September 15th, 2004, 09:42 PM
Re: The Really Worrying Thing is...
Originally posted here by Simple Simon
If MicroSoft have known about it for so long, and given the vulnerabilities danger ranking (assigned by MicroSoft), why isn't the patch in SP2? May be I've missed something here?
This bug is obviously involved with some code that is pretty tightly woven into the OS.. Just look at how wide spread the problem is to see how common this code is. I'm sure most of the time spent on this bug was fixing the extensive coding issue that they obviously have. Eeye is a damn good vulnerability finder, so I'm sure it didn't take more than a couple of days for MS to verify what Eeye gave them. It really isn't easy to update code on that many different products. A lot of compatibility testing is involved. Because you know if they released a patch that crashed the server they would be crucified for it.
September 15th, 2004, 10:13 PM
Crucufied if you do, crucified if you don't.......
Because you know if they released a patch that crashed the server they would be crucified for it.
The benefit here is that EEye found it a year ago and it wasn't exploited to any degree known. Thus, the non-disclosure works. M$ had time to deal with an inherent issue in many of it's products, they obviously kept in touch with EEye as to their progress which kept EEye from going to full disclosure. OTOH, it was sufficiently "secure/obscure" that it took EEye to find it and for the most part we have to think that it went undiscovered by those with malicious intent otherwise it would have become "non-zero day" prior to the patch.
Applause to all involved from me.... it was done right.
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides
September 18th, 2004, 04:42 AM
Found this today and thought it may help to learn about this jpeg discussion
Microsoft warns of poisoned picture peril
By Kevin Poulsen, SecurityFocus Sep 14 2004 5:54PM
The old bromide that promises you can't get a computer virus by looking at an image file crumbled a bit further Tuesday when Microsoft announced a critical vulnerability in its software's handling of the ubiquitous JPEG graphics format.
The security hole is a buffer overflow that potentially allows an attacker to craft a special JPEG file that would take control of a victim's machine when the user views it through Internet Explorer, Outlook, Word, and other programs. The poisoned picture could be displayed on a website, sent in e-mail, or circulated on a P2P network.
Windows XP, Windows Server 2003 and Office XP are vulnerable. Older versions of Windows are also at risk if the user has installed any of a dozen other Microsoft applications that use the same flawed code, the company said in its advisory. The newly-released Windows XP Service Pack 2 does not contain the hole, but vulnerable versions of Office running atop it can still be attacked if left unpatched. Patches are available from Microsoft's website.
The company said it's not aware of the hole being publicly exploited in the wild, and has not seen any examples of proof of concept code.
The JPEG bug rounds out a growing menagerie of vulnerabilities in code that displays image files. Mozilla developers last month patched the open-source browser against a critical hole discovered in a widely-deployed library for processing PNG images. And last July, Microsoft simultaneously fixed two image display holes in Internet Explorer: one made users potentially vulnerable to maliciously-crafted BMP images, the second to corrupt GIF files. The GIF bug had been publicly disclosed 11 months earlier.
There was a time when the idea of a malicious image file was absurd enough to be the topic of an April Fools joke. One early and widely-circulated hoax message dating from 1994 warned users of a computer virus infecting the comment field of JPEG files.
"It was someone saying that just looking at a JPEG on your screen can get you a virus," recalls Rob Rosenberg, editor of the debunking site Vmyths.com. "In '94 it was a myth, but in '04 it's the real thing... We've got the JPEG of death now."