Full Disclosure mailing list archives

Re: Windows XP JPEG Buffer Overflow


From: jklemenc () fnal gov
Date: Fri, 17 Sep 2004 15:33:53 -0500

Why is it that the GDI+ dll was fixed for PictureIT back in February '04? 
If you pull down all the patches, the PictureIT patches date to 02/26/04 
and the XP SP1 patch dates to 03/02/04? Then add to it XPSP2 is already 
patched. Did MS sit on this patch until there was an exploit available in 
the wild (or at least POC)? 

<SPECULATION>
My take on this is that someone was either writing their own JPG editor 
-OR- was using some 3rd party image editor and was adding comments to the 
image file. Their action of writing the comments field incorrectly (with 
an unprintable character at the start of the comment) either via their 
custom application -OR- via some 3rd party app triggered an application 
crash when viewing with PictureIT (or maybe PictureIT was the software 
used to create the comments). This was probably reported to MS as a 
PictureIT bug, which was patched in PictureIT. It was probably ported to 
the other GDI+ applications/OS's, but never rolled out (probably waiting 
to be rolled silently into a service pack as it was with XPSP2). Once POC 
code got out, they had to pull the trigger on releasing a patch. That 
would account for the numerous duplicate patches listed in the KB article. 
If you look, the gdiplus.dll is the same size/date/version for Office 
2003, Visio 2003 & Project 2003, as are others in like groups, except 
there are separate downloads for each. This seems to indicate that the 
offending file was fixed a while back, but was sitting dormant for each 
product until an update was issued separately. MS could have easily rolled 
up like patchsets to detect and update all of their products, such as in 
the past.
</SPECULATION>

How many other patches are in this state that will only be released once 
someone goes public with POC code?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

