Full Disclosure mailing list archives

Re: [Vmyths.com ALERT] Hysteria predicted for 'JPEG Processor' vulnerability


From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Wed, 15 Sep 2004 16:34:32 -0400

Rob Rosenberger wrote:

Vmyths.com Virus Hysteria Alert
Truth About Computer Security Hysteria
{15 September 2004, 01:55 CT}

CATEGORIES: (1) Misconceptions about a real computer security threat
           (2) A historical perspective on recent hysteria

Microsoft has issued a "critical" alert regarding a "buffer overrun" in software it uses to display JPEG images.  In 
theory, if you try to view a specially crafted JPEG file, it could take over your computer and do whatever it wishes.  Microsoft has 
released a security patch to fix this buffer overrun.  Vmyths urges you to download the patch, install it, and get on with your life.

  Buffer Overrun in JPEG Processing Could Allow Code Execution:
     http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

Why did this need a Vmyths advisory?

So far, I haven't read any disinformation in the media regarding this. A virus can actually be embedded in the file with this vulnerability (or, any program, really) and the vulnerable programs really can be exploited using the JPEG files. I don't think this is at all comparable to an April Fools joke or a steganography-using malware implementation -- they're completely different than this.

If you want a prediction, my experience would indicate that this is more likely to be utilized than it is to not be utilized. Perhaps not in mass-use by attackers, but I would predict that we're probably going to see one or two, at least, adware/spyware distributors using this. It's the kind of hole that they love. So, yeah, patch away - as usual.

I think that what people should take away from this is that files are input and programs shouldn't just explicitly trust input -- but they often do, or their trust controls are circumvented, and bad nasty files can do damage. So the moral of the story is: be careful who you get your software from, because you have to load files which means that the vendor that trusts the input the least is the one that you want.

I will say that Microsoft's release was confusing (not inappropriately so -- the matrix of affected software isn't as simple as it normally is) and that will generate some very poor advice, but where's the fire? I haven't seen any hoaxes at the moment and none were cited... so, where's the fire?

            -Barry
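Barry's point that "files are input" applies directly to the JPEG marker structure the bulletin concerns. The following is an added example, not code from the thread or from any vendor: a JPEG segment walker that validates every length field before using it. It assumes only the JPEG spec fact that a segment's 16-bit length includes the two length bytes themselves, so a value below 2 is malformed, and that the payload must fit in the bytes actually held. The sample byte arrays are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Walk the marker segments of a JPEG stream up to SOS or EOI, refusing to
   trust any length field until it has been checked. Returns the number of
   accepted segments, or -1 if the stream is malformed. (Hypothetical helper
   written for this example; fill bytes and stand-alone markers outside the
   entropy-coded data are not handled.) */
int jpeg_count_segments(const uint8_t *buf, size_t len)
{
    size_t pos;
    int count = 0;

    /* Every JPEG starts with SOI (FF D8), which carries no length field. */
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8)
        return -1;
    pos = 2;

    while (pos + 2 <= len) {
        if (buf[pos] != 0xFF)
            return -1;                      /* not at a marker boundary */
        uint8_t marker = buf[pos + 1];
        if (marker == 0xD9 || marker == 0xDA)
            return count;                   /* EOI, or SOS: entropy data follows */
        if (pos + 4 > len)
            return -1;                      /* no room for a length field */
        /* Big-endian length that INCLUDES its own two bytes. Subtracting 2
           from a value of 0 or 1 without this check underflows to a huge
           payload size; reject it instead. */
        uint16_t seglen = (uint16_t)((buf[pos + 2] << 8) | buf[pos + 3]);
        if (seglen < 2)
            return -1;
        /* The declared payload must also fit inside the buffer we hold. */
        if ((size_t)seglen > len - (pos + 2))
            return -1;
        pos += 2 + seglen;
        count++;
    }
    return -1;                              /* ran off the end without EOI */
}

/* Constructed samples: a well-formed COM segment, a COM segment whose length
   field is below the 2-byte minimum, and one whose length overruns the data. */
static const uint8_t kGood[]      = {0xFF,0xD8, 0xFF,0xFE,0x00,0x05,'a','b','c', 0xFF,0xD9};
static const uint8_t kBadLength[] = {0xFF,0xD8, 0xFF,0xFE,0x00,0x01, 0xFF,0xD9};
static const uint8_t kTruncated[] = {0xFF,0xD8, 0xFF,0xFE,0x00,0x64, 'A','B'};

int main(void)
{
    printf("good=%d bad=%d truncated=%d\n",
           jpeg_count_segments(kGood, sizeof kGood),
           jpeg_count_segments(kBadLength, sizeof kBadLength),
           jpeg_count_segments(kTruncated, sizeof kTruncated));
    return 0;
}
```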

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

