Public Exploit For Windows JPEG Bug

Khoo writes "A sample program hit the Internet on Wednesday, showing by example how malicious coders could compromise Windows computers by using a flaw in the handling of a widespread graphics format by Microsoft's software. Security professionals expect the release of the program to herald a new round of attacks by viruses and Trojan horses incorporating the code to circumvent security on Windows computers that have not been updated. The flaw, in the way Microsoft's software processes JPEG graphics, could allow a program to take control of a victim's computer when the user opens a JPEG file." We mentioned this earlier.
  • Almost... (Score:3, Interesting)

    by mirko ( 198274 ) on Thursday September 23, 2004 @08:10AM (#10327694) Journal
    Now, to convince my company's managers to switch their userbase to Firefox, I just need it to support SSO (Single sign-on). Please, tell us it's coming, otherwise we'll keep using this tyrabrowsaurus...
  • PNG too? (Score:4, Interesting)

    by cpghost ( 719344 ) on Thursday September 23, 2004 @08:11AM (#10327699) Homepage

    What about the vuln. in the PNG libs? Any exploit in the wild?

  • Spammers (Score:5, Interesting)

    by sleepnmojo ( 658421 ) on Thursday September 23, 2004 @08:11AM (#10327700)
    The biggest problem here is when spammers use this in their opt-out link. This would probably be much more effective than the scrollbar hack they are using now. It just has to render the damn page, and wham, you're infected.
  • by YetAnotherName ( 168064 ) on Thursday September 23, 2004 @08:12AM (#10327707) Homepage
    ... when reading stories like this on my desktop computers, one of which is a Linux, the other of which is a Mac OS X ...

    Sure, they're not immune from security holes, exploits of various kinds, viruses and what-not ... but I have a strong suspicion that, even if they had as wide a user base as Windows, they'd still be more secure. The level of polish and craftsmanship of open source software (recall OS X's open source roots) can never be duplicated by Microsoft's paranoid and closed-doors efforts.
  • by Boss, Pointy Haired ( 537010 ) on Thursday September 23, 2004 @08:13AM (#10327711)
    ...because I have not seen this mentioned at all.

    Is the JPEG rendering in Firefox running on Windows independent of any underlying MS library and is therefore not affected?
  • by Advocadus Diaboli ( 323784 ) on Thursday September 23, 2004 @08:13AM (#10327714)
    On November 5 1999 we had the "Burn all GIFs" day because of patent issues. Shall we announce a "Burn all JPEGs" day because of Microsoft security issues now and switch all to PNG?
  • Re:Almost... (Score:3, Interesting)

    by pcardno ( 450934 ) on Thursday September 23, 2004 @08:14AM (#10327720) Homepage
    Is anyone working on Single Sign-on for the Firefox/Mozilla platform? We're stuck using IE here as well, as we've integrated Netegrity's SiteMinder with Windows Single Sign On into the whole Active Directory thing (i.e. sign into your Windows computer and from that IE can figure out who you are, so it personalises our Intranet), but I'd rather we could get over to Firefox simply cos it's faster and less buggy!

    Oh, and then other people in the company wouldn't sniff at me for using it!!
  • Related links? (Score:5, Interesting)

    by caluml ( 551744 ) <slashdot@spamgoe ... minus herbivore> on Thursday September 23, 2004 @08:14AM (#10327722) Homepage
    What's all this stuff in the related links?

    . Bug whitepapers
    . Best deals: Bug
    . More Bug stories
    . Security whitepapers
    . Best deals: Security
    . More Security stories
    . Windows whitepapers
    . Best deals: Windows
    . More Windows stories
    . Microsoft whitepapers
    . Best deals: Microsoft

    When did that start happening?
  • Are you patched? (Score:5, Interesting)

    by UnderAttack ( 311872 ) * on Thursday September 23, 2004 @08:14AM (#10327725) Homepage
    These early POC exploits are covered in today's ISC Diary [sans.org]. Note that now there is a script to generate images to add an Admin level user (username "X").

    Not too long until we see a remote shell.

    Some people are talking about seeing it used in an MSN Messenger worm.

    The hard part about patching this one is that a lot of third party software may overwrite the Windows JPEG GDI library with its own older version :-/
  • by Epistax ( 544591 ) <<moc.liamg> <ta> <xatsipe>> on Thursday September 23, 2004 @08:18AM (#10327747) Journal
    Still, I have to wonder how they internally wrote code to let things like this happen. It seems to me you want to write your program such that if something unintended does happen, it is at least bound in what it can do. Execution stemming from a JPEG? Oh, come on :P
  • Hard to patch (Score:5, Interesting)

    by Manip ( 656104 ) on Thursday September 23, 2004 @08:25AM (#10327788)
    This bug exists in most Microsoft Software. So for someone to patch they can't simply connect to Windows Update and consider themselves safe, they also have to patch Office, Visual Studio, some Microsoft Games, Server Software (misc, not covered by Update) and more.

    So don't sit there on an SP2 system and consider yourself safe. There is more than likely a whole host of ActiveX controls just waiting to be called and exploited by this bug.

    Also note that some applications written in Visual Basic can also be exploited.
  • Re:troll. (Score:3, Interesting)

    by Skye16 ( 685048 ) on Thursday September 23, 2004 @08:32AM (#10327834)
    Really? It loads pages faster for me. Sure, the initial start up time is worse, but...

    Just because you took his comment out of context doesn't mean he's a troll. :P
  • Re:Almost... (Score:5, Interesting)

    by SenseiLeNoir ( 699164 ) on Thursday September 23, 2004 @08:33AM (#10327847)
    This is exactly the problem I fear. All it takes is one spammer/cracker to bulk mail a hundred pictures to random HTML mail accounts (Hotmail, etc.) and you can see exactly where this is going to lead.

    Also those who use Firefox may not be 100% protected, because consider this scenario.

    1. Install Firefox
    2. Set Firefox as default browser
    3. Use MSN Messenger.
    4. MSN messenger pops up "you have new hotmail"
    5. Click link to see new mail, MSN Messenger opens up in INTERNET EXPLORER despite setting firefox as the default browser.
    6. You are owned.

    I am more concerned that after this, people may even mistakenly criticize Firefox, thinking that Firefox was their default browser and that they got infected via Firefox instead of IE.

    "I set up this firefox thingie, and set it as a default browser, yet I still have a virus, by just reading my email. Firefox is just as bad as IE"

    A second attack vector could be to change the mimetype of the JPEG, causing Firefox to download, then open it in the system handler for JPEGS.. and a possibility of being owned that way.

    Still, this may also be very good grounds for a class action against MS, as they are not honouring a user's request NOT to use IE.

    This all goes to prove that MS is a security hole that can even make secure applications appear insecure.

    Ow, my head hurts from thinking of this.. let me get some Paracetamol.
  • by slot32 ( 815657 ) on Thursday September 23, 2004 @08:36AM (#10327859) Homepage
    M$ release SP2 for XP. People resist installing because they hear it can screw things up etc., so they delay installing. M$ announce a new flaw with sample code in the wild, showing how every O/S they have (practically) is susceptible EXCEPT XP SP2. ...? Funny order of events, no?
  • by YetAnotherName ( 168064 ) on Thursday September 23, 2004 @08:44AM (#10327903) Homepage
    of which you know nothing

    As a user of Microsoft products, I witness their lack of stability, their tendency to crash or exhibit bugs, and their uncanny ability of corrupting user data, and so forth. After putting up with them for so long, I know quite a bit about them.

    Moreover, I used to be an employee. I worked at the Redmond campus. I know both the quality exhibited on the outside, and the quality that goes into the products on the inside.

    I do indeed know something.
  • by Anonymous Coward on Thursday September 23, 2004 @08:44AM (#10327905)
    http://sylvana.net/test/AP4.jpg

    will crash IE on an updated xp sp2 system.
  • by 0x0d0a ( 568518 ) on Thursday September 23, 2004 @08:47AM (#10327923) Journal
    You know, it might be worthwhile to write things like libjpeg in safe languages.

    Ocaml is pretty fast, but I realize that not everyone wants the runtime. How about cyclone [harvard.edu]? It's an extended version of C that's backwards compatible with C, but can pick up unsafe errors at compile time -- sounds pretty much like what folks might want.
  • Re (Score:1, Interesting)

    by Anonymous Coward on Thursday September 23, 2004 @08:50AM (#10327945)
    How long before some bug starts rampaging the internet because of the vulnerability in windows?

    Two weeks... less?

    Batten down the hatches I'd say, it won't be long before this one gets nasty.
  • by Cecil ( 37810 ) on Thursday September 23, 2004 @08:59AM (#10328008) Homepage
    For example, getting people to use "sudo" with a limited account makes sense to you and me, but might confuse the heck out of some newbie in Tennessee.

    That hasn't stopped Mac OS X from doing exactly that. You know, Apple, the guys who are all about usability to the point of having a set of UI design guidelines for all developers to abide by.
  • PROXY ! (Score:2, Interesting)

    by nucleargeek ( 544900 ) on Thursday September 23, 2004 @09:12AM (#10328105)
    Writing a proxy server that validates or blocks all JPG images going through it is probably possible. Such a proxy can also process PNG, BMP and other vulnerable formats. This proxy could be run either at the user level (personal protection) or at the ISP level.

    Time to start a new open source project !
  • by IamTheRealMike ( 537420 ) on Thursday September 23, 2004 @09:29AM (#10328207)
    Ah, I was thinking about how useful a safe C dialect would be only the other day. If Cyclone is the real thing, then getting a GCC frontend for it up and running then convincing maintainers of important libraries to port to it (or forking) might be a great way to help out open source security.

    /me goes back to reading the website

  • by Paulrothrock ( 685079 ) on Thursday September 23, 2004 @09:35AM (#10328254) Homepage Journal
    Well, most users are, uh, stupid.

    My fiancee put it thusly:
    "We've both been tested and have IQs around 140. An IQ of 100 is average, and 60 is retarded. So compared to us, even average people are retarded."

  • Re:Almost... (Score:4, Interesting)

    by Jucius Maximus ( 229128 ) on Thursday September 23, 2004 @09:46AM (#10328346) Journal
    "I tried to uninstall it, but it kept coming back. This is actually the more permanent solution since it keeps its shit in the registry so windows "thinks" it's up and working."

    I suggest you check out a pair of wonderful little tools called StartupMonitor [mlin.net] and Startup Control Panel [mlin.net]. The former will alert you when things try to register themselves as 'auto-startup' items in the registry and give you the option to shoot them down, and the latter will allow you to unregister already existing auto-startup items in the approximately seven different places they can lurk. It is very useful for eliminating and avoiding problems like this.

  • Re:Almost... (Score:2, Interesting)

    by pcardno ( 450934 ) on Thursday September 23, 2004 @10:03AM (#10328524) Homepage
    Sounds like our places have exactly the same issues! Our WSSO only works from your own laptop or desktop, and only if your screen saver settings are set to be passworded and turn on after 10 minutes. It's safe to say that caused a lot of arguments, particularly from people working in labs/manufacturing who run an experiment, go back to the computer, type something, go away for 5-10 minutes again, come back and so on, as they're sick of retyping their passwords.

    But the thing it is succeeding in doing is making people far more aware of the security of their own computer - after all, most people use their work computers to store personal stuff, whether it's correct to or not, then disappear off to lunch for an hour. Now that we have WSSO people are far more aware of exactly what they've done when they've signed into Windows and tend to lock their computers when they walk away - a previously unheard of thing to do!!

    Agreed though about the cross-application SSO - it'd be a godsend. We've also worked with some external companies (travel providers etc.) to extend our domain/trusts to their eSolutions so that we don't have to log into the Extranet sites either...
  • by Alejo ( 69447 ) <alejos1 AT hotmail DOT com> on Thursday September 23, 2004 @11:16AM (#10329356)

    For info on exploits, see badcoded [corest.com]. Note: This is not a 0day site, it is real info for exploit writing.
  • He knew it... (Score:5, Interesting)

    by insac ( 623145 ) on Thursday September 23, 2004 @11:30AM (#10329521)
    When I was in University there was an old professor who had us write a report about the JPEG format with code examples...

    When we were leaving his room he gave us this advice: "Beware the JPEG virus". It was 9 years ago and he was quite old and sometimes he acted/talked nonsense, so we made fun of his advice (we thought: since it was not an executable file, how could it carry a virus?), but he was right and we were wrong..

  • by julesh ( 229690 ) on Thursday September 23, 2004 @11:42AM (#10329634)
    "http://sylvana.net/test/AP4.jpg will crash IE on an updated xp sp2 system."

    It also crashes a Win2K system, which is NOT AFFECTED according to the original MS announcement.
  • Re:Related links? (Score:1, Interesting)

    by Anonymous Coward on Thursday September 23, 2004 @01:50PM (#10331221)
    Aye, but where do we go? Is there a site that's like the old slashdot (no, not kuro5hin)? Or is slashdot such a monopoly they can get away with sloppy work? Hmm, where have I heard that before...?
  • by Shmibbon ( 523329 ) on Thursday September 23, 2004 @07:57PM (#10335785) Homepage
    This has something to do with the Start of Scan (SOS) block. From here [funducode.com]:

    SOS (Start Of Scan) marker:

    Marker Identifier [2 bytes]
        0xff, 0xda identify SOS marker

    Length [2 bytes]
        This must be equal to 6+2*(number of components in scan).

    Number of Components in scan [1 byte]
        This must be from 1 to 4 (otherwise error), usually 1 or 3

    Each component [2 bytes]
        For each component, read 2 bytes. It contains:
            Component ID [1 byte]
                1=Y, 2=Cb, 3=Cr, 4=I, 5=Q
            Huffman table to use [1 byte]
                bit 0..3 : AC table (0..3)
                bit 4..7 : DC table (0..3)

    Ignorable Bytes [3 bytes]
        We have to skip 3 bytes.

    Important part is in bold.

    On that site are 3 important images: AlexPaul2, AP3, and AP4. All 3 display correctly in Firefox, IrfanView, and Windows Picture and Fax Viewer. The only problem seems to be with IE.

    With IE:
    AlexPaul2 - correct
    AP3 - hues are wrong, red and blue appear to be switched
    AP4 - CRASH

    All of these use 3 components in the scan, so there are 6 bytes total for that portion of the SOS block.

    AlexPaul2: 0100 0211 0311
    AP3: 0100 0311 0211
    AP4: 0311 0211 0100


    I have tried switching the order of these to each other and the problem absolutely stems from here.
    AP4 to AP3: 0100 0311 0211 - there is a red/blue hue difference between most programs and IE.
    AP4 to AP2: 0100 0211 0311 - there is no difference between the programs and IE.
    AP3 to AP4: 0311 0211 0100 - IE CRASH!
    AP3 to AP2: 0100 0211 0311 - there is no difference, but the red/blue hue switch appears in BOTH normal programs and IE. In other words, AP3 appears the same in IE with both settings.

    This last result makes me think IE is somehow trying to re-order these in ascending Component ID order, and this causes the errors.

    One thing the JFIF document I found doesn't mention is that the order of these components matters. Changing the order always makes the jpeg appear different (sort of like a newspaper comic with the inks misaligned) in non-IE programs. If anyone knows more about this, please respond.
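The SOS layout quoted in the comment above, and the image-validating proxy suggested earlier in the thread, both come down to the same check. The following is an added Python example, not code from the thread or from any of the products named in it: it parses one SOS segment exactly as laid out above, rejects segments whose length or component count break the stated rules, and flags component IDs that are not in ascending order. The three sample segments are constructed here from the byte orderings quoted for AlexPaul2, AP3 and AP4; the `build_sos` helper and the trailing Ss/Se/Ah/Al bytes are assumptions for building that sample data.

```python
import struct

SOS_MARKER = b"\xff\xda"

def parse_sos(data, offset=0):
    """Parse the SOS segment at `offset`; return (components, end_offset).
    components is a list of (component_id, dc_table, ac_table).  Any
    violation of the layout quoted above raises ValueError."""
    if data[offset:offset + 2] != SOS_MARKER:
        raise ValueError("no SOS marker at offset %d" % offset)
    if len(data) < offset + 5:
        raise ValueError("SOS header truncated")
    length = struct.unpack(">H", data[offset + 2:offset + 4])[0]
    ns = data[offset + 4]
    if not 1 <= ns <= 4:
        raise ValueError("component count %d outside 1..4" % ns)
    if length != 6 + 2 * ns:
        raise ValueError("SOS length %d != 6 + 2*%d" % (length, ns))
    end = offset + 2 + length
    if end > len(data):
        raise ValueError("SOS segment runs past end of data")
    comps = []
    for i in range(ns):
        cid, tables = data[offset + 5 + 2 * i], data[offset + 6 + 2 * i]
        comps.append((cid, tables >> 4, tables & 0x0F))  # DC high nibble, AC low
    # the last 3 bytes (Ss, Se, Ah/Al) are the "ignorable bytes" in the comment
    return comps, end

def components_in_ascending_order(comps):
    """True when component IDs appear in ascending order (the AlexPaul2 layout)."""
    ids = [c[0] for c in comps]
    return ids == sorted(ids)

def build_sos(components):
    """Assemble an SOS segment from (id, dc, ac) triples; used only to
    construct sample segments mirroring the byte layouts quoted above."""
    body = bytes([len(components)])
    for cid, dc, ac in components:
        body += bytes([cid, (dc << 4) | ac])
    body += b"\x00\x3f\x00"  # assumed Ss, Se, Ah/Al for a baseline scan
    return SOS_MARKER + struct.pack(">H", len(body) + 2) + body

# Constructed sample segments using the three component orderings quoted above.
SAMPLES = {
    "AlexPaul2": build_sos([(1, 0, 0), (2, 1, 1), (3, 1, 1)]),  # 0100 0211 0311
    "AP3": build_sos([(1, 0, 0), (3, 1, 1), (2, 1, 1)]),        # 0100 0311 0211
    "AP4": build_sos([(3, 1, 1), (2, 1, 1), (1, 0, 0)]),        # 0311 0211 0100
}
```

A filtering proxy would run `parse_sos` over each SOS segment it finds and either drop or log images where `components_in_ascending_order` is false, which covers both the AP3 and AP4 orderings described in the comment.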
