Slashdot Log In
Flaw in Microsoft JPEG Parsing
Posted by
timothy
on Tue Sep 14, 2004 05:26 PM
from the some-sites-have-more-than-others dept.
from the some-sites-have-more-than-others dept.
KDan writes "As reported by numerous sources, a new vulnerability has been disclosed (and patched) by Microsoft. This one concerns the parsing of JPEGs in XP Microsoft applications. A buffer overflow can be used to execute arbitrary code. So all those times you told your parents/friends that looking at images was safe - well, not anymore."
This discussion has been archived.
No new comments can be posted.
Flaw in Microsoft JPEG Parsing
|
Log In/Create an Account
| Top
| 555 comments
(Spill at 50!) | Index Only
| Search Discussion
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
|
2
(1)
|
2
If you think looking at images is safe... (Score:5, Funny)
(Last Journal: Saturday October 02 2004, @03:42PM)
Re:If you think looking at images is safe... (Score:5, Funny)
Re:If you think looking at images is safe... (Score:4, Funny)
Re:If you think looking at images is safe... (Score:5, Informative)
(http://www.iit.edu/~kbloom1/)
Re:If you think looking at images is safe... (Score:5, Informative)
Re:If you think looking at images is safe... (Score:5, Funny)
Re:If you think looking at images is safe... (Score:5, Informative)
(http://www.dallapieta.it/ | Last Journal: Tuesday July 31, @01:11PM)
Note to everyone else, It's safe to click on, but if you don't trust me, just go to time.com and take a look at the cover for the current magazine.
Re:If you think looking at images is safe... (Score:5, Funny)
2) Goatse is a high bandwidth information highway in itself.
3) Goatse can be a hiding place.
4) Goatse tests the limits of humanity.
I ran out of ideas, AC's of the world please fill in the rest...
Why? (Score:4, Interesting)
(Last Journal: Sunday October 14, @10:49PM)
Why doesn't someone sue Microsoft? After all people sue companies all the time even if the product in question has warning labels.
Re:Why? (Score:5, Funny)
Re:Why? (Score:4, Insightful)
(http://nice.sourceforge.net/ | Last Journal: Wednesday August 11 2004, @11:16AM)
Re:Why? (Score:5, Insightful)
(Last Journal: Wednesday January 15 2003, @02:17AM)
On the other hand Microsoft spent years conditioning people to belive that computers just randomly shred your files.
Re:Why? (Score:5, Insightful)
Other industries don't have that luxury though. An ice cream company can't say put a label saying if you die eating our product we can't be at fault. One reason is that the FDA would go after them. Another reason is nobody would then buy the ice cream. But since it's so common in the software industry, people don't think twice about agreeing to the EULA.
Re:Why? (Score:5, Insightful)
(http://www.clemsontalk.com/vb/member.php?u=954 | Last Journal: Thursday September 15 2005, @06:20PM)
EULA's are the reason smarter people don't sue. They exempt the software vendor from an unimaginable amount of liability without the user ever knowing unless they read it.
There appears to be nobody in the third group: the group that understands where the problem is but doesn't understand what EULA's do. They'd be the type to sue.
The 4th group, which understands what an EULA does but doesn't understand how computers work, is likely the group that writes EULA's.
Re:Why? (Score:5, Insightful)
(http://www.ferion.net/ | Last Journal: Monday May 06 2002, @02:16AM)
Because Microsoft didn't commit the crime. The criminal who used the exploit did. It's fun to suggest things that would get MS in trouble, but if they were sue'able for this, every other product in the world that you like would be in danger, including Linux.
Combined with airpwn.....wow (Score:5, Insightful)
(http://www.mikeshaw.net/)
Man...talk about attack vectors. This would make a killer (as in bad) worm.
IM
Email
Browsers (probably several)
Anything....heck just copy exploit code to every accessible jpg file on a machine and/or network.
As usual, the writers of the "mitigating factors" section don't seem to have much imagination.
Remember the airpwn project? You could trojan/crack every unpatched machine on a wireless network who pulls up a web browser. And what about those folks who whacked interlands proxies to inject code? Just inject jpgs.
Does anyone know if this can be 'stealth' injected into a JPG (like some of those mp3 issues), or is it standalone exploit code?
WARNING - useless buzzword alert!!!! (Score:5, Funny)
Aw, c'mon AC, RE: useless buzzword alert!!!! (Score:4, Funny)
(http://www.mikeshaw.net/)
You're right, I should have said "Airpwn could leverage the synergies of this vulnerability and streamline the deployment...with or without interactive buy-in by stakeholders"
Seriously, if you're going to be cute about buzzwords, at least wait until someone uses a real buzzword..."attack vector" is a real term and hasn't reached convergence in the buzzword mindshare yet.
Not the problem (Score:5, Insightful)
The problem is not "forcing" people to open attachments, the problem has always been that people open attachments.
Re:Not the problem (Score:5, Funny)
Lets see....
Ok, check your email now.
Re:Not the problem (Score:5, Insightful)
(http://www.crfh.net/ | Last Journal: Tuesday November 14 2006, @02:47PM)
Re:Not the problem (Score:5, Informative)
(http://www.crfh.net/ | Last Journal: Tuesday November 14 2006, @02:47PM)
* Windows XP
* Windows XP Service Pack 1 (SP1)
* Windows Server 2003
* Internet Explorer 6 SP1
* Office XP SP3
Note Office XP SP3 includes Word 2002, Excel 2002, Outlook 2002, PowerPoint 2002, FrontPage 2002, and Publisher 2002.
* Office 2003
Note Office 2003 includes Word 2003, Excel 2003, Outlook 2003, PowerPoint 2003, FrontPage 2003, Publisher 2003, InfoPath 2003, and OneNote 2003.
* Digital Image Pro 7.0
* Digital Image Pro 9
* Digital Image Suite 9
* Greetings 2002
* Picture It! 2002 (all versions)
* Picture It! 7.0 (all versions)
* Picture It! 9 (all versions, including Picture It! Library)
* Producer for PowerPoint (all versions)
* Project 2002 SP1 (all versions)
* Project 2003 (all versions)
* Visio 2002 SP2 (all versions)
* Visio 2003 (all versions)
* Visual Studio
Note Visual Studio
* Visual Studio
Note Visual Studio
*
*
*
* Platform SDK Redistributable: GDI+
Re:Not the problem (Score:4, Informative)
Re:Not the problem (Score:5, Insightful)
How easy would it be to make a website about almost anything and containing one of these babies?
On a sidenote, would Firefox on Windows be vulnerable? Does it use Microsoft's JPEG library or does it have libjpeg embedded?
i knew it! (Score:5, Funny)
Re:i knew it! (Score:4, Informative)
(http://trypticon.org/)
Microsoft rolls their own buggy JPEG reader... (Score:5, Interesting)
(http://www.crfh.net/ | Last Journal: Tuesday November 14 2006, @02:47PM)
Any bets on how long it'll be until someone finds either a hole in the Microsoft PNG decoder or libJPEG? We've had holes in libPNG and Microsoft's JPEG decoder.
Personal attack... (Score:5, Funny)
(http://www.howtobeinvisible.com/ | Last Journal: Thursday October 04, @07:42AM)
Now this. Considering how many bugs are reported in all version of MS software, it is entirely possible that there are PERSONAL bugs. "This one is for Charles. Let's fuck with him."
Sigh...
-Charles
Re:Personal attack... (Score:5, Interesting)
Is anything safe? Should I start telling people, "No, actually nothing is safe, and you should just not use the computer if you don't want it infected with something nasty".
Or just get them Macs.
Re:Personal attack... (Score:5, Insightful)
Basically: as difficult as it is to work with Linux (even Debian unstable. Vis: Wireless USB thingies, USB thingies in general, Kernel 2.6 upgrade + CDRom burning, etc), that pain is reduced 999x over by not having to run Ad-aware ever 2 hours, and not having to worry about patching the bug of the month that allows remote-root worms. At work I admin a little Debian-stable server because our IT/Unix department is mostly l4me, and have it set up to cron @daily apt-get "search for security updates" and email to our group. Get about 1-2 every other month, and that's with Known, Old software (provably more secure after every security bugfix). I can't imagine running windows for anything important. It's like being in middle-school with a big "Kick Me" sign taped to your ass.
--Robert
Back in the day (Score:5, Insightful)
Of course if the same codebase were used then, it NEVER was ok...but we sure thought things were juuuust fine.
Is this any way related to the leaked code that led to a vuln discovery regarding BMP files? I know it's a different format but seems like parsing image files spells some trouble.
this isn't the first image exploit (Score:5, Interesting)
if memory serves there was even a png patch for linux this past summer.
gif exploits have been around for a while too.
the real worry here, as with most M$ security releases is how long they knew about it, and whether they waited until SP2 was released so they could say that their new software didn't have that vulnerability.
microsoft security department, we take orders from marketing!
Re:this isn't the first image exploit (Score:5, Informative)
Re:this isn't the first image exploit (Score:4, Informative)
Untrusted data (Score:5, Interesting)
(http://chiralsoftware.net/)
---------
WAP [chiralsoftware.net] software
Re:Untrusted data (Score:5, Insightful)
Microsoft should give up on IE (Score:5, Funny)
(http://www.blcamp.com/)
They should forget about Internet Explorer and try thier hand on a different line of sofware...
Thank god for ASCII pr0n! (Score:5, Funny)
(http://slashdot.org/)
www.asciipr0n.com [asciipr0n.com]
Pr0n (Score:3, Funny)
Spin Control (Score:5, Insightful)
I like the phrase "no way to force users to visit a malicious Web site". How many users have image views enabled in their mail client? How hard would it be for a shady advertiser or a hacked advertiser to include a malicous JPEG as a banner ad?
Pain in the ass to update (Score:5, Interesting)
(http://slashdot.org/)
Normally, I just read the whitepapers, run a test on a workstation then rollout a Windows update using the free SUS server. This one, I'm going to have to rollout the update (just for XP SP1 users), figure out an update plan for Office, figure out who actually uses those image programs, etc.
And here's a question: SP2 isn't affected. Why didn't they rollout this fix in SP1 *before* rolling out SP2, if they clearly knew it needed fixing. Most companies I know (mine included) are in the middle of testing SP2 migration plans. This adds another wrinkle to the whole process.
Buffer overflows are caused by lazy coders (Score:4, Funny)
(http://zeff.us/)
Remember the days? (Score:5, Funny)
Microsoft made it possible.
When you assumed you couldn't get attacked by loading a web page?
Microsoft made it possible, too.
When you sweared you couldn't get infected just by receiving e-mail?
Microsoft made it possible, again.
And now, by the very same people who gave you all that...
The JPEG parser vulnerability!!!
God, this company has really brought innovation to the industry!
It just makes me shudder... (Score:4, Insightful)
(Last Journal: Monday May 17 2004, @05:30AM)
... at the horrendous software implementation errors that people are still making in this day and age. *There is no reason for buffer overflows to happen* . Every PC bought in the last five years (at least) is fast enough to bounds check every array / buffer access for all but the most performance-driven applications. Loading a JPEG from a stream is IO-bound enough for bounds checking to be negligible.
From what I read, I gather that buffer overflows account for a large portion of all platform vulnerabilties - Intel & AMD have even implemented a 'no execute' feature in their latest CPUs to go someway to counteract this. I see this as useful, but perhaps overkill - it is *simple* to avoid buffer overflows and the 'no execute' feature could potentially impede devlopment of programs that generate code on the fly (such as Java VMs). The low-level programmers that have been developing C for 20 years just need re-educating. Somebody should tell them computers run at more than 8mhz now...
(That last comment is not meant to be taken too seriously)
This post is only directed towards Todd Walters (Score:5, Funny)
I Told You So.
BTW if you see this leave me a post, I haven't heard from you in 12 years and I don't know where you are.
Re:This post is only directed towards Todd Walters (Score:5, Informative)
(http://slashdot.org/)
They start loading the file and pretty much ask it "How big are you"? The file says something like -1. They then say ok, I need -1 memory so lets allocate -1 memory. They then proceed to turn over "ownership" of the entire computer to the image file. They then ask the file "Ok, so where does the next peice of the picture go?". The file then says "Ohhhh, why don't you clobber the most important thing in memory and put the 'picture' there!". The computer then proceeds to grab its next instruction, which now happens to come from the middle of the 'picture'. It just jumps into the middle of the picture as it it were an EXE file.
There are different variations, the stack, the heap, whatever. But that's the general idea.
In some ways it's really stupid for them to accept insane instructions from the picture like that, but on the other hand it's a semi-common and almost reasonable/lazy error. But no matter how you cut it, it is exactly the sort of thing they should have specifically looked for and it's appalling that they allowed it into the shipping product. They did the same sort of thing with bitmap files, they did the same sort of thing with media player files, the same sort of thing all over the place in reading e-mail files, they did in in gopher, they did it all over the browser, they did it freaking everywhere.
-
Every hole in Windows... (Score:4, Insightful)
(http://www.northarc.com/~ke6isf | Last Journal: Tuesday November 23 2004, @01:32AM)
A buffer overflow can be used to execute arbitrary code
[OT] Speaking of Parsing JPEGs... (Score:5, Funny)
(http://slashdot.org/ | Last Journal: Wednesday October 23 2002, @05:38PM)
Is there anykind of a browser plug-in I could use to deciper steganographically enhanced JPEG [linux01.gwdg.de] images that might just come over plain old unsuspicious unencrypted http?
GIFs were evil, PNG support lacked transparency, now JPEGs can cause buffer overflows - I'd say that IE has an image problem... Excuse me while I just run away now.
more interesting than you think (Score:3, Interesting)
(http://freeblog.hu/)
And that's just what happened. .NET Framework is heavily dependent on GDI+. Now you can use a managed software to hack the system.
no way to force you to open a jpeg? (Score:5, Insightful)
This has got to be one of the stupidest things MS has ever said.
It's called spam!!!
99.999% of email programs and browsers automatically "open" images for viewing
We all get spam
the image can be a logo or something nonsuspicious
embedded in the email
So you only have to read the email
to get infected
Re:no way to force you to open a jpeg? (Score:5, Informative)
(http://www.mvw.net/)
Michael
Sexy virus (Score:5, Funny)
Re:Sexy virus (Score:4, Funny)
(http://slashdot.org/ | Last Journal: Thursday January 02 2003, @02:05AM)
Sorry... (Score:5, Funny)
(http://valinor.net/)
Source Leak? (Score:3, Insightful)
(http://willdotcom.bl.../just_a_coincidence/ | Last Journal: Sunday September 05 2004, @07:19PM)
Go No Execute Bit! (Score:3, Interesting)
Wow, I mean seriously, wow (Score:5, Insightful)
Isn't it interesting that when Microsoft is fighting court cases, Internet Explorer is consider "part of the operating system". But in this case they make the distinction between products, so that this flaw is "important" for one piece and "critical" for another.
It's clear to me that Windows, Office and other related Microsoft products are simply unrepairable. And I don't buy that arguement that it's because they've got the biggest market share that these problems are made known. If that's the case, then how come Apache with over 60% of the market and millions of installations is not fraught with as many defects as Microsoft products?
Solution: Microsoft has to open source their code. It will never happen, but they've proven beyond a shadow of a doubt that they can't fix their own code.
Re:Wow, I mean seriously, wow (Score:5, Insightful)
(http://slashdot.org/)
Go compare the number of vulnerabilities in IIS6 and Apache 2, you'll be very surprised.
Re:Wow, I mean seriously, wow (Score:5, Informative)
(http://slashdot.org/)
Re:Just plain crappy (Score:4, Interesting)
(http://www.virb.com/evilangela | Last Journal: Tuesday October 30, @02:29PM)
SP2 is not affected (Score:3, Informative)
I'm sick of this (Score:3, Interesting)
(http://pitchforkmedia.com/ | Last Journal: Tuesday March 23 2004, @09:08PM)
I really wish my mom would get broadband so I could install/admin linux from here.
BC
Now I feel somewhat safer (Score:3, Insightful)
Honestly, looking at something like emails -- what does all this "meta deta" add that isn't available from plain text information content? Want a hyperlink, spell out its URL. Want some lines? Play around with hyphens. It's really not so bad, and so so much less dangerous.
Re:Fair Play (Score:5, Insightful)
(http://slashdot.org/)
If you actually knew what you're talking about, you'd know that the JPEG format is definitely not the easiest file format to support, and you'd also know that coding mistakes can happen everywhere, as witnessed daily in the open source community.
So instead of going on an unjustified rant against MS because of something that happen daily everywhere, just chill out.
My mother doesn't think so (Score:3, Funny)
The MS Bulletin (Score:3, Interesting)
How dumb can they be (Score:3, Funny)
Meanwhile, (Score:5, Funny)
On a completely and totally unrelated topic, does anybody know where I can buy lots of banner ad space in bulk?
Re:Damn It. (Score:5, Insightful)
Re:Damn It. (Score:4, Insightful)
(http://technilog.blogspot.com/ | Last Journal: Monday September 06 2004, @11:58PM)
I hope now that png, mp3, and jpg decoders have had vulnerabilities people will be a little more careful in the future.
It isn't necessarily about being careful. If people were that careful about writing all their software, software would take ages to finish writing.
And even then there would still be security flaws. I think the saying about bugs goes something like "Any non-trivial program has at least one bug." I think the same could probably be said for security vulnerabilities.
Sure, we probably shouldn't be seeing buffer overflow exploits anymore considering the amount of attention they have gotten, but it isn't necessarily worth it to go back and review all your code just to find one type of vulnerability when others will be found eventually anyway.
Re:Damn It. (Score:5, Interesting)
Your code is probably full of security holes, just like everybody's, and the fact that you think it's so simple is a clear evidence...
Look, even Knuth was so certain that his code could not possibly be bugged that he promised a prize for the persons who would find bugs. And still, some were found. And we are talking about a program that was mathematically provable, and made by the living god of computer science, damnit !
And you think that your code, which is sitting on dozens of layers speaking to each others in your back, and made with a high level language, cannot possibly have an unknow bug which could cause a security hole ?
If so, then you're a security hole yourself.
Re:Oh my god (Score:5, Funny)
(Last Journal: Wednesday January 15 2003, @02:17AM)
I was surfing porn and got herpies.
That would be soooo funny.