Closed Thread Icon

Topic awaiting preservation: the JPEG of death : aka possible buffer overflow in some JPEG (Page 1 of 1) Pages that link to <a href="https://ozoneasylum.com/backlink?for=23326" title="Pages that link to Topic awaiting preservation: the JPEG of death : aka possible buffer overflow in some JPEG (Page 1 of 1)" rel="nofollow" >Topic awaiting preservation: the JPEG of death : aka possible buffer overflow in some JPEG <span class="small">(Page 1 of 1)</span>\

 
poi
Paranoid (IV) Inmate

From: France
Insane since: Jun 2002

posted posted 09-16-2004 10:58

Microsoft warns of poisoned picture peril. As it's said in the article, that sort of claim was a good joke in 94, but it's crystal clear that a specially crafted JPEG ( read a jpeg where you've changed only 4 bytes ) could generate a buffer overflow in a poorly coded image library.

InI
Maniac (V) Mad Scientist

From: Somewhere over the rainbow
Insane since: Mar 2001

posted posted 09-16-2004 12:46

The poster has demanded we remove all his contributions, less he takes legal action.
We have done so.
Now Tyberius Prime expects him to start complaining that we removed his 'free speech' since this message will replace all of his posts, past and future.
Don't follow his example - seek real life help first.

liorean
Bipolar (III) Inmate

From: Umeå, Sweden
Insane since: Sep 2004

posted posted 09-16-2004 13:54

http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx - It affects practically every Microsoft product that is produced in house, not only iew. I believe this is a bug in Microsoft's in house graphics libraries.

Well, there recently was a fix for a similar exploit in libpng that moz was affected by. Moz also recently fixed another similar hole in their BMP handling. I would guess saf uses libpng too, and thus have (or rather, had) the same flaw...

--
var Liorean = {
prototype: JavaScriptGuru.prototype,
abode: "http://liorean.web-graphics.com/",
profile: "http://codingforums.com/member.php?u=5798"};

Iron Wallaby
Paranoid (IV) Inmate

From: USA
Insane since: May 2004

posted posted 09-16-2004 14:34

There is a recently discovered buffer overflow in Mozilla/Firefox/Thunderbird of a similar type.

Updating to 1.73/1.0PR/0.8 solves the problem, though.

"Any sufficiently advanced technology is indistinguishable from magic." -- Arthur C. Clarke
"Any sufficiently arcane magic is indistinguishable from technology." -- P. David Lebling

InI
Maniac (V) Mad Scientist

From: Somewhere over the rainbow
Insane since: Mar 2001

posted posted 09-16-2004 14:45

The poster has demanded we remove all his contributions, less he takes legal action.
We have done so.
Now Tyberius Prime expects him to start complaining that we removed his 'free speech' since this message will replace all of his posts, past and future.
Don't follow his example - seek real life help first.

poi
Paranoid (IV) Inmate

From: France
Insane since: Jun 2002

posted posted 09-16-2004 14:58

The bugs #83 and #89 in the list of known vulnerabilities in Mozilla adresses possible vulnerabilities in PNG and BMP image libraries as liorean and Iron Wallaby said.

InI: I don't know if the famous Intel JPEG library is vulnerable but actually I won't really be surprised if it were 'cause exploits is based on the assumption that the images have been created in a program and therefore are/should be valid as the before mentioned program handled the image safely. Whatever the fix should be fairly easy, and could simply abort the decoding of an image if its computed size goes beyond the capabilities of the language/operating system/data structure.

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted posted 09-16-2004 15:39

well, the current Microsoft jpeg bug is in the GDI+ Library - which is a part of windows, starting with XP, and could be bolted to 2000.
Therefore, a lot of apps carried their own copies to run on windows 2000.

Here's a quick list, curtesy of heise online

  • Windows XP and Microsoft Windows XP Service Pack 1
  • Windows XP 64-Bit Edition Service Pack 1
  • Windows XP 64-Bit Edition Version 2003
  • Windows Server&#8482; 2003
  • Windows Server 2003 64-Bit Edition
  • Office XP Service Pack 3
  • Office XP Service Pack 3
  • Outlook 2002
  • Word 2002
  • Excel 2002
  • PowerPoint 2002
  • FrontPage 2002
  • Publisher 2002
  • Office 2003
  • Outlook 2003
  • Word 2003
  • Excel 2003
  • PowerPoint 2003
  • FrontPage 2003
  • Publisher 2003
  • InfoPath 2003
  • OneNote 2003
  • Project 2002 Service Pack 1
  • Project 2003
  • Visio 2002 Service Pack 2
  • Visio 2003
  • Visual Studio .NET 2002
  • Visual Basic .NET Standard 2002
  • Visual C# .NET Standard 2002
  • Visual C++ .NET Standard 2002
  • Visual Studio .NET 2003
  • Visual Basic .NET Standard 2003
  • Visual C# .NET Standard 2003
  • Visual C++ .NET Standard 2003
  • Visual J# .NET Standard 2003
  • Microsoft .NET Framework version 1.0 SDK Service Pack 2
  • Microsoft .NET Framework version 1.0 Service Pack 2
  • Microsoft .NET Framework version 1.1
  • Picture It! 2002
  • Greetings 2002
  • Picture It! version 7.0 (alle Versionen)
  • Digital Image Pro version 7.0
  • Picture It! version 9
  • Digital Image Pro version 9
  • Digital Image Suite version 9
  • Producer for Microsoft Office PowerPoint
  • Microsoft Platform SDK Redistributable: GDI+
  • Internet Explorer 6 Service Pack 1



basically everything from microsoft past 2001 that touches jpegs.

DmS
Maniac (V) Inmate

From: Sthlm, Sweden
Insane since: Oct 2000

posted posted 09-16-2004 20:28

Holy sh*t!
I've read the links and this acually means that if you open/view a "bugified" jpeg in one of these proggies you are vunerable, correct?

I thought I was beyond getting shocked by stuff like this, but crap... this is, just ...

The more I run my little mac instead of the stationary PC, the more I'm considering converting the PC to a linux-server... Things just work without endless patching and warnings all the time...
/Dan

{cell 260} {Blog}
-{ ?Computer games don?t affect kids; I mean if Pac-Man affected us as kids, we?d all be running around in darkened rooms, munching magic pills and listening to repetitive electronic music.? (Kristian Wilson, Nintendo, Inc, 1989.) }-

InI
Maniac (V) Mad Scientist

From: Somewhere over the rainbow
Insane since: Mar 2001

posted posted 09-17-2004 00:10

The poster has demanded we remove all his contributions, less he takes legal action.
We have done so.
Now Tyberius Prime expects him to start complaining that we removed his 'free speech' since this message will replace all of his posts, past and future.
Don't follow his example - seek real life help first.

poi
Paranoid (IV) Inmate

From: France
Insane since: Jun 2002

posted posted 09-30-2004 04:25

Security Update for Internet Explorer 6 Service Pack 1 (KB833989) aka how to waste 1069 Kb.

Notice that the exploit of Windows JPEG Processing Buffer Overrun PoC Exploit (MS04-028) is public, and it shouldn't be long until a wave of "JPEG of Death" attacks poke its nose.

Jestah
Maniac (V) Mad Scientist

From: Long Island, NY
Insane since: Jun 2000

posted posted 09-30-2004 05:20

Linux will probably never gain that sort of foothold in the industry but if it ever did, people would hate it just as they hate Microsoft.

Tyberius Prime
Paranoid (IV) Mad Scientist with Finglongers

From: Germany
Insane since: Sep 2001

posted posted 09-30-2004 07:41

too late. The first trojan JPEGs have popup up in newsgroups, and I've heard about a 'jpeg-builder'. You just specify the url with whatever you wish to be exectued on the victims computer. It downloads and runs that.

sonyafterdark
Obsessive-Compulsive (I) Inmate

From: Bucharest, Romania, Eastern Europe
Insane since: Sep 2004

posted posted 09-30-2004 09:07

MicroSoft software prior to windows 2000 is also affected?
Only MicroSoft software affected?
Are there similar bugs known with other formats? PNGs, maybe?

Keep an open mind and a closed skull but don't outlive your happiness.

poi
Paranoid (IV) Inmate

From: France
Insane since: Jun 2002

posted posted 09-30-2004 09:14

why don't you read the Microsoft Security Bulletin MS04-028 provided above by liorean ?
As of today, a similar vulnerability has been found, and fixed in the LibPNG 1.2.5 and below.

liorean
Bipolar (III) Inmate

From: Umeå, Sweden
Insane since: Sep 2004

posted posted 09-30-2004 16:45

Note that said libpng vulnerability (the one poi is talking about) was fixed in Mozilla and other applications relying on libpng and patched before the vulnerability was made public, so it never was that large a problem. (As you could see in the moz1.7 change logs (think it was 1.7.2, but I'm not sure), the libpng people submitted a patch to it that should have made it's way into all recent moz1.7/1.8 and ff0.9/0.10 builds.)

The GDI+ vulnerability on the other hand is still open for exploitation and some unpatched programs overwrite the new patched version with the old vulnerable version. Notably some programs like Macromedia Dreamweaver, that doesn't even use GDI+. So, just because you've patched your system you aren't entirely safe from it. Microsoft has released a tool to detect and remove the vulnerability.

--
var Liorean = {
prototype: HTMLGuru.prototype,
abode: "http://codingforums.com/",
profile: "http://codingforums.com/member.php?u=5798"};

(Edited by liorean on 09-30-2004 17:20)

« BackwardsOnwards »

Show Forum Drop Down Menu