September 15th, 2004, 04:43 AM
That thread was BS. He claimed a jpeg would infect any picture viewer, it was really just a .exe renamed as .jpg or something silly. I think the thread's author was Grim_reaper or something similar.
As for the exploit....
All it takes is a creative vector to pull it off... Similar to the latest winamp exploit.
AngelicKnight, you would just have to view the picture to get the virus/code to execute on your computer from what I understand, so looking at pop-ups, email, banners, avatars, etc could get you infected.
There's a list in that link of exploitable software... It would have to be run in that environment to be exploitable. In the list of software that isn't affected, is IE. So avatars, banners, pop-ups... not vulnerable. Unless the vector involves IE.
September 15th, 2004, 05:04 AM
Search for posts by Grim Reaper..
Yes there is such a "Virus" BUT it is in two parts.. the first is the "Extraction" program the other was the "infected" Jpg.. the infection was embedded in the image using Stegnos methods..
This exploit works on the "Comment" section of the file and how MS products handle the file.. this is different to stegnos.(using redundant bits).
"Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
September 15th, 2004, 06:01 AM
You used to be able to feed AT modem line commands through an ASCII picture... I remember all of the dialup BBS's having a lot of fun with that one...
This new bug is pretty nasty.. I like how they say it doesn't affect Win2k unless you are running IE6SP2.. Umm.. how could you not be running IE?? hehe.. definitely make sure that IE isn't opening up any graphic files, or any type of files for that matter..
September 15th, 2004, 06:01 AM
Well, nobody said the JPEG file had to actually be an image! The moment MS products try to render the JPEG, they copy 4GB of data onto the heap, with whatever this JPEG had inside of it going there. So simply put, this isn't actually a JPEG that is an image, it is simply an executable that pretends to be an image so that when someone tries to open the image the code it has is copied straight to where it gets executed, and the image doesn't load because it appears to be corrupt. (Just an executable taking advantage of vuln in JPEG loading to get itself executed by the OS)
The bad thing is that someone could burn a CD of images, one of which won't be an image but will use the JPEG Comments bug to infect others, and when Windows decides to thumbnail everything the code is loaded into memory and executed...
There are also the images that are ~5MB in size but easily eat up several hundred MB of RAM while Windows tries to make a thumbnail icon for it. I run into these when working with high-resolution images that are over 5000x5000 pixels in size. I like working on things at least 300dpi for the final prints, but I usually work in at least 600dpi before downsampling to what will be used for the final print.
September 15th, 2004, 08:11 AM
I came across this when I was searching for the above subject, and the
WARNING, THE URL MAY CONTAIN VIRUS (90% CHANCE)
DO NOT CLICK ON IT UNLESS YOU ARE ABSOLUTELY SURE ABOUT
WHAT YOU ARE ABOUT TO DO.
I MYSELF HAVEN'T TRIED THAT (I THINK MY COMPANY FIREWALL BLOCKS IT)
September 15th, 2004, 09:16 AM
since kate.krashed.org resolves to 127.0.0.3 which in my case also constitutes as localhost..
it doesn't work..
same as hackme.tp2.be (127.0.0.1)..
perhaps it does something more weird on a windows box..
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio
the best station for C64 Remixes !
September 15th, 2004, 12:56 PM
wow. thanks for all the info guys. I think I'm gonna update my xp pro on that part for the jpeg issues.
When you have eliminated the impossible, whatever remains, however improbable, must be the truth. - Sherlock Holmes
i am NOT a hacker :Þ
September 15th, 2004, 01:22 PM
Originally posted here by ric-o
Here are Microsoft's September security bulletins. The JPEG processing vulnerability is scary: it affects a TON of stuff, pretty much everything (see list below)...
Microsoft Security Bulletin MS04-028:
Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)
****SEE LIST OF AFFECTED SOFTWARE****
Microsoft Security Bulletin MS04-027:
Vulnerability in WordPerfect Converter Could Allow Code Execution (884933)
we were warned weren't we..
September 15th, 2004, 02:35 PM
The Really Worrying Thing is...
If Microsoft have known about it for so long, and given the vulnerability's danger ranking (assigned by Microsoft), why isn't the patch in SP2? Maybe I've missed something here?
Courtesy of lumpyporridge
Advisory: September 14, 2004
Reported: October 7, 2003
Tomorrow is another day for yesterday's work!
September 15th, 2004, 05:54 PM
Tsk, tsk. I am surprised at a few of you...
The JPEG file itself is not the issue, look closely at the affected software listed. It is how MS processes the JPEG image, i.e. when opening it in Internet Explorer to view it. The buffer underrun condition overwrites the code used to process the image and PRESTO, instant haxor. So no, this is not steganography but just another example of sloppy unchecked buffers in MS code.
For those interested in steganography, the CDC (cult of the dead cow) has a nice browser called CameraShy which allows you to view image files that have text hidden in them. Of course you will need a few things to be able to see the text but the browser at least alerts you to the fact that these files exist on the site you are on.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden