Message-ID: <41559FA2.6080805@linuxbox.org>
Date: Sat, 25 Sep 2004 18:41:06 +0200
From: Gadi Evron <ge@...uxbox.org>
To: John Bissell <monkey321_1@...mail.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Microsoft's GDI Detetection Tool faults


> Everyone better start getting the good patch soon before the new Sasser worm begins to spread! It's only a matter of time...

I have some things to say to you, and others. Then I will elaborate on 
_yet_another_ JPEG vulnerability.

I'll reply in the following order:
1. Patches are good.
2. Doomsday worms.
3. Media hype.
4. *New* JPEG vulnerability.
    (Let's hype it!)

Although installing patches and checking for new patches is sound 
advice, and although this vulnerability has potential for harm, I just 
don't get it.

Why go around spreading fear of a "doomsday worm"? If a worm shows up, 
it will. The social engineering risk of this vulnerability is 
considerably higher/easier than that of others in the past. Yet, there 
were similar vulnerabilities that ended up not "working out" for the bad 
guys.

Are "viruses" as a group going to employ this? Absolutely. I am positive 
of that fact.

Is it going to be huge? It might, I just don't see any reason to commit 
to it. It might just as simply be forgotten by next month's MS security 
patch release.

Picking out one security issue a month and hyping it is bad policy, and 
I wish security experts would stop playing along with the media on this.

Unlike some other vulnerabilities, this one is relatively easy to cope 
with in a "virus scan". Although compressed and thus problematic, the 
JPEG format is very orderly and simple. Any tampered JPEG would be 
discovered from a distance if somebody just looked.

AV and IDS tools detect it, and people download the patches. That's good 
enough and as good as anything we can do.

Those who do not install, update and use an AV, or fail to install 
patches will fall, as they always do. But how is that different than 
with any other worm?

Malware will appear that will use this, and in fact - a creation kit 
already appeared this Friday, but please.. please.. I beg of you (not 
you specifically) - stop the media hype of the situation.

People should be aware of the risks, protect themselves and not believe 
everything they see online. Throwing populations into a fit over this 
worm or that may be profitable, but it sure as hell won't solve the main 
issues.
That's all just wishful thinking, though.

There was a second problem with JPEGs, discovered by Maik Morgenstern, 
AV-Test.org.
They found a picture that was tampered to kill IE, different from the 
problem disclosed in MS04-028 and discovered a year ago (!!).

(a year.. makes you wonder, did they wait to release SP2 and what else 
is waiting for us that miraculously doesn't affect SP2?).

Unlike that vulnerability, this one works on SP2 but doesn't seem to be 
exploitable.

According to AV-Test.org/de, this was found in-the-wild. I am not their 
spokesman, although I am rather enthusiastic about their work. I only 
wish to stress the point that there is life beyond the monthly media-pick.

	Gadi Evron.

