Sept 15 -- Windows Users, JPG vulnerability found

[Keith]

Please update your Windows installation as soon as possible:
http://windowsupdate.microsoft.com

There is a new JPG vulnerability that can allow arbitrary code to be
run on your computer.

More details are found at this link:
http://www.wired.com/news/infostructure/0,1377,64959,00.html?tw=wn_tophead_6
and here:
http://www.microsoft.com/security

Keith -- Easynews Support

[markus.support]

On Wed, 15 Sep 2004 18:08:07 GMT, str8 <st...@easynews.invalid> wrote:

>It never ends, does it?

Doesn't seem to, but at least MS is getting faster at fixing
things....hopefully.

- mark -

[Keith]

Something to do with loading a >2GB file...I think.

So don't go loading those random >2GB images you see posted
like spam!

Keith -- Easynews Support
http://forum.easynews.com

[swany]

Tim <timmib...@excite.not.com> wrote:
>Hi,
>
>I just did a fast snooping and didn't really find anything about
>the 'vulnerability'. Would anyone in support have a more technical
>reference than the two articles Keith pointed to? That is, the
>ability to embed one file within a jpg image file has been known
>and used for several years. What is happening now to raise an
>issue?
>
>TIA
>
>Be well,
>
>Tim
>

It is possible to "malform" a jpeg so that arbitrary code can be executed on Windows
machines that use GDI to load and view images. From what I can gather, most likely
the GDI library call that loads JPEG images has a buffer overflow. Since many
windows applications use the the GDI library to convert JPEG, bitmap and other image
formats into DIB (device independant bitamps) this bug is likely to be very easily
exploited. Because so many JPEGs are posted to Usenet, and because simply attempting
to view the image can cause your machine to become compromised, we highly recommend
that you patch immediately.

Images sent via e-mail could also trigger the bug, so I expect a new worm will be
created to exploit this vulnerability fairly quickly.
--

This .sig file has been removed to make room for other .sig files.

[swany]

yak <sp...@hormel.com> wrote:
> ... There are only are few programs that are vulnerable to this. I did the
> windows update for nothing, heh.
>

I strongly disagree, and Microsoft doesn't release "critical" updates for nothing.

Since Windows Explorer (which is just one component of XP that is vulnerable,
others include Paint, Picture Viewer, and Wordpad) is vulnerable to the bug, along
with any other apps that use GDI+ this is a highly exploitable and very dangerous
vulnerability.

Directly from the Wired article:
"The one thing that makes this a bit different is that it affects so many
applications," said Craig Schmugar, a virus research manager at McAfee. "Home users
should definitely roll this (patch) out as soon as possible."
..

and from the MS bulletin:
This issue affects software that supports this image format, including some
versions of Microsoft Windows, Microsoft Office, and Microsoft developer tools. If
you have any of the listed software installed on your computer, you should install
the related update.
..

Any applications that load JPEG images using GDI+ library calls are most likely
vulnerable. Applications that use custom code to load JPEG images are most likely
not vulnerable.

[Stuart]

In article <MPG.1bb275a4a...@proxy.news.easynews.com>,
sp...@hormel.com says...
> In article <4c22d.47$DX.17...@news.easynews.com>, n...@email.supplied
> says...

> Well, I ran the update and it told me I didn't have any vulnerable apps
> installed.

FWIW, from

http://www.microsoft.com/security/bulletins/200409_jpeg.mspx

"Important Windows XP Service Pack 2 (SP2) is not affected by this issue.
Windows XP SP2 users only need to update Office (if installed)."

Which begs the question, why did this thing appear on the critical update
list for SP2? Have I installed some kind of vulnerability checker, and if
so, how do I access it again, say, after installing some software which
may have re-opened the vulnerability? Would I need to?

--
Stuart

[Uni]

Another good reason to switch to Linux.

:-)

Uni

[swany]

str8 <st...@easynews.invalid> wrote:
>I don't know. Maybe you could take a survey. It can be a short one. It'd
>ask customers something like this:
>
> Given that Microsoft has known what buffer overflows are
> for quite some many years now, would you rather they spend
> the next year stamping out such exploits and making the
> base code stable and secure, or would you rather they work
> on 3D desktops?
>

Actually, I occasionally get paid to take surveys via a third party survey company and
they very recently had just such a survey from Microsoft.

It wasn't as direct as that, but that was basically the type of questions they were
asking.

[swany]

>FWIW, from
>
>http://www.microsoft.com/security/bulletins/200409_jpeg.mspx
>
>"Important Windows XP Service Pack 2 (SP2) is not affected by this issue.
>Windows XP SP2 users only need to update Office (if installed)."
>
>Which begs the question, why did this thing appear on the critical update
>list for SP2? Have I installed some kind of vulnerability checker, and if
>so, how do I access it again, say, after installing some software which
>may have re-opened the vulnerability? Would I need to?
>
>--
>Stuart
>

The related download for XP SP2 is a checker for vulnerable apps. Some apps improperly included
their own version of gdiplus.dll instead of using the one included with Windows. The older versions
of the dll included with those apps needs to be replaced with the newer version, otherwise those apps
will still be vulnerable to the bug.

If you have any apps that need upgraded, the update checker will take you to the updates page.

[swany]

Uni <no.e...@no.email.invalid> wrote:
>Another good reason to switch to Linux.
>
>:-)
>
>Uni
>
>

Thats a bogus reason to switch to Linux as far as I am concerned. Open source
software doesn't in general have less vulnerabilities than closed source software.
The vulnerabilities tend to get noticed quicker (in some cases) than others and
sometimes fixed faster, but users have just as hard a time, if not harder,
upgrading packages and keeping their Linux machines secure as Windows users.

[Stuart]

In article <lbl2d.61$DX.22...@news.easynews.com>, n...@email.supplied
says...
<snip>

> The related download for XP SP2 is a checker for vulnerable apps. Some apps improperly included
> their own version of gdiplus.dll instead of using the one included with Windows. The older versions
> of the dll included with those apps needs to be replaced with the newer version, otherwise those apps
> will still be vulnerable to the bug.
>
> If you have any apps that need upgraded, the update checker will take you to the updates page.

The question is, what happens /after/ I've run the update checker, and
then install such a vulnerable app? Will it be blocked, automatically
upgraded, or will I need to run the update checker again? If so, how?
Not that this will be a problem for me, but it is sure to be for someone.

--
Stuart

[Bart Van Hemelen]

Stuart <stu...@knapton.clara.co.uk> spake thus on the subject of "" in
easynews.support on Wed, 15 Sep 2004 23:57:43 GMT:

> http://www.microsoft.com/security/bulletins/200409_jpeg.mspx

Went to that page in Mozilla, guess what: the button to check for
vulnerabilities doesn't work. I needed to start up IE to get that page to
work.

--
--
Bart Van Hemelen
--------------------------------------------------------------------------
lots of useful information (downloading from usenet, EasyNews features,...)
here:
http://users.pandora.be/bvh2000/useful.html
--------------------------------------------------------------------------

[Blair]

"swany" <n...@email.supplied> wrote in message
news:Sfl2d.62$DX.22...@news.easynews.com...

The real question is: does anyone even need a reason to switch to a
different OS? At this point, my answer would be no.

---
Blair
EasyNews Support

[Uni]

swany wrote:
> Uni <no.e...@no.email.invalid> wrote:
>
>>Another good reason to switch to Linux.
>>
>>:-)
>>
>>Uni
>>
>>
>
>
> Thats a bogus reason to switch to Linux as far as I am concerned. Open source
> software doesn't in general have less vulnerabilities than closed source software.
> The vulnerabilities tend to get noticed quicker (in some cases) than others and
> sometimes fixed faster, but users have just as hard a time, if not harder,
> upgrading packages and keeping their Linux machines secure as Windows users.

S', at one time I respected Microsoft. However, they are so slow at
dealing with security issues, these days. If you use Microsoft software,
you're a sitting duck for trouble. Heck, even one of your colleagues
mentioned something about vulnerability with .JPG files and Microsoft
software.

After I reading this site, you'll understand why:
http://www.hevanet.com/peace/microsoft.htm

Best regards,
Uni

[Uni]

Bart Van Hemelen wrote:
> Stuart <stu...@knapton.clara.co.uk> spake thus on the subject of "" in
> easynews.support on Wed, 15 Sep 2004 23:57:43 GMT:
>
>
>>http://www.microsoft.com/security/bulletins/200409_jpeg.mspx
>
>
> Went to that page in Mozilla, guess what: the button to check for
> vulnerabilities doesn't work. I needed to start up IE to get that page to
> work.

Microsoft ensures that the only browser that will work with their site
is Internet Explorer (AKA The Sitting Duck of Adware/Spyware). Microsoft
wants so badly to take over the internet.

Uni

[Uni]

Jaimie Vandenbergh wrote:
> On Fri, 17 Sep 2004 04:02:45 GMT, Robin Banks
> <rbn_...@REMOVEhotmail.com> wrote:

>
>
>>On Fri, 17 Sep 2004 03:11:16 GMT, Uni <no.e...@no.email.invalid> wrote:
>>
>>
>>>Microsoft ensures that the only browser that will work with their site
>>>is Internet Explorer (AKA The Sitting Duck of Adware/Spyware). Microsoft
>>>wants so badly to take over the internet.
>>

>>Get off it, grow up, stop seeing black helicopters where they are none.
>
>
> I see a greyed-out button in Firefox. What black helicopter?

More like a black cloud over you, if you use Microsoft software.

:-)

Uni

>