lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: bkfsec at sdf.lonestar.org (Barry Fitzgerald)
Subject: [Vmyths.com ALERT] Hysteria predicted for 'JPEG
 Processor' vulnerability

Rob Rosenberger wrote:

>Vmyths.com Virus Hysteria Alert
>Truth About Computer Security Hysteria
>{15 September 2004, 01:55 CT}
>
>CATEGORIES: (1) Misconceptions about a real computer security threat
>            (2) A historical perspective on recent hysteria
>
>Microsoft has issued a "critical" alert regarding a "buffer overrun" in software it uses to display JPEG images.  In theory, if you try to view a specially crafted JPEG file, it could take over your computer and do whatever it wishes.  Microsoft has released a security patch to fix this buffer overrun.  Vmyths urges you to download the patch, install it, and get on with your life.
>
>   Buffer Overrun in JPEG Processing Could Allow Code Execution:
>      http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
>
>  
>
Why did this need a Vmyths advisory?

So far, I haven't read any disinformation in the media regarding this.  
A virus can actually be embedded in the file with this vulnerability 
(or, any program, really) and the vulnerable programs really can be 
exploited using the jpeg files.  I don't think this is at all comparible 
to an april fools joke or a steganography-using malware implementation 
-- they're completely different than this.

If you want a prediction, my experience would indicate that this is more 
likely to be utilized than it is to not be utilized.  Perhaps not in 
mass-use by attackers, but I would predict that we're probably going to 
see one or two, at least, adware/spyware distributors using this.  It's 
the kind of hole that they love.  So, yeah, patch away - as usual.

I think that what people should take away from this is that files are 
input and programs shouldn't just explicitely trust input -- but they 
often do, or their trust controls are circumvented, and bad nasty files 
can do damage.  So the moral of the story is: be careful who you get 
your software from, because you have to load files which means that the 
vendor that trusts the input the least is the one that you want.

I will say that Microsoft's release was confusing (not inappropriately 
so -- the matrix of affected software isn't as simple as it normally is) 
and that will generate some very poor advice, but where's the fire?  I 
haven't seen any hoaxes at the moment and none were cited... so, where's 
the fire?

             -Barry


Powered by blists - more mailing lists