| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <4149B975.29012.AA846794@localhost> From: nick at virus-l.demon.co.uk (Nick FitzGerald) Subject: [Vmyths.com ALERT] Hysteria predicted for 'JPEG Processor' vulnerability Barry Fitzgerald wrote: > Why did this need a Vmyths advisory? > > So far, I haven't read any disinformation in the media regarding this. > A virus can actually be embedded in the file with this vulnerability > (or, any program, really) and the vulnerable programs really can be > exploited using the jpeg files. I don't think this is at all comparible > to an april fools joke or a steganography-using malware implementation > -- they're completely different than this. > > If you want a prediction, my experience would indicate that this is more > likely to be utilized than it is to not be utilized. Perhaps not in > mass-use by attackers, but I would predict that we're probably going to > see one or two, at least, adware/spyware distributors using this. It's > the kind of hole that they love. So, yeah, patch away - as usual. I tend to agree with Barry (no relation) here. The buffer overflow in IE's handling of .BMP files, "found within five minutes of the Win2K source code leak", _was_ actively exploited by spammers to push out a small program that downloaded and installed other malware/spyware. It was never much of a story as it was used at a rather low rate (at least if your Email address was not in a domain where Russian versions of Windows were likely to be found) and it (probably) only worked on Russian Win2K SP1 (from memory; and then maybe only if you hadn't upgraded to IE 6.0?) due to the address used for the "jump back to overflow payload" instruction. Anyway, the point is, some enterprising hacker/spammer obviously felt that vulnerability could provide enough of an edge for some perceived market such that it was worth their time to explore further and develop a working exploit. > I think that what people should take away from this is that files are > input and programs shouldn't just explicitely trust input ... Well, sometimes they _must_. If so, such programs must be written especially carefully with much thought paid to designing safe exception detection. This is clearly a case where that has not happened (and is very similar to recent issues in imlib and other *nix-ish graphics libraries, zlib and so on as reported over the last few weeks). > ... -- but they > often do, or their trust controls are circumvented, and bad nasty files > can do damage. So the moral of the story is: be careful who you get > your software from, because you have to load files which means that the > vendor that trusts the input the least is the one that you want. Indeed. > I will say that Microsoft's release was confusing (not inappropriately > so -- the matrix of affected software isn't as simple as it normally is) > and that will generate some very poor advice, but where's the fire? I > haven't seen any hoaxes at the moment and none were cited... so, where's > the fire? 8-) The real question is... If there are no "hoaxes" or undue media hype about this, will Rob claim that his "warning" saved us from the devastation of the hypesters?? (Sorry Rob, couldn't resist...) -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854
Powered by blists - more mailing lists