[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <41559FA2.6080805@linuxbox.org>
Date: Sat, 25 Sep 2004 18:41:06 +0200
From: Gadi Evron <ge@...uxbox.org>
To: John Bissell <monkey321_1@...mail.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Microsoft's GDI Detetection Tool faults
> Everyone better start getting the good patch soon before the new Sasser worm begins to spread! It's only a matter of time...
I have some things to say to you, and others. Then I will elaborate on
_yet_another_ JPEG vulnerability.
I'll reply in the following order:
1. Patches are good.
2. Doomsday worms.
3. Media hype.
4. *New* JPEG vulnerability.
(Let's hype it!)
Although installing patches and checking for new patches is sound
advice, and although this vulnerability has potential for harm, I just
don't get it.
Why go around spreading fear of a "doomsday worm"? If a worm shows up,
it will. The social engineering risk of this vulnerability is
considerably higher/easier than that of others in the past. Yet, there
were similar vulnerabilities that ended up not "working out" for the bad
guys.
Are "viruses" as a group going to employ this? Absolutely. I am positive
of that fact.
Is it going to be huge? It might, I just don't see any reason to commit
to it. It might just as simply be forgotten by next month's MS security
patch release.
Picking out one security issue a month and hyping it is bad policy, and
I wish security experts would stop playing along with the media on this.
Unlike some other vulnerabilities, this one is relatively easy to cope
with in a "virus scan". Although compressed and thus problematic, the
JPEG format is very orderly and simple. Any tampered JPEG would be
discovered from a distance if somebody just looked.
AV and IDS tools detect it, and people download the patches. That's good
enough and as good as anything we can do.
Those who do not install, update and use an AV, or fail to install
patches will fall, as they always do. But how is that different than
with any other worm?
Malware will appear that will use this, and in fact - a creation kit
already appeared this Friday, but please.. please.. I beg of you (not
you specifically) - stop the media hype of the situation.
People should be aware of the risks, protect themselves and not believe
everything they see online. Throwing populations into a fit over this
worm or that may be profitable, but it sure as hell won't solve the main
issues.
That's all just wishful thinking, though.
There was a second problem with JPEGs, discovered by Maik Morgenstern,
AV-Test.org.
They found a picture that was tampered to kill IE, different from the
problem disclosed in MS04-028 and discovered a year ago (!!).
(a year.. makes you wonder, did they wait to release SP2 and what else
is waiting for us that miraculously doesn't effect SP2?).
Unlike that vulnerability, this one works on SP2 but doesn't seem to be
exploitable.
According to AV-Test.org/de, this was found in-the-wild. I am not their
spokesman, although I am rather enthusiastic about their work. I only
wish to stress the point that there is life beyond the monthly media-pick.
Gadi Evron.
Powered by blists - more mailing lists