Message-ID: <415999E9.5020403@sdf.lonestar.org>
From: bkfsec at sdf.lonestar.org (Barry Fitzgerald)
Subject: Re: Full-Disclosure digest, Vol 1 #1933 - 20 msgs
milw0rm Inc. wrote:
>JPEG GDI problem,
>
>Isn't this problem only capable of running if the jpeg was opened via
>the user's actions?
>
>Is it possible that webpages could be affected with jpegs with
>internet explorer viewing them? I wouldn't think so since what I have
>read from multiple people's articles that it isn't this kind of bug.
>
>Info needed.
>
>Regards,
>str0ke
>
>
>
>
Here's my understanding of it:
The bug can be exploited whenever an application relies on a
vulnerable version of gdiplus.dll to render jpeg image files onscreen
(or, I suppose, in any other way that gdiplus.dll can be used to process
jpegs - I'm not familiar with the GDI+ interface).
That includes IE, Office applications, or anything that relies on a
vulnerable gdiplus.dll file.
What are the ramifications of this?
I think that the predictions of worms based on this are a bit
far-fetched. Would it be possible to create a jpeg that would copy
itself to other drives on a shared network in an auto-executable
position? I suppose so... however, it would be noisy and probably
wouldn't be amazingly successful. Having a worm installer within a jpeg
is plausible, though.
I'd consider the following scenarios to be plausible:
- JPEG in nefarious web page includes malicious code.
- JPEG in SPAM includes malicious code.
- JPEG in mass-mailer worm includes malicious code.
- JPEG in ad pop-up/sidebar includes adware/spyware installer.
(malicious)
- Mass-mailer worm includes an attachment for a known vulnerable
third-party program that triggers the GDI+ vuln. (how successful this
might be would depend on the application being attacked.)
- Download.Jecht style mass-compromise of websites to embed
malicious code inside of JPEGs.
Those are the most plausible scenarios I can think up for this.
Anything else is unlikely in my thoughts.
-Barry
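Every scenario Barry lists above comes down to a malformed JPEG reaching a gdiplus.dll-based renderer, so the defensive question is how a mail gateway or proxy would recognise such a file before it is rendered. The following is an added example written for this archive page; it is not code from either poster and it does not exploit anything. It walks the marker segments of a JPEG and flags structural impossibilities, most importantly a segment whose 16-bit length field is 0 or 1, which the JPEG format forbids because the length counts its own two bytes; that a length smaller than two is what trips up a parser computing "length - 2" is my understanding of the GDI+ bug under discussion, not something stated in the thread. The sample inputs (GOOD_JPEG, BAD_JPEG) are constructed skeletons, not real pictures.

```python
import struct

# JPEG markers that carry no length field.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))  # TEM, SOI, EOI, RST0..RST7
SOS = 0xDA
EOI = 0xD9


def scan_jpeg(data: bytes) -> list[str]:
    """Walk the marker segments of a JPEG and return a list of findings.

    An empty list means the segment structure is well formed. The key check is
    the 16-bit segment length: the JPEG spec says it includes its own two
    bytes, so a value of 0 or 1 is structurally impossible and is the kind of
    malformed input a renderer that computes 'length - 2' cannot handle safely.
    """
    findings: list[str] = []
    if data[:2] != b"\xff\xd8":
        return ["no SOI marker at offset 0"]
    pos = 2
    while pos < len(data):
        start = pos
        if data[pos] != 0xFF:
            findings.append(f"expected 0xFF at offset {pos}, got 0x{data[pos]:02x}")
            break
        while pos < len(data) and data[pos] == 0xFF:  # 0xFF fill bytes are legal
            pos += 1
        if pos >= len(data):
            findings.append("file ends inside a marker")
            break
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            if marker == EOI:
                return findings  # normal end of image
            continue
        if pos + 2 > len(data):
            findings.append(f"marker 0x{marker:02x} at offset {start} has no length field")
            break
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            findings.append(f"marker 0x{marker:02x} at offset {start} declares length {length} (< 2)")
            break  # nothing after this can be parsed reliably
        if pos + length > len(data):
            findings.append(f"marker 0x{marker:02x} at offset {start} runs past end of file")
            break
        pos += length
        if marker == SOS:
            # Entropy-coded data follows: skip until the next real marker
            # (0xFF not followed by 0x00 byte stuffing or an RSTn marker).
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
            else:
                findings.append("no EOI marker after scan data")
                break
    else:
        findings.append("file ends without EOI marker")
    return findings


def segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment with a correct length field (used for the samples)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: a structurally valid skeleton (not a decodable picture).
GOOD_JPEG = (
    b"\xff\xd8"
    + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + segment(0xFE, b"harmless comment")
    + segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56"  # fake scan data containing one stuffed 0xFF00
    + b"\xff\xd9"
)

# Constructed sample: identical except the COM segment claims a length of 1.
BAD_JPEG = (
    b"\xff\xd8"
    + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + b"\xff\xfe\x00\x01"  # COM marker with an impossible length field
    + b"harmless comment"
    + segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\xff\xd9"
)

if __name__ == "__main__":
    for name, blob in (("good", GOOD_JPEG), ("bad", BAD_JPEG)):
        print(name, scan_jpeg(blob) or "ok")
```

A filter built this way rejects on structure alone, so it does not depend on a signature for any particular payload and catches the file whether it arrives as a web image, a spam attachment, or an ad banner. It deliberately stops at the first impossible length instead of trying to resynchronise, since anything after that point is untrustworthy.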