[Vmyths.com ALERT] Hysteria predicted for 'JPEG Processor' vulnerability

Discussion in 'Virus Information' started by Rob Rosenberger, Sep 15, 2004.

  1. Vmyths.com Virus Hysteria Alert
    Truth About Computer Security Hysteria
    {15 September 2004, 01:55 CT}

    CATEGORIES: (1) Misconceptions about a real computer security threat
    (2) A historical perspective on recent hysteria

    Microsoft has issued a "critical" alert regarding a "buffer overrun" in software it uses to display JPEG images. In theory, if you try to view a specially crafted JPEG file, it could take over your computer and do whatever it wishes. Microsoft has released a security patch to fix this buffer overrun. Vmyths urges you to download the patch, install it, and get on with your life.

    Buffer Overrun in JPEG Processing Could Allow Code Execution:
    http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

    Vmyths believes media outlets will POUNCE on this story, because (a) Microsoft announced a "critical" vulnerability in the way its software reads an ubiquitous file type, and (b) computer emergency response teams have issued their own alerts. Watch for breathless speculation and hysteria in the coming days. Some naïve system administrators may tell reporters they'll delete JPEG files from emails and refuse to let web browsers display JPEG files, "strictly as a precaution." (We don't expect anyone will implement this Draconian measure for very long. We believe too many users will clamor against it.)

    Remember this when virus hysteria strikes:
    http://Vmyths.com/resource.cfm?id=31&page=1

    Microsoft's "JPEG Processor" vulnerability manifests itself as a buffer overrun in a piece of software. It is NOT caused by the JPEG file format itself. Buffer overruns are extremely common: you'll find them in almost every large software application (even antivirus software). They can create situations where even a filename itself can wreak havoc. By definition, every buffer overrun will eventually join its brothers in the land of obscurity.

    Buffer overruns in antivirus software:
    http://zdnet.com.com/2100-11-515441.html

    The "Code Red" worms successfully exploited a buffer overrun in 2001, and Vmyths believes some reporters will allude to this -- as if to imply a horrific JPEG attack may be just around the corner. Buffer overruns are extremely common, yet they only rarely ever get exploited. Researcher Georgi Guninski, for example, publishes "proof of concept" exploits for many of the "critical" buffer overruns he finds. Guninski's exploits have never made a splash despite his best efforts.


    A little history -- this isn't the first time an image file format has come under fire. An April Fool's joke targeted JPEG files a decade ago:

    1994 April Fool "JPEG virus" alert:
    http://www.2meta.com/april-fools/1994/JPEG-Virus.html

    In 2001, researchers claimed a specially crafted GIF file could be used to cause a buffer overrun in Microsoft Outlook. It was purely a coincidence that a GIF file could exploit this threat.

    In 2002, the "Perrun" virus added software to the computers it infected, then it modified the Windows registry so future viruses could "ride" inside a JPEG file. The virus writer could have chosen to do the same thing with GIF files or even TEXT files. Antivirus vendor Sophos urged restraint over the Perrun virus, saying "some anti-virus vendors may be tempted to predict the end of the world as we know it, or warn of an impending era when all graphic files should be treated with suspicion. Such experts should be ashamed of themselves."

    McAfee gets slapped in 2002 for "JPEG virus" alert:
    http://www.sophos.com/virusinfo/articles/perrun.html


    Vmyths suspects a hoax virus alert will arise with instructions to delete the JPEG registered file type in Windows. (It's practically a self-fulfilling prophesy.) Such a hoax will play on the user's misconception of the threat. Don't take unsolicited advice from people who are NOT experts. Users will self-damage their operating systems if they delete the JPEG registered file type.

    False Authority Syndrome
    http://Vmyths.com/fas/fas1.cfm

    Stay calm. Stay reasoned. And stay tuned to Vmyths.

    Rob Rosenberger, editor
    http://Vmyths.com

    (319) 646-2800

    Acknowledgements:
    Phone call from Kevin Poulsen, SecurityFocus

    CATEGORIES: (1) Misconceptions about a real computer security threat
    (2) A historical perspective on recent hysteria

    --------------- Useful links ------------------

    Common clichés in the antivirus world
    http://Vmyths.com/resource.cfm?id=22&page=1
     
    Rob Rosenberger, Sep 15, 2004
    #1
    1. Advertisements

  2. CERTs like the US CERT.... { not the king w/Retsyn ;-) }



    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Technical Cyber Security Alert TA04-260A
    Microsoft Windows JPEG component buffer overflow

    Original release date: September 16, 2004
    Last revised: --
    Source: US-CERT

    Systems Affected

    This vulnerability affects the following Microsoft Windows operating
    systems by default:

    * Microsoft Windows XP and Microsoft Windows XP Service Pack 1
    * Microsoft Windows XP 64-Bit Edition Service Pack 1
    * Microsoft Windows XP 64-Bit Edition Version 2003
    * Microsoft Windows Server 2003
    * Microsoft Windows Server 2003 64-Bit Edition

    Other Microsoft Windows operating systems, including systems running
    Microsoft Windows XP Service Pack 2, are not affected by default.
    However, this vulnerability may affect all versions of the Microsoft
    Windows operating systems if an application or update installs a
    vulnerable version of the gdiplus.dll file onto the system.

    Please note that this vulnerability affects any software that uses the
    Microsoft Windows operating system or Microsoft's GDI+ library to
    render JPEG graphics. Please see Systems Affected section of the
    vulnerability note to determine if third-party software is affected. A
    list of affected Microsoft products is available in Appendix B, or for
    the complete list of affected and non-affected Microsoft products,
    please see Microsoft Security Bulletin MS04-028.

    Overview

    Microsoft's Graphic Device Interface Plus (GDI+) contains a
    vulnerability in the processing of JPEG images. This vulnerability may
    allow attackers to remotely execute arbitrary code on the affected
    system. Exploitation may occur as the result of viewing a malicious
    web site, reading an HTML-rendered email message, or opening a crafted
    JPEG image in any vulnerable application. The privileges gained by a
    remote attacker depend on the software component being attacked.

    I. Description

    Microsoft Security Bulletin MS04-028 describes a remotely exploitable
    buffer overflow vulnerability in Microsoft's Graphic Device Interface
    Plus (GDI+) JPEG processing component. Attackers can exploit this
    vulnerability by convincing a victim user to visit a malicious web
    site, read an HTML-rendered email message, or otherwise view a crafted
    JPEG image with a vulnerable application. No user intervention is
    required beyond viewing an attacker-supplied JPEG image.

    Any applications (Microsoft or third-party) that use the GDI+ library
    to render JPEG images may present additional attack vectors for this
    vulnerability. While some applications use the Windows operating
    system version of the GDI+ library, other applications may install and
    use another version, which may also be vulnerable. Microsoft has
    created a GDI+ Detection Tool to help detect products that may contain
    a vulnerable version of the JPEG parsing component. Microsoft
    Knowledge Base Article 873374 provides instructions on how to download
    and use this tool.

    In addition to running Microsoft's detection utility, we recommend
    searching your system for "gdiplus.dll" to help determine what
    third-party applications may be affected by this vulnerability. Also
    note that applications may re-install a vulnerable version of the GDI+
    library if re-installed after a patch has been applied.

    We are tracking this vulnerability in Vulnerability Note VU#297462.
    This reference number corresponds to CVE candidate CAN-2004-0200.

    II. Impact

    Remote attackers exploiting the vulnerability described above may
    execute arbitrary code with the privileges of the user running the
    software components being attacked.

    III. Solution

    Apply patches from Microsoft

    Apply the appropriate patches as specified in Microsoft Security
    Bulletin MS04-028. Please note that this bulletin provides several
    updates to the operating system and various applications that rely on
    GDI+ to render JPEG images. Depending on your system's configuration,
    you may need to install multiple patches.

    In addition to releasing some patches on Windows Update, Microsoft has
    released some patches on Office Update, and developer tool patches are
    available from MS04-028.

    Apply patches from third-party vendors

    Third-party software that relies on GDI+ to render JPEG images may
    also need to be updated. Apply the appropriate patches specified by
    your vendor. Please see the your vendor's site and the Systems
    Affected section of the vulnerability note for more information.
    Depending on your system's configuration, you may need install
    multiple patches.

    Follow Microsoft recommendations for workarounds

    Microsoft provides several workarounds for this vulnerability. Note
    that these workarounds do not remove the vulnerability from the
    system, and they will limit functionality. Please consult the
    "Workarounds for JPEG Vulnerability - CAN-2004-0200" section of
    Microsoft Security Bulletin MS04-028.

    Appendix A. References

    * Microsoft Security Bulletin MS04-028 -
    <http://microsoft.com/technet/security/bulletin/MS04-028.asp>
    * Microsoft End User Security Bulletin for MS04-028 -
    <http://www.microsoft.com/security/bulletins/200409_jpeg.mspx>
    * US-CERT Vulnerability Note VU#297462 -
    <http://www.kb.cert.org/vuls/id/297462>
    * Microsoft KB Article 873374 -
    <http://support.microsoft.com/?id=873374>
    * CVE CAN-2004-0200 -
    <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0200>

    Appendix B. Affected Microsoft Products

    The following Microsoft Products are affected:
    * Microsoft Office XP Service Pack 3
    * Microsoft Office XP Service Pack 2
    * Microsoft Office XP Software:
    + Outlook 2002
    + Word 2002
    + Excel 2002
    + PowerPoint 2002
    + FrontPage 2002
    + Publisher 2002
    * Microsoft Office 2003
    * Microsoft Office 2003 Software:
    + Outlook 2003
    + Word 2003
    + Excel 2003
    + PowerPoint 2003
    + FrontPage 2003
    + Publisher 2003
    + InfoPath 2003
    + OneNote 2003
    * Microsoft Project 2002 Service Pack 1 (all versions)
    * Microsoft Project 2003 (all versions)
    * Microsoft Visio 2002 Service Pack 2 (all versions)
    * Microsoft Visio 2003 (all versions)
    * Microsoft Visual Studio .NET 2002
    * Microsoft Visual Studio .NET 2002 Software:
    + Visual Basic .NET Standard 2002
    + Visual C# .NET Standard 2002
    + Visual C++ .NET Standard 2002
    * Microsoft Visual Studio .NET 2003
    * Microsoft Visual Studio .NET 2003 Software:
    + Visual Basic .NET Standard 2003
    + Visual C# .NET Standard 2003
    + Visual C++ .NET Standard 2003
    + Visual J# .NET Standard 2003
    * The Microsoft .NET Framework version 1.0 SDK Service Pack 2
    * Microsoft Picture It! 2002 (all versions)
    * Microsoft Greetings 2002
    * Microsoft Picture It! version 7.0 (all versions)
    * Microsoft Digital Image Pro version 7.0
    * Microsoft Picture It! version 9 (all versions, including Picture
    It! Library)
    * Microsoft Digital Image Pro version 9
    * Microsoft Digital Image Suite version 9
    * Microsoft Producer for Microsoft Office PowerPoint (all versions)
    * Microsoft Platform SDK Redistributable: GDI+
    * Internet Explorer 6 Service Pack 1
    * The Microsoft .NET Framework version 1.0 Service Pack 2
    * The Microsoft .NET Framework version 1.1
    _________________________________________________________________

    Feedback can be directed to the US-CERT Technical Staff.
    _________________________________________________________________

    This document is available from:

    <http://www.us-cert.gov/cas/techalerts/TA04-260A.html>

    _________________________________________________________________

    Copyright 2004 Carnegie Mellon University.

    Terms of use: <http://www.us-cert.gov/legal.html>
    _________________________________________________________________

    Revision History

    Sept 16, 2004: Initial release
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.1 (GNU/Linux)

    iQEVAwUBQUnrRhhoSezw4YfQAQJUHQf/RWwQLPaATa/RdE+j8PLEiJdLlh17XxaR
    b0/irS0+Sx83t7HAuWgQdZR4xu5qIkUuWYKCTEPNHNXfwSNJc6LE3/MfoEurFVzE
    SdChZa3/q3rc3631COon9B8yNVvUQqaQIe3BjwwJWlaj4F9Su9QrcO7N6JpVuJsW
    dc0FuiVy/fJB2Jji+31q3krekW2BHuTA0I7TUaahwy18RHnJDNPUgldQenf8+A6E
    Y8G98ofdruO/zR5jIceRKpd2lTWFamQmV5IgvH25LoXro1negtS72SkqWl4zqVyK
    12bfvjkFWqRhociMssA4ehz52SqUT71lZCyxFkqtrNiJuDJrkgek3w==
    =CCT/
    -----END PGP SIGNATURE-----
     
    David H. Lipman, Sep 17, 2004
    #2
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.