Re: [Vmyths.com ALERT] Hysteria predicted for 'JPEG Processor' vulnerability

[KF_lists <kf_lists () secnetops com>]

<sarcasm>
Um yeah... I am gonna trust vmyths.com to understand how buffer 
overflows work... and I will hold their word as gold in regards to 
potential exploitability.

RIiiiiiiiiiight.

Thats just such a shame that Guninskis efforts are so fruitless.
</sarcasm>
-KF


Rob Rosenberger wrote:
> Vmyths.com Virus Hysteria Alert
> Truth About Computer Security Hysteria
> {15 September 2004, 01:55 CT}
>
> CATEGORIES: (1) Misconceptions about a real computer security threat
>             (2) A historical perspective on recent hysteria
>
> Microsoft has issued a "critical" alert regarding a "buffer overrun" in software it uses to display JPEG images.  In 
> theory, if you try to view a specially crafted JPEG file, it could take over your computer and do whatever it wishes.  Microsoft has 
> released a security patch to fix this buffer overrun.  Vmyths urges you to download the patch, install it, and get on with your life.
>
>    Buffer Overrun in JPEG Processing Could Allow Code Execution:
>       http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
>
> Vmyths believes media outlets will POUNCE on this story, because (a) Microsoft announced a "critical" vulnerability in the way its software 
> reads an ubiquitous file type, and (b) computer emergency response teams have issued their own alerts.  Watch for breathless speculation and hysteria 
> in the coming days.  Some naïve system administrators may tell reporters they'll delete JPEG files from emails and refuse to let web browsers 
> display JPEG files, "strictly as a precaution."  (We don't expect anyone will implement this Draconian measure for very long.  We 
> believe too many users will clamor against it.)
>
>    Remember this when virus hysteria strikes:
>       http://Vmyths.com/resource.cfm?id=31&page=1
>
> Microsoft's "JPEG Processor" vulnerability manifests itself as a buffer overrun in a piece of software.  It is NOT caused by 
> the JPEG file format itself.  Buffer overruns are extremely common: you'll find them in almost every large software application (even 
> antivirus software).  They can create situations where even a filename itself can wreak havoc.  By definition, every buffer overrun will 
> eventually join its brothers in the land of obscurity.
>
>    Buffer overruns in antivirus software:
>       http://zdnet.com.com/2100-11-515441.html
>
> The "Code Red" worms successfully exploited a buffer overrun in 2001, and Vmyths believes some reporters will allude to this -- as if to imply a 
> horrific JPEG attack may be just around the corner.  Buffer overruns are extremely common, yet they only rarely ever get exploited.  Researcher Georgi 
> Guninski, for example, publishes "proof of concept" exploits for many of the "critical" buffer overruns he finds.  Guninski's 
> exploits have never made a splash despite his best efforts.
>
>
> A little history -- this isn't the first time an image file format has come under fire.  An April Fool's joke targeted 
> JPEG files a decade ago:
>
>    1994 April Fool "JPEG virus" alert:
>       http://www.2meta.com/april-fools/1994/JPEG-Virus.html
>
> In 2001, researchers claimed a specially crafted GIF file could be used to cause a buffer overrun in Microsoft Outlook. 
>  It was purely a coincidence that a GIF file could exploit this threat.
>
> In 2002, the "Perrun" virus added software to the computers it infected, then it modified the Windows registry so future viruses could 
> "ride" inside a JPEG file.  The virus writer could have chosen to do the same thing with GIF files or even TEXT files.  Antivirus vendor 
> Sophos urged restraint over the Perrun virus, saying "some anti-virus vendors may be tempted to predict the end of the world as we know it, or 
> warn of an impending era when all graphic files should be treated with suspicion.  Such experts should be ashamed of themselves."
>
>    McAfee gets slapped in 2002 for "JPEG virus" alert:
>       http://www.sophos.com/virusinfo/articles/perrun.html
>
>
> Vmyths suspects a hoax virus alert will arise with instructions to delete the JPEG registered file type in Windows.  (It's 
> practically a self-fulfilling prophesy.)  Such a hoax will play on the user's misconception of the threat.  Don't take 
> unsolicited advice from people who are NOT experts.  Users will self-damage their operating systems if they delete the JPEG registered 
> file type.
>
>    False Authority Syndrome
>       http://Vmyths.com/fas/fas1.cfm
>
> Stay calm.  Stay reasoned.  And stay tuned to Vmyths.
>
> Rob Rosenberger, editor
> http://Vmyths.com
> Rob () Vmyths com
> (319) 646-2800
>
> Acknowledgements:
>    Phone call from Kevin Poulsen, SecurityFocus
>
> CATEGORIES: (1) Misconceptions about a real computer security threat
>             (2) A historical perspective on recent hysteria
>
> --------------- Useful links ------------------
>
> Common clichés in the antivirus world
> http://Vmyths.com/resource.cfm?id=22&page=1
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html