#10250695) Journal
    If a small company releases a product and people get harmed the lawyers decend like a pack of wolves to sue them.

    Why doesn't someone sue Microsoft? After all people sue companies all the time even if the product in question has warning labels.
    • Re:Why? (Score:5, Funny)

      by Anonymous Coward on Tuesday September 14, 2004 @05:30PM (#10250710)
      because any lawyer that has a chance of winning already works for microsoft
    • Re:Why? (Score:3, Informative)

      by jd10131 ( 46301 )
      Four letters: EULA
      • Re:Why? (Score:5, Insightful)

        by Stevyn ( 691306 ) on Tuesday September 14, 2004 @06:05PM (#10251005)
        Yeah exactly. When I saw the grandparent post I slapped my forehead. The EULA clearly states that anything bad that happens to you isn't Microsoft's fault. Most software programs have that same clause in their license. If it weren't for that, Microsoft would have been killed by lawsuits years ago.

        Other industries don't have that luxury though. An ice cream company can't say put a label saying if you die eating our product we can't be at fault. One reason is that the FDA would go after them. Another reason is nobody would then buy the ice cream. But since it's so common in the software industry, people don't think twice about agreeing to the EULA.
    • Re:Why? (Score:5, Insightful)

      by St. Arbirix ( 218306 ) <matthew.townsend ... m ['gma' in gap]> on Tuesday September 14, 2004 @05:47PM (#10250868) Homepage Journal
      I think that the kind of people who sue despite warning labels aren't going to be gunning for their OS Vendor (what's an OS? It's the computer's fault!). The average layman uses Occam's Razor to place blame on a computer. If something goes wrong it's most likely that their child did it or the computer is just broken and IBM or Dell is to blame.

      EULA's are the reason smarter people don't sue. They exempt the software vendor from an unimaginable amount of liability without the user ever knowing unless they read it.

      There appears to be nobody in the third group: the group that understands where the problem is but doesn't understand what EULA's do. They'd be the type to sue.

      The 4th group, which understands what an EULA does but doesn't understand how computers work, is likely the group that writes EULA's.
      • Re:Why? (Score:3, Insightful)

        Then there's the 5th group, who realize that EULAs aren't worth the paper they're not printed on, but don't feel like wasting their personal fortunes fighting a case against a major corporation over what is most likely small claims. (less than $5000 damages)
    • Re:Why? (Score:5, Insightful)

      by NanoGator ( 522640 ) on Wednesday September 15, 2004 @12:20AM (#10253450) Homepage Journal
      "Why doesn't someone sue Microsoft? "

      Because Microsoft didn't commit the crime. The criminal who used the exploit did. It's fun to suggest things that would get MS in trouble, but if they were sue'able for this, every other product in the world that you like would be in danger, including Linux.
  • by flinxmeister ( 601654 ) on Tuesday September 14, 2004 @05:29PM (#10250698) Homepage
    (Glad I stuck with IE 5.01 sp3 on NT)

    Man...talk about attack vectors. This would make a killer (as in bad) worm.

    IM
    Email
    Browsers (probably several)
    Anything....heck just copy exploit code to every accessible jpg file on a machine and/or network.

    As usual, the writers of the "mitigating factors" section don't seem to have much imagination.

    Remember the airpwn project? You could trojan/crack every unpatched machine on a wireless network who pulls up a web browser. And what about those folks who whacked interlands proxies to inject code? Just inject jpgs.

    Does anyone know if this can be 'stealth' injected into a JPG (like some of those mp3 issues), or is it standalone exploit code?
    • by Anonymous Coward on Tuesday September 14, 2004 @05:32PM (#10250728)
      The parent post has been flagged for violation of the "Anti Buzzword Use Act". Specific violation: use of the phrase "attack vector". Sanction: exile from use of any computer, writing utensil or paint brush for 10 years.
      • by flinxmeister ( 601654 ) on Tuesday September 14, 2004 @05:41PM (#10250827) Homepage
        The parent post has been flagged for violation of the "Anti Buzzword Use Act". Specific violation: use of the phrase "attack vector".

        You're right, I should have said "Airpwn could leverage the synergies of this vulnerability and streamline the deployment...with or without interactive buy-in by stakeholders"

        Seriously, if you're going to be cute about buzzwords, at least wait until someone uses a real buzzword..."attack vector" is a real term and hasn't reached convergence in the buzzword mindshare yet.
  • Not the problem (Score:5, Insightful)

    by MikeMacK ( 788889 ) on Tuesday September 14, 2004 @05:30PM (#10250708)
    "The vulnerability could only be exploited by an attacker who persuaded a user to open a specially crafted file or to view a directory that contains the specially crafted image," Microsoft said in a statement. "There is no way for an attacker to force a user to open a malicious file."

    The problem is not "forcing" people to open attachments, the problem has always been that people open attachments.

    • Does this also affect JPEG attachments in Outlook?
    • Re:Not the problem (Score:5, Insightful)

      by Carnildo ( 712617 ) on Tuesday September 14, 2004 @05:33PM (#10250744) Homepage Journal
      Sounds to me like it should be sufficient simply to have a tainted JPEG image on a web page.
      • Re:Not the problem (Score:3, Interesting)

        by Gooba42 ( 603597 )
        Or maybe inject one as an Ad somewhere?

        Most people don't know how to turn off images in their browsers much less why they would want to do so.
    • Re:Not the problem (Score:2, Interesting)

      by suckfish ( 129773 )
      Blaming the victims for opening attachments is silly.

      If it's that easy to tell the difference between hostile and benign content, then the differentiation should be done in the application in the first place. If programmers aren't up to doing this, what chance does Joe average user have?

      Oh, wait, the programmers did do it, just not the ones that work for M$.
    • Re:Not the problem (Score:5, Informative)

      by Carnildo ( 712617 ) on Tuesday September 14, 2004 @05:39PM (#10250811) Homepage Journal
      The full list of affected programs, from Microsoft's site:

      * Windows XP
      * Windows XP Service Pack 1 (SP1)
      * Windows Server 2003
      * Internet Explorer 6 SP1
      * Office XP SP3
      Note Office XP SP3 includes Word 2002, Excel 2002, Outlook 2002, PowerPoint 2002, FrontPage 2002, and Publisher 2002.
      * Office 2003
      Note Office 2003 includes Word 2003, Excel 2003, Outlook 2003, PowerPoint 2003, FrontPage 2003, Publisher 2003, InfoPath 2003, and OneNote 2003.
      * Digital Image Pro 7.0
      * Digital Image Pro 9
      * Digital Image Suite 9
      * Greetings 2002
      * Picture It! 2002 (all versions)
      * Picture It! 7.0 (all versions)
      * Picture It! 9 (all versions, including Picture It! Library)
      * Producer for PowerPoint (all versions)
      * Project 2002 SP1 (all versions)
      * Project 2003 (all versions)
      * Visio 2002 SP2 (all versions)
      * Visio 2003 (all versions)
      * Visual Studio .NET 2002
      Note Visual Studio .NET 2002 includes Visual Basic .NET Standard 2002, Visual C# .NET Standard 2002, and Visual C++ .NET Standard 2002.
      * Visual Studio .NET 2003
      Note Visual Studio .NET 2003 includes Visual Basic .NET Standard 2003, Visual C# .NET Standard 2003, Visual C++ .NET Standard 2003, and Visual J# .NET Standard 2003.
      * .NET Framework 1.0 SP2
      * .NET Framework 1.0 SDK SP2
      * .NET Framework 1.1
      * Platform SDK Redistributable: GDI+
      • Re:Not the problem (Score:3, Insightful)

        by Thaelon ( 250687 )
        So Windows 2000 is unaffected....I see more and more reasons every day for NOT "upgrading" to XP.

        I'm not trying to get both sides of the flame war to attack me, but I -like- Windows 2000. I haven't had to format in a couple years and most of these new security holes pass me by.

        If you ask me Windows XP is Windows 2000 + bloat + security holes.

        Can anybody give me a convincing reason to "upgrade" to XP? I even own a legitimate hologram cd (of XP) that I got at a .NET launch event, and I've never used it.
        • Re:Not the problem (Score:4, Informative)

          by Methuseus ( 468642 ) <methuseus@yahoo.com> on Tuesday September 14, 2004 @11:34PM (#10253158)
          the only reason I had to upgrade to XP is cause I got it for free and was using a pirated copy of 2000. Plus I found it had much better driver and game support than 2000 even though they are basically the same architecture. Go MS, makig 2 almost identical operating systems incompatible with some early drivers....
    • Re:Not the problem (Score:5, Insightful)

      by JayJay.br ( 206867 ) <100jayto@@@gmail...com> on Tuesday September 14, 2004 @05:42PM (#10250842)
      I would go even further: opening a specially crafted image is automatic if it is inside an HTML page.

      How easy would it be to make a website about almost anything and containing one of these babies?

      On a sidenote, would Firefox on Windows be vulnerable? Does it use Microsoft's JPEG library or does it have libjpeg embedded?
  • by Anonymous Coward
    Are not affected, unless they have Office installed.
  • i knew it! (Score:5, Funny)

    by Coneasfast ( 690509 ) on Tuesday September 14, 2004 @05:30PM (#10250711)
    and i was always telling everyone from the start, download your porn in png format.
  • by Carnildo ( 712617 ) on Tuesday September 14, 2004 @05:30PM (#10250714) Homepage Journal
    ...Everyone else uses libJPEG.

    Any bets on how long it'll be until someone finds either a hole in the Microsoft PNG decoder or libJPEG? We've had holes in libPNG and Microsoft's JPEG decoder.
    • > ...Everyone else uses libJPEG.
      >
      > Any bets on how long it'll be until someone finds either a hole in the Microsoft PNG decoder or libJPEG? We've had holes in libPNG and Microsoft's JPEG decoder.

      Ah, but in a world of closed-source third-party software, who's "everyone"? Without a sample JPEG as a proof-of-concept of the vector, there's no trivial way to tell whether FooView32.exe v1.03, or BarSee.exe v4.9 uses and/or was built with the affected components.

      This is a real-world issue. Anyone

  • by chill ( 34294 ) on Tuesday September 14, 2004 @05:30PM (#10250718) Journal
    I've been telling people for years "no, you can't get a virus from things like a JPEG picture. You're fine."

    Now this. Considering how many bugs are reported in all version of MS software, it is entirely possible that there are PERSONAL bugs. "This one is for Charles. Let's fuck with him."

    Sigh...

    -Charles
    • by RocketScientist ( 15198 ) * on Tuesday September 14, 2004 @05:34PM (#10250748)
      Before that, I told people for years, "No, you can't get a virus from just opening an email". Then the first "outlook virus that spams everyone in your address book" happened.

      Is anything safe? Should I start telling people, "No, actually nothing is safe, and you should just not use the computer if you don't want it infected with something nasty".

      Or just get them Macs.

      • by Ramses0 ( 63476 ) on Tuesday September 14, 2004 @06:40PM (#10251265)
        I started using Linux 5 years ago (hello Mozilla M12 :^). This was -just- before the internet went to hell with email viruses, worms, spyware, etc. I've just recently bought a Mac laptop (so quiet! :^), and a big factor was that I don't want to deal with windows (ever. except at work, where they do the whole managed deployment things).

        Basically: as difficult as it is to work with Linux (even Debian unstable. Vis: Wireless USB thingies, USB thingies in general, Kernel 2.6 upgrade + CDRom burning, etc), that pain is reduced 999x over by not having to run Ad-aware ever 2 hours, and not having to worry about patching the bug of the month that allows remote-root worms. At work I admin a little Debian-stable server because our IT/Unix department is mostly l4me, and have it set up to cron @daily apt-get "search for security updates" and email to our group. Get about 1-2 every other month, and that's with Known, Old software (provably more secure after every security bugfix). I can't imagine running windows for anything important. It's like being in middle-school with a big "Kick Me" sign taped to your ass.

        --Robert
  • Back in the day (Score:5, Insightful)

    by Eberlin ( 570874 ) on Tuesday September 14, 2004 @05:33PM (#10250734) Homepage
    Call me old school, but remember back in the day when opening e-mail was ok, and that executable attachments were what we watched out for? Images were ok, MIDI files were ok, and a bit later, even MP3 files were ok.

    Of course if the same codebase were used then, it NEVER was ok...but we sure thought things were juuuust fine.

    Is this any way related to the leaked code that led to a vuln discovery regarding BMP files? I know it's a different format but seems like parsing image files spells some trouble.
  • by gnat_x ( 713079 ) on Tuesday September 14, 2004 @05:33PM (#10250743)
    there have been lots of image exploits put out there.

    if memory serves there was even a png patch for linux this past summer.

    gif exploits have been around for a while too.

    the real worry here, as with most M$ security releases is how long they knew about it, and whether they waited until SP2 was released so they could say that their new software didn't have that vulnerability.

    microsoft security department, we take orders from marketing!
  • Untrusted data (Score:5, Interesting)

    by ChiralSoftware ( 743411 ) <info@chiralsoftware.net> on Tuesday September 14, 2004 @05:33PM (#10250746) Homepage
    We're going to get burned over and over and over and then we will get burned some more by processing untrusted data (stuff off the net) using any language that has unsafe memory operations. This isn't just a Microsoft problem; we've seen the same problems in zlib (PNG), resulting in vulnerabilities in almost all Linux/Unix apps that handle graphics. We're going to keep seeing these problems until we start handling all unsafe data as if it's got a contagious disease, which means handling it in an isolated environment like a VM.

    ---------
    WAP [chiralsoftware.net] software

    • Re:Untrusted data (Score:3, Insightful)

      by AuMatar ( 183847 )
      First, define trusted data. If you have a user, anything they produce should not be trusted. In other words, EVERYTHING is untrusted data. There's limits to how much you can sandbox and still run applications. Running every app in a VM with no access to any resources other than memory and the CPU wouldn't be a very useful environment. And anything else can't be trusted.

      Secondly, you would then have issues with security problems in the VM. You don't think that would be perfect either do you?
    • Re:Untrusted data (Score:5, Insightful)

      by SpinyNorman ( 33776 ) on Tuesday September 14, 2004 @06:48PM (#10251341)
      What'll go a long way to getting rid of buffer overflow exploits is execute-protected memory, which AFAIK AMD currently has, and Intel is playing catch-up to get. Stack/Heap memory is then non-execute enabled, and if you want to do something tricky like generate code on the fly, then you need to get the OS to allocate memory with execute permission set.
      • Re:Untrusted data (Score:3, Interesting)

        by cthugha ( 185672 )

        That'll protect against most, but not all, buffer overflows. What it won't protect against are attacks that overwrite the stack and then write a return address to code that'll treat what's on the stack as arguments that make it do something nasty.

        Note that these attacks are only guaranteed to succeed if the attacker has access to the same binary as you. Building your own binaries with an obscure compiler (or at least different compiler options) may be of assistance here.

        IIRC Intel has always built execute

  • by blcamp ( 211756 ) on Tuesday September 14, 2004 @05:36PM (#10250766) Homepage

    They should forget about Internet Explorer and try thier hand on a different line of sofware... ...like, say, e-voting.

  • by shawnce ( 146129 ) on Tuesday September 14, 2004 @05:36PM (#10250771) Homepage
    Don't worry folks you can still get your pr0n with out getting a social dease...

    www.asciipr0n.com [asciipr0n.com]
  • Pr0n (Score:3, Funny)

    by MastaBaba ( 530286 ) on Tuesday September 14, 2004 @05:37PM (#10250773)
    Who said looking at Pr0n was safe?
  • Spin Control (Score:5, Insightful)

    by Wanker ( 17907 ) * on Tuesday September 14, 2004 @05:38PM (#10250785)
    From http://www.microsoft.com/technet/security/Bulletin /MS04-028.mspx [microsoft.com]:
    In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.


    I like the phrase "no way to force users to visit a malicious Web site". How many users have image views enabled in their mail client? How hard would it be for a shady advertiser or a hacked advertiser to include a malicous JPEG as a banner ad?
  • by SilentChris ( 452960 ) on Tuesday September 14, 2004 @05:41PM (#10250829) Homepage
    While normally I shrug off most Slashdot anti-MS FUD, I've got to admit, this one's going to be a huge pain in the ass to rollout.

    Normally, I just read the whitepapers, run a test on a workstation then rollout a Windows update using the free SUS server. This one, I'm going to have to rollout the update (just for XP SP1 users), figure out an update plan for Office, figure out who actually uses those image programs, etc.

    And here's a question: SP2 isn't affected. Why didn't they rollout this fix in SP1 *before* rolling out SP2, if they clearly knew it needed fixing. Most companies I know (mine included) are in the middle of testing SP2 migration plans. This adds another wrinkle to the whole process.
  • by techno-vampire ( 666512 ) on Tuesday September 14, 2004 @05:45PM (#10250863) Homepage
    You don't allocate a buffer of fixed length unless you're lazy. You find out how long the input is, allocate a buffer big enough to fit then move the input to the buffer. When you're done you deallocate the buffer. Simple, safe and easy. I guess Micro$oft coders never learned how to practice safe hex.
  • by Garabito ( 720521 ) on Tuesday September 14, 2004 @05:46PM (#10250865)
    When you tought you couldn't get a virus by opening a document in a word processor?

    Microsoft made it possible.


    When you assumed you couldn't get attacked by loading a web page?

    Microsoft made it possible, too.


    When you sweared you couldn't get infected just by receiving e-mail?

    Microsoft made it possible, again.



    And now, by the very same people who gave you all that...


    The JPEG parser vulnerability!!!


    God, this company has really brought innovation to the industry!

  • by freshtonic ( 650437 ) on Tuesday September 14, 2004 @05:52PM (#10250904) Journal

    ... at the horrendous software implementation errors that people are still making in this day and age. *There is no reason for buffer overflows to happen* . Every PC bought in the last five years (at least) is fast enough to bounds check every array / buffer access for all but the most performance-driven applications. Loading a JPEG from a stream is IO-bound enough for bounds checking to be negligible.

    From what I read, I gather that buffer overflows account for a large portion of all platform vulnerabilties - Intel & AMD have even implemented a 'no execute' feature in their latest CPUs to go someway to counteract this. I see this as useful, but perhaps overkill - it is *simple* to avoid buffer overflows and the 'no execute' feature could potentially impede devlopment of programs that generate code on the fly (such as Java VMs). The low-level programmers that have been developing C for 20 years just need re-educating. Somebody should tell them computers run at more than 8mhz now...

    (That last comment is not meant to be taken too seriously)

  • by null etc. ( 524767 ) on Tuesday September 14, 2004 @05:53PM (#10250918)
    Todd Walters, remember 12 years ago in college when I told you that an exploit could theoretically take control of an operating system due to a flaw in the library that renders static graphics? And you said that no, only code that has a chance of executing can lead to exploits?

    I Told You So.

    BTW if you see this leave me a post, I haven't heard from you in 12 years and I don't know where you are.

    • Wow, sounds like sooommmeone got served!
  • by dacarr ( 562277 ) on Tuesday September 14, 2004 @05:54PM (#10250925) Homepage Journal
    Every hole in Windows seems to constitute the following:

    A buffer overflow can be used to execute arbitrary code

    ...or is that just me?

  • by 4of12 ( 97621 ) on Tuesday September 14, 2004 @05:54PM (#10250926) Homepage Journal

    Is there anykind of a browser plug-in I could use to deciper steganographically enhanced JPEG [linux01.gwdg.de] images that might just come over plain old unsuspicious unencrypted http?

    GIFs were evil, PNG support lacked transparency, now JPEGs can cause buffer overflows - I'd say that IE has an image problem... Excuse me while I just run away now.

  • by kiskoa ( 696916 ) <a AT enyim DOT com> on Tuesday September 14, 2004 @05:54PM (#10250928)
    Managed code - in this case .NET - is inherently secured against buffer underruns and code injection, until the VM or and the external components used by the framework do not have buffer underrin bugs.

    And that's just what happened. .NET Framework is heavily dependent on GDI+. Now you can use a managed software to hack the system.

  • by Risto ( 666860 ) on Tuesday September 14, 2004 @05:54PM (#10250929)
    "There is no way for an attacker to force a user to open a malicious file."

    This has got to be one of the stupidest things MS has ever said.

    It's called spam!!!
    99.999% of email programs and browsers automatically "open" images for viewing

    We all get spam
    the image can be a logo or something nonsuspicious
    embedded in the email

    So you only have to read the email
    to get infected
  • Sexy virus (Score:5, Funny)

    by Anonymous Coward on Tuesday September 14, 2004 @05:59PM (#10250960)
    So the next Anna Kournikova virus will actually be a picture of Anna Kournikova
  • Sorry... (Score:5, Funny)

    by keiferb ( 267153 ) on Tuesday September 14, 2004 @06:00PM (#10250966) Homepage
    On Microsoft products, porn screws YOU!
  • Source Leak? (Score:3, Insightful)

    by darkmeridian ( 119044 ) <william.chuang@g ... m minus language> on Tuesday September 14, 2004 @06:04PM (#10250997) Homepage
    A while ago, there was a source leak and someone found a vulnerability in the BMP shell. Is this related to the same thing?
  • Go No Execute Bit! (Score:3, Interesting)

    by LordSah ( 185088 ) * on Tuesday September 14, 2004 @06:05PM (#10251004)
    If you've got SP2 and an AMD64 chip, this is one great reason to use the no execute bit. I'll assume GDI+ won't mark picture data as executable.
  • by Ridgelift ( 228977 ) on Tuesday September 14, 2004 @06:06PM (#10251011)
    Microsoft rates the flaw "important" for many of its products, but "critical" for Outlook versions 2002 and 2003, Internet Explorer 6 with Service Pack 1, Windows XP and Windows XP with Service Pack 1, Windows Server 2003, and the .Net Framework 1.0 with Service Pack 2 and .Net Framework 1.1, according to the Security Bulletin.

    Isn't it interesting that when Microsoft is fighting court cases, Internet Explorer is consider "part of the operating system". But in this case they make the distinction between products, so that this flaw is "important" for one piece and "critical" for another.

    It's clear to me that Windows, Office and other related Microsoft products are simply unrepairable. And I don't buy that arguement that it's because they've got the biggest market share that these problems are made known. If that's the case, then how come Apache with over 60% of the market and millions of installations is not fraught with as many defects as Microsoft products?

    Solution: Microsoft has to open source their code. It will never happen, but they've proven beyond a shadow of a doubt that they can't fix their own code.
  • SP2 is not affected (Score:3, Informative)

    by diegocgteleline.es ( 653730 ) on Tuesday September 14, 2004 @06:11PM (#10251046)
    Sp2 is not affected. It smells like the new compiler switch avoided the flaw. One more reason to install SP2 to your friends & parents...
  • I'm sick of this (Score:3, Interesting)

    by Chuck Bucket ( 142633 ) on Tuesday September 14, 2004 @06:39PM (#10251258) Homepage Journal
    I haven't run windows at home for 2 years, but I still have to talk to my mom, and her neighbors 1000 miles away cause they have Dell's with XP! regardless of what I've done from here their machines just get overrun with viruses or trojans. I've installed spybot, they have Mccafee running (supposedly) and now this.

    I really wish my mom would get broadband so I could install/admin linux from here.

    BC
  • by bigberk ( 547360 ) <bigberk@users.pc9.org> on Tuesday September 14, 2004 @07:23PM (#10251598)
    ...knowing that my mail client [pc-tools.net] doesn't even load images -- it just strips down all that HTML mess to plaintext. I never trusted pretty emails.

    Honestly, looking at something like emails -- what does all this "meta deta" add that isn't available from plain text information content? Want a hyperlink, spell out its URL. Want some lines? Play around with hyphens. It's really not so bad, and so so much less dangerous.
  • by runderwo ( 609077 ) <{gro.niw.liam} {ta} {owrednur}> on Tuesday September 14, 2004 @08:18PM (#10251890)
    She always told me looking at images would make me go blind.

  • The MS Bulletin (Score:3, Interesting)

    by ManuelKelly ( 446655 ) on Tuesday September 14, 2004 @08:46PM (#10252008)
    This is real nasty. It looks like most versions of office as well as MS Works since 2000 are affected. See the Security Bulletin [microsoft.com] Any random word document with an infected embeded jpg is a transfer vector.
  • by dynamo ( 6127 ) on Tuesday September 14, 2004 @09:01PM (#10252149) Journal
    Watch out for next week's critical flaw in MS Hello World.
  • Meanwhile, (Score:5, Funny)

    by Piquan ( 49943 ) on Wednesday September 15, 2004 @02:14AM (#10253993)

    On a completely and totally unrelated topic, does anybody know where I can buy lots of banner ad space in bulk?

He who has but four and spends five has no need for a wallet.

Working...