First JPEG Virus Posted To Usenet 694
Shawn writes "This could possibly be the worst viruses yet! Earlier this month Microsoft announced a problem in their GDI driver that processes the way JPEG images are displayed. Someone has finally posted an exploit to Usenet. Easynews, a premium Usenet provider, found the virus Sunday afternoon. Up-to-date information about how we found it and what it does is located at www.easynews.com/virus.txt. When this picture is viewed it installs remote management software (winvnc and radmin) and will connect to irc."
That's pretty amazing. (Score:3, Funny)
The worst part is that you don't even need to be using IE. Hopefully Mozilla decodes the JPGs itself before rendering them on Windows.
Re:That's pretty amazing. (Score:3, Informative)
Re:That's pretty amazing. (Score:5, Informative)
It does. But Mozilla had almost the exact same problem with both BMP and PNG in the last week or two. So it's not just Microsoft who has vulnerable image decoders.
Re:That's pretty amazing. (Score:5, Insightful)
Which was, "However it is no longer safe to turn on your computer."
Quality freefall.
Really, how much new useful functionality has MS provided in the last 5 years? It takes just as long to load apps now as it did 10 years ago, even though machines are 10 times faster with 100 times more memory. Functionality increases at best in a linear fashion, while system requirements increase at a geometric rate. Software eats more of your computer and offers less in return.
Remember when MS supposedly shut down for a month to work on security issues? That was about 4 years ago. Not only did the problems not go away, but the occurrence of gaping new exploits increased significantly.
Maybe they should shut down for a year. Take all the gigabyte-gobbling shit they've written for the last 10 years and turn it into useful code with no new functionality. Returning with the same stuff they have now, but with little or no security issues would win them more customers than their current monopolistic policies and FUD spreading ever will.
Really, what else could they possibly do besides introduce a bunch of bloated new technologies for doing the same damn thing we all wrote for ourselves years ago, but without all the MS lock in and huge learning curve?
I have to ask, what has MS done that is actually useful since Windows 2000?
Re:That's pretty amazing. (Score:5, Insightful)
I'm glad I'm not the only one who noticed this. BTW, CPUs are way more than 10x faster. In 1994 I could only afford a 386SX at 16MHz. Not only is the clock speed faster but the chip has gone through several major revisions. Yet I think that 386SX booted up faster and ran Lotus and WordPerfect under DOS just as fast as anything out there on Windows today. Of course there are some advantages to Windows but speed sure isn't one of them!
Re:That's pretty amazing. (Score:5, Interesting)
Now here's a case where the MS software really was well-designed and easy to use (from a UI standpoint), but the grotesque slowness of the app killed it for me.
In 1994, I had a 50MHz 486SX... I didn't buy a Pentium 100 until '96, so you're right. Clock speed is more like 40 - 60 times faster (and thanks to the wonders of CISC, performance is more than that). And disk space has increased for me by 3 orders of magnitude.
I seem to recall MicroCenter or CompUSA having a "Buck-a-Meg" sale and I bought a 340MB drive for $340, bringing my total to a whopping 580MB. Now I've got about 600GB over about 4 machines, maybe more since each box is crammed full of old drives ranging from 7GB to 250GB etc in addition to a few bigger drives.
I used to hate how my Amiga took like 3 minutes to boot back in the late 80's. Windows 2000 on a machine that was 100 times faster took around the same time. XP is much better, but still, there are times when I have a lot of apps loaded and it just seems to go out to lunch for several seconds before anything responds. And don't get me started on the launch time for Word 2003...
Re:That's pretty amazing. (Score:5, Funny)
You mean, apart from the sanitation, the medicine, education, wine, public order, irrigation, roads, a fresh water system, and public health?
Oh, wait - that was the Romans
Re:That's pretty amazing. (Score:4, Funny)
Re:That's pretty amazing. (Score:5, Informative)
Sorry, that won't work.
Some of the stuff is insecure by design! Not "designed to be insecure", just "impossible to secure given the design".
Take ActiveX: running binary code downloaded from anywhere without a JVM-like sandbox is insecure. No matter how many digital signatures, OK dialog boxes and warning messages you add, some (most?) users WILL simply click through all the warnings and have their boxes 0wn3d.
Design has tradeoffs between security, performance, usability etc. etc. Some of this stuff you can't fix without changing the basic design (i.e. starting from scratch)
Re:That's pretty amazing. (Score:5, Insightful)
It's related.
There is an arrogance that Microsoft knows best that is implicit in that statement. Whether or not it is actually safe to turn off the computer is very much outside of Microsoft's knowledge. In fact the safest thing to do when a system is acting bonkers is to hit reset or the power switch on old computers, or pull the power plug or remove the battery on newer computers where the power switch is no longer functional. The reasoning goes that when the system has its brains scrambled it desperately wants to write those scrambled brains to disk and thus perpetuate the scramble.
Remember when MS supposedly shut down for a month to work on security issues? That was about 4 years ago. Not only did the problems not go away, but the occurrence of gaping new exploits increased significantly.
One whole month, Well golly gee! Actually one month would be enough to stop hiding stuff and never under any circumstance use or require scripts or ActiveX controls for anything remotely related to security.
[x] Hide files extension for known file types.
That by itself is enough to wreck any attempts at achieving security. The message is loud and clear. Linux worms never seem to get anywhere. People see them and react violently to anything sneaking around trying to be invisible.
Task Manager doesn't show everything. Microsoft Windows comes with a pre-installed root kit!
Re:bug month (Score:5, Insightful)
"Quality freefall"? Not really. They've always produced third tier code.
I dunno. NT 3.51 always seemed to be rock-frickin'-solid, but then I didn't use it for long before NT 4 came out.
Of course, Windows 95 was stillborn and they kept pumping the corpse full of formaldehyde for 5 years before they finally let it rot in peace, but the NT branch was really good until they started making every app they wrote effectively part of the core OS.
Remember when NT ran on 4 different processor architectures and Win32 was just one API on top of the kernel in addition to Posix and OS/2? Now that IE and WMP are practically part of the kernel it seems so long ago, and yet, in a sense, it was far more advanced because it was modular enough and clean enough to be ported.
Re:That's pretty amazing. (Score:5, Informative)
Critical Mozilla, Thunderbird Vulnerabilities [slashdot.org]
CERT Warns Of Multiple Vulnerabilities In Libpng [slashdot.org]
Just begging to be sued (Score:4, Interesting)
Re:Just begging to be sued (Score:4, Informative)
Re:Just begging to be sued (Score:4, Funny)
Damn Jay Peg with his viruses..
Re:Just begging to be sued (Score:5, Informative)
Re:Just begging to be sued (Score:5, Insightful)
coughcoughpatriotactcoughcough
Re:Just begging to be sued (Score:3, Insightful)
Can be prevented... (Score:5, Informative)
Re:Can be prevented... (Score:5, Informative)
Re:Can be prevented... (Score:5, Informative)
Re:Can be prevented... (Score:3, Funny)
Sorry, couldn't resist that one.
Re:Can be prevented... (Score:5, Informative)
Say you're using app X that uses GDI+ to render its own image stuff (say it's a picture album maker). It keeps its own version of GDI+ that the developers extended for their own reasons. This GDI+ is vulnerable. After patching, this older version of GDI+ is still on your system, so that app is vulnerable...
So buyer beware.
Re:Can be prevented... (Score:4, Informative)
> only fixed the system's instance of GDI+
While we're bursting bubbles, the patch from Microsoft contains a tool that scans your hard disk for all vulnerable GDI DLLs.
Re:Can be prevented... (Score:5, Informative)
Another bubble bites the dust! It detects, but does not fix the problem. Nor does it even tell you where the problem is. This was covered earlier today [slashdot.org].
Re:Can be prevented... (Score:3, Interesting)
Most people update their system via windowsupdate.microsoft.com. However, despite the rumors, Windows Update does NOT update your MS Office suite.
Very few people go the extra step to use the MS Office updater.
The real question... (Score:3, Interesting)
The answer is... (Score:5, Informative)
See this [slashdot.org] Slashdot thread.
- Leo
Re:The answer is... (Score:4, Informative)
Must hit "Preview" to check those links, not "Submit"...
- Leo
Well... (Score:4, Funny)
"This could possibly be the worst viruses yet!"
Hm...maybe when he started typing there was only one and it spread during the sentence?
Nothing's safe anymore (Score:4, Funny)
Re:Nothing's safe anymore (Score:5, Funny)
Drat!!!
Fantastic (Score:3, Insightful)
The only reason we need security for this crap is because the viruses exist. Which means that we only have security when the need arises. If the vulnerability exists but is never exploited, it tends to sit open and unpatched. As soon as this pops up, we see vendors frantically patching systems.
I usually call it like I see it - which means defending the bad guys when they deserve it. But in this case, there's no doubt that open source has major advantages. The vulnerability has been identified, people are complaining that it's not being fixed... I bet it takes a virus to get MS (and others) moving to fix it.
I don't see why this is a problem (Score:5, Insightful)
Re:I don't see why this is a problem (Score:5, Informative)
I hate to break it to you but normal people don't know or care about things like that.
Re:I don't see why this is a problem (Score:5, Insightful)
Until Microsoft stops shipping the OS wide-open for anyone to do anything they want, these kinds of attacks will continue. Apple's gotten it much more right in this regard - even as a Mac user I don't think Mac OS X is particularly more secure than any other *nix or even Windows (just less analyzed), but at least Apple doesn't ship with any services turned on or allow admin users willy-nilly access over the entire system (most admin settings and files require password confirmation before continuing - not foolproof by any means but a huge step in the right direction), as do most good Unices these days.
But of course not Windows.
Re:I don't see why this is a problem (Score:5, Interesting)
At the risk of being kicked off Slashdot for being a devil's advocate...
Why shouldn't I be able to run as an administrator on my own machine? It's my computer... I paid for it... I'm the only one using it. If the system is insecure, isn't that the system's fault? Am I to be blamed for operating my computer in a fashion that (*gasp*) allows me to make changes to it when I want without it bitching to me any further?
Think bigger. Think to the future. "Don't log in as root/Don't be an administrator." is NOT an answer. Mac OS 9 and below operated by default in a single-user mode without *any* authentication necessary to make changes and I can list the successful viruses/exploits (especially remote exploits) by hand on a single sheet of paper.
Artificial permission models (where "artificial" means "not needed by the environment") are not panaceas and aren't excuses for poor OS design.
Re:I don't see why this is a problem (Score:3, Insightful)
Re:I don't see why this is a problem (Score:5, Informative)
It can still do anything the user can do, including installing itself in the user's account space, setting itself to run every time the user logs on, uploading all of the files the user can access, logging the user's keystrokes, sending email, pinging for other systems, etc. Running as a non-administrator is not a panacea.
Re:I don't see why this is a problem (Score:5, Insightful)
I find it incredible that reputable developers like id Software for example require the latest demo of Doom 3 to be *installed* AND *run* as an administrator. The demo readme states this explicitly.
Yes I do know about "Run As" but what are these people thinking? Administrator is for administrative tasks, not for playing games.
No wonder XP is such a debacle security-wise.
Re:I don't see why this is a problem (Score:5, Informative)
At work, however, is a different story. I do have domain access, but I never log in as the domain admin unless I need to do some administration. I did, however, grant myself local admin rights on my machine for the same reasons above. I don't have a problem with spyware, adware, viruses, or anything.
Re:I don't see why this is a problem (Score:4, Insightful)
We generally run Linux in my house, but my six year old daughter has a couple of computer games, and one of our machines is dual-boot; pretty much all that that copy of Windows is used for is her games. Guess what? The games only work if I make my six year old an administrator. The reason is that the games were written in the Windows 95 era; they want to do direct access to everything, and that takes privileges that a non-admin Windows XP user does not have.
This kind of thing is common, and it forces a lot of people to run with elevated privilege. This is the price of legacy. Of course, Microsoft could have provided some mechanism to run the older programs without privilege (say, with some kind of virtual machine setup), but they probably figured that if they didn't do the work, it would be easier to sell new XP versions of all the apps.
Re:I don't see why this is a problem (Score:4, Informative)
As a producer of children's computer games, I have encountered those problems. Most are solved by a couple of registry/security policy edits. Try enabling 'Restrict CD-ROM Access to locally logged-on user only' in Local Security Policy (found in Administrative Tools). That should cure a lot of them.
Careful assignment of permissions to certain files/directories would probably take care of others. Check out www.sysinternals.com for tools which can help you track down what the program is trying to open and what it fails to do.
Re:I don't see why this is a problem (Score:3, Interesting)
I manage systems with limited user accounts perfectly fine. Just about all software works as well: office apps, multimedia, games, communications. It's not as bad as people make out. Stuff that doesn't work, people don't get to play! (evil grin ;) Also be sure to complain to the makers; it's the only way to improve this.
clamav and nav detect it (Score:5, Informative)
possibleVirus.jpg: Exploit.JPEG.Comment FOUND
----------- SCAN SUMMARY -----------
Known viruses: 24607
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
I/O buffer size: 131072 bytes
Time: 0.501 sec (0 m 0 s)
Also updated NAV Corp 8 with the latest defs (9/27/04) and it found it. AVG Free Edition doesn't as of yet.
Imagine for a moment.... (Score:5, Interesting)
Screenshots... (Score:5, Funny)
alt.binaries.erotica.beanie-babies (Score:5, Funny)
Re:alt.binaries.erotica.beanie-babies (Score:4, Funny)
Re:alt.binaries.erotica.beanie-babies (Score:5, Funny)
Those were the days. Anyone go to Level 17 on gopher?
Eek! (Score:4, Funny)
These could be the worst grammar too!!!
Not particularly well coded (Score:5, Interesting)
Re:Not particularly well coded (Score:3, Interesting)
I saw one post indicating that the anti-virus tools can pick it up, but can they do so when you visit a website? My guess is no, and as such the majority of people who don't update their systems regularly (most people) have a pretty high likelihood of coming across such a site sooner
Re:Not particularly well coded (Score:5, Insightful)
How do they reencode? (Score:4, Interesting)
That brings to mind the question of whether the reader on the server is using a standard library that might have buffer exploits, so that you could alter the server to start feeding out PNGs with viruses (assuming a similar attack could be found in the PNG reader in Windows, not sure if that's true or not).
Even more evil ... (Score:4, Funny)
Re:Even more evil ... (Score:3, Insightful)
WAV files (Score:4, Interesting)
Real Player and that piece of crap spyware that Dell calls a media player just blithely tried to open the file without performing any integrity checks whatsoever, and damn near crashed the system.
I bet this sort of thing is a helluva lot more endemic than people realize.
DOS it now? (Score:3, Interesting)
apparently, the text indicates, that's the only source for the installed files.
if say, 500 of us were to log into that and stay connected, would we stop the virus? would there be any risk to ourselves? (giving your IP away for a start).
The joys of keeping a campus virus-free (Score:5, Interesting)
Our university campus has a huge problem with viruses and this is another exciting addition to our collection. I'm sure I'll start seeing plenty of guys asking for help getting this removed, after finding out porn stars aren't virus free after all.
Thankfully, though, this shouldn't cause as much trouble as our current crop of worms. I'm shocked at how dumb our users are, as a whole. We're still having people infected with Blaster, over a year after Microsoft patched that vulnerability! Sasser is absolutely rampant. The school even purchased a blanket license of Norton, but I would bet less than half of the students have installed it. We have a T3 line providing our outside connection, and it's currently averaging about 7 Mbps combined up/down, because the internal network, which is mostly linked from building to building by gigabit fiber, is saturated by virus crap. Although this virus may have a really effective way of spreading, it scares me very little.
Re:The joys of keeping a campus virus-free (Score:3, Interesting)
Limited Accounts? (Score:4, Interesting)
Re:Limited Accounts? (Score:4, Informative)
Microsoft Patch (Score:5, Informative)
NX Protection? (Score:5, Interesting)
Re:NX Protection? (Score:5, Informative)
Sex! (Score:5, Funny)
Lament from an old-timer (Score:5, Interesting)
In retrospect I don't know why we thought such a thing was impossible for so long. After all, buffer overflows or other coding problems can result in malicious code executing. I guess what we didn't expect "back then" was that computers primarily engaged in networking activities would be running vital parsers - HTML, ActiveX, images etc - within the operating system itself, with administrator level privileges.
Wouldn't it make sense to limit the scope of any kind of modular parser/crypto using privilege isolation, so that even if malicious code starts running it is utterly incapable of affecting anything else?
i.e. shouldn't all such modules - crypto, image, parser run within some kind of privilege jails and communicate with the involved application using something like a socket? Hell, couldn't Windows do just that and wrap it up so API users don't notice? What am I missing here? I'm not picking on Windows here, same thing could be done on *NIX.
Crappy MS "GDI Detection Tool" (Score:3, Interesting)
This'll be good for catching downloaders . . . (Score:3, Interesting)
Re:This'll be good for catching downloaders . . . (Score:4, Insightful)
Is it named yet? (Score:3, Funny)
Hacked CNN Advertisements (Score:5, Insightful)
Millions of instant zombies.
That's f*cking scary....
Re:Hacked CNN Advertisements (Score:4, Informative)
The tech note at MS tells all (Score:3, Informative)
TechNet Home > Security > Microsoft Security Bulletin MS04-028
Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)
Issued: September 14, 2004
Updated: September 21, 2004
Version: 1.2
Summary
Who should read this document: Customers who use any of the affected operating systems, affected software programs, or affected components.
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: Customers should apply the update immediately.
Security Update Replacement: None
Caveats: If you have installed any of the affected programs or affected components listed in this bulletin, you should install the required security update for each of the affected programs or affected components. This may require the installation of multiple security updates. See the FAQ section of this bulletin for more information.
Tested Software and Security Update Download Locations:
Affected Software:
Microsoft Windows XP and Microsoft Windows XP Service Pack 1 - Download the update (KB833987)
Microsoft Windows XP 64-Bit Edition Service Pack 1 - Download the update (KB833987)
Microsoft Windows XP 64-Bit Edition Version 2003 - Download the update (KB833987)
Microsoft Windows Server(TM) 2003 - Download the update (KB833987)
Microsoft Windows Server 2003 64-Bit Edition - Download the update (KB833987)
Microsoft Office XP Service Pack 3 - Download the update (KB832332)
Microsoft Office XP Service Pack 2 - Download the administrative update (KB832332)
Microsoft Office XP Software:
Outlook® 2002
Word 2002
Excel 2002
PowerPoint® 2002
FrontPage® 2002
Publisher 2002
Access 2002
Microsoft Office 2003 Software:
Outlook® 2003
Word 2003
Excel 2003
PowerPoint® 2003
FrontPage® 2003
Publisher 2003
Access 2003
InfoPath(TM) 2003
OneNote(TM) 2003
Microsoft Project 2002 (all versions) and Microsoft Project 2002 Service Pack 1 (all versions) - Download the update (KB831931)
Microsoft Project 2003 (all versions) - Download the update (KB838344)
Microsoft Visio 2002 Service Pack 1 (all versions) and Microsoft Visio 2002 Service Pack 2 (all versions) - Download the update (KB831932)
Microsoft Visio 2003 (all versions) - Download the update (KB838345)
Microsoft Visual Studio .NET 2002 - Download the update (KB830348)
Microsoft Visual Studio .NET 2002 Software:
Visual Basic .NET Standard 2002
Visual C# .NET Standard 2002
Visual C++ .NET Standard 2002
Microsoft Visual Studio .NET 2003 - Download the update (KB830348)
Microsoft Visual Studio .NET 2003 Software:
Visual Basic .NET Standard 2003
Visual C# .NET Standard 2003
Visual C++ .NET Standard 2003
Visual J# .NET Standard 2003
The Microsoft .NET Framework version 1.0 SDK Service Pack 2 - Download the update (KB867461)
Microsoft Picture It!® 2002 (all versions) - Download the update
Microsoft Greetings 2002 - Download the update
Microsoft Picture It! version 7.0 (all versions) - Download the update
Microsoft Digital Image Pro version 7.0 - Download the update
Microsoft Picture It! version 9 (all versions, including Picture It! Library) - Download the update
Microsoft Digital Image Pro version 9 - Download the update
Microsoft Digital Image Suite version 9 - Download the update
Microsoft Producer for Microsoft Office PowerPoint (all versions)
Microsoft Platform SDK Redistributable: GDI+ - Download the update
Office Users Note Office XP Service Pack 2 and Office XP Service Pack 3 are both vulnerable to this issue. However the security update for Office XP Service Pack 2 is only provided as part of the Office XP administrative security update. For more information, see the Security Update Information section. Office
ANSI Bombs (Score:3, Interesting)
Re:Anyone have a working copy? (Score:5, Informative)
Re:Anyone have a working copy? (Score:3, Funny)
Re:Anyone have a working copy? (Score:5, Informative)
Got the link from bugtraq a few hours ago.
Re:Anyone have a working copy? (Score:5, Informative)
Re:Anyone have a working copy? (Score:5, Funny)
Re:Anyone have a working copy? (Score:4, Funny)
God dammit! (Score:5, Funny)
Re:God dammit! (Score:3, Funny)
(yes, I know you're being silly, but what the hell :))
Re:Anyone have a working copy? (Score:5, Funny)
Just one more reason Linux isn't ready for the desktop.
Re:Anyone have a working copy? (Score:5, Funny)
Windows Users have all the fun!
Re:Anyone have a working copy? (Score:4, Informative)
In all seriousness, I downloaded an example of an Evil JPEG to my Linux computer and tried opening it up in various programs.
So, after five minutes of extremely unprofessional research and wild conjectures, I'd say it looks like the stories are true: some Linux programs may be vulnerable too. Yikes!
mind you, who would ever write an exploit that would only spread to five percent of the computers in the world? ;-)
Re:Anyone have a working copy? (Score:4, Funny)
app not working != app vulnerable to virus (Score:5, Insightful)
* Eye of Gnome seemed to work okay, but I got all sorts of weird redraw problems when I tried to resize the window.
* Gimp (2.1) says the JPEG is unsupported and couldn't be imported by the filter, then segfaults.
* Konqueror seems to work okay, but just shows a tall black rectangle, and its spinner is still chugging away, as if it's still busy loading something.
* Firefox 0.9.3 has no troubles at all; it just shows a nice white rectangle on a white background
These programs are not vulnerable to the exploit in the same way that Windows machines are vulnerable. In fact, the issues you saw appear to be in no way related to the intended result of the virus. GIMP's segfault seems to be the most serious of these, and it is still a minor problem. I believe all of your results can be achieved by opening a mangled/corrupted
Nutshell: One cannot conclude that graphics-related processes/apps on Linux machines are vulnerable to this virus.
PS Conclusions posited based on "unprofessional research and wild conjectures" are likely to cause much more harm than good. Is this really necessary? (not a flame - just an observation)
Re:app not working != app vulnerable to virus (Score:5, Insightful)
Certainly Gimp's segfault points to some sort of bounds-checking problem, and is likely exploitable. NO application should load this image for display. Bounds checking during load should throw an exception (or the equivalent error status for C) for the image and the application should report that the image is corrupt. Under no circumstances should a low-level library be handing this image data further up the chain.
Re:Anyone have a working copy? (Score:4, Interesting)
Simple answer: no, and that's why buffer overflow attacks work.
Yeah, I've been waiting for years to hear about the first image-based attacks for Linux. I was kind of surprised that the first exploits arrived for Windows instead of Linux, just because we've known about several holes in Linux over the years (look at the changelog for any image processing library). The down-side is that you can't always "root the box" based on an image attack because a user will be running the browser, but I would think that access to the machine is enough for most zombification and you can always go after local exploits to get root at that point.
Linux needs a good suite of exploitive data (that doesn't do anything) for projects to test against. Perhaps I'll work on that in my spare time (every format and protocol has many spots where it would be easy for a lazy programmer to do static allocation and then fail to bounds-check, so you just write code/generate data that exploits each one of these places). I've done this for specific proprietary applications before.
Re:Anyone have a working copy? (Score:5, Informative)
Graphic Converter complains that "Some parts of the file may be missing."
Safari displays a blank page, with no errors.
In all cases, I can't find any file-system goofiness. (And the free-with-DotMac Virex doesn't detect it as a virus.)
(The offending "virus" is available as a linked-to zip file in the linked virus.txt page.)
Re:Anyone have a working copy? (Score:5, Interesting)
Absolutely nothing. The file is only 8KB in size, and doesn't appear to contain any actual image data. Loading it up in GraphicConverter v4.9 over here (and Preview, and a number of other tools) just reports that the image file is corrupt.
Yaz.
Anyone think it's interesting... (Score:4, Interesting)
Apple really has come a long way around here, eh?
Re:Anyone think it's interesting... (Score:5, Interesting)
For the record, I bought my first Mac (a 12" PowerBook G4) this past spring based in significant part on all the good things I had read about Apple's latest offerings here on /. .
Yaz.
Re:Goatse (Score:3, Funny)
Re:Goatse (Score:3, Funny)
Re:Stop downloading porn? (Score:4, Funny)
Re:how and what (Score:5, Informative)
Jesus, an obvious end user asks a perfectly legitimate question and you call him an idiot for being surprised by the notion of a hostile JPEG- something that should rightfully amaze everybody. I doubt he understood your high level description. To the grandparent: here is a meandering crappy description of how a buffer overflow attack works:
A function call, in C, pushes the current program counter on the stack. Then it pushes the arguments onto the stack, and control jumps to the function which pops the arguments off the stack and does whatever with them. At the end it invokes a RET instruction that pops the program counter back off the stack and control jumps to the address there (to the point right after the CALL). These are just normal C calling conventions.
Variables defined in the function are stored on the stack. If a string like a URL (for example) needs to be defined, a buffer is allocated for it there. When the function returns, the space is automatically deallocated, the RET pops the program counter off the stack, and the function call returns. By default no bounds checking is done on data stored in these buffers. Some library functions, like gets(), don't do bounds checking. They can't, since they don't know the buffer size and would need to have it provided as an argument. Newer, safer versions exist that do take buffer size arguments, but that means these aren't the same library functions anymore. (FWIW the gets() call takes a pointer to a buffer of unknown size as an argument, reads a newlined string from stdin into the buffer, and returns the buffer pointer that was passed to it.)
It's up to the programmer to do bounds checking if he uses library calls vulnerable in this way. But this is extra work, and people are lazy. It's easier to just allocate a big, big buffer that's probably larger than you'll ever need, that "no reasonable URL" will ever exceed. So the programmer allocates a fixed 10K buffer on the stack and passes its address to a library function like gets().
The attacker gains control in these situations by creating a program input like a long, carefully crafted URL, slightly longer than 10K, that overflows the buffer inside the library function. The goal is to overwrite the return address on the stack with an address that's within the buffer. In the case of the Code Red worm, someone meticulously put together a URL that attacked an obscure ISAPI routine, and not only overwrote the return address, but also had machine code instructions waiting at the replacement address within the buffer- encoded right into the damn URL! (The buffer has been deallocated at this point, but hasn't been zeroed, so it's still there.)
It's harder to explain with a JPEG than with a URL. But a JPEG contains variable length data structures that are read into buffers on the stack. Someone writing the JPEG decoder forgot to do a bounds check- and so a mundane function for decoding JPEGs never returns. Instead it jumps into an endless loop that's been placed within the image buffer by the attacker.
So yes it is a bit like running an
Older versions of Notepad gagged on files larger than 64K, which seems suspicious. It's theoretically possible that a vulnerability could exist even in a text editor like Notepad allowing a carefully constructed
Re:how and what (Score:5, Informative)
So you see what happened. The unchecked library call in this case was memcpy(). The decoder trusts its input and sends a small signed integer (-2) off to memcpy() without checking the sign bit- and memcpy() thinks -2 is a huge unsigned integer (4294967294). What's the difference? Any reasonable number is going to be positive anyway, right? Who would give a comment a negative length!
I saw someone make this kind of goof even in Java, where you have signed-only types forced on you. Someone forgot that InputStream.read() returns an unsigned byte as an int (between 0-255), and they cast it to a signed byte and back without the &0xFF to zero out the 24 high bits. That got caught right before our product release. The consequence in that case would have been a hash algorithm with inconsistent output between stream and byte array inputs- not a security nightmare like this, but a long lasting migraine nevertheless.
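To make the two explanations above concrete (the generic stack-buffer walkthrough and the signed comment-length goof), here is an added Python example that is not from the thread and not Microsoft's or any decoder's real code. It walks a JPEG's marker segments the way a decoder would, shows how a declared length of 0 or 1 turns into a huge unsigned copy size once the 2 header bytes are subtracted, and flags such segments instead of trusting them. It generalises slightly beyond the thread: every length-bearing marker is checked, not only COM. The sample JPEG byte strings are constructed for the example; the function names are my own.

```python
import struct
from typing import List, Optional, Tuple

# JPEG marker codes (second byte after the 0xFF prefix).
SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Markers that carry no 2-byte length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, SOI, EOI, *range(0xD0, 0xD8)}

Segment = Tuple[int, int, Optional[int]]  # (marker, offset, declared length)


def vulnerable_payload_length(seg_len: int) -> int:
    """The arithmetic the thread describes: a decoder subtracts the 2 bytes of
    the length field itself, gets a signed result, and hands it to memcpy(),
    which reads it as a 32-bit unsigned size. Length 0 -> 4294967294."""
    signed = seg_len - 2
    return signed & 0xFFFFFFFF


def safe_payload_length(seg_len: int) -> int:
    """Hardened form: the field counts itself, so anything below 2 is bogus."""
    if seg_len < 2:
        raise ValueError(f"segment length {seg_len} smaller than its own header")
    return seg_len - 2


def list_segments(data: bytes) -> List[Segment]:
    """Walk marker segments from SOI up to SOS/EOI. Stops (without advancing
    past it) at the first segment whose length field cannot be honoured."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing SOI marker")
    segments: List[Segment] = [(SOI, 0, None)]
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        start = pos
        while pos < len(data) and data[pos] == 0xFF:  # skip 0xFF fill bytes
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            segments.append((marker, start, None))
            if marker == EOI:
                break
            continue
        if pos + 2 > len(data):
            raise ValueError(f"truncated length field at offset {pos}")
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]
        segments.append((marker, start, seg_len))
        if marker == SOS or seg_len < 2:
            break  # entropy-coded data follows SOS; a bad length is not walkable
        pos += seg_len
    return segments


def find_malformed(data: bytes) -> List[Segment]:
    """Return every length-bearing segment whose declared length is 0 or 1,
    i.e. the pattern a signed-length decoder would mishandle."""
    return [s for s in list_segments(data) if s[2] is not None and s[2] < 2]


# Constructed sample 1: SOI, a 5-byte comment "hello" (length 7), EOI.
GOOD_JPEG = b"\xFF\xD8" + b"\xFF\xFE" + struct.pack(">H", 7) + b"hello" + b"\xFF\xD9"

# Constructed sample 2: SOI, a normal JFIF APP0 segment, then a COM segment
# whose length field is 0 (the trap described above), then EOI.
JFIF_PAYLOAD = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
BAD_JPEG = (b"\xFF\xD8"
            + b"\xFF\xE0" + struct.pack(">H", 2 + len(JFIF_PAYLOAD)) + JFIF_PAYLOAD
            + b"\xFF\xFE" + b"\x00\x00"
            + b"\xFF\xD9")

if __name__ == "__main__":
    for name, blob in (("good", GOOD_JPEG), ("bad", BAD_JPEG)):
        print(name, "segments:", list_segments(blob))
        for marker, off, seg_len in find_malformed(blob):
            print(f"  marker 0x{marker:02X} at offset {off}: declared length {seg_len}, "
                  f"a signed decoder would copy {vulnerable_payload_length(seg_len)} bytes")
```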