Network Security CISSP-Discussion

[CISSP-D] JPEG/GDIplus vulnerability

Subject: [CISSP-D] JPEG/GDIplus vulnerability
Date: Sun, 26 Sep 2004 15:03:54 -0800
If you have not been living under a rock (in security terms), you will likely have heard something about the GDI+ vulnerability in the past few days. JPEGs and other files that may be handled in the same way are now potentially "dangerous" data files.

In 1994 a graphics file was spread via Usenet that contained oddities in the header, and at about the same time a virus warning hoax was created that warned of a viral JPEG file. Neither of these was, in fact, related to actual malicious software, but I did some study on the subject and found header structures in both formats that could, potentially, have been used as malware vectors, under certain conditions.

The specifics of the current JPEG/GDI+ vulnerability are very difficult to obtain, even when you have copies of the various "exploits" that have been released. However, it does seem to be simply your common or garden buffer overflow. As I write I am not aware of any specific exploits that have been released with the intent to use them maliciously. However, given the number of "exploit" samples that have been released I dare say that it will not be long before we see the real ones come out. It is unlikely that viruses will be created using this vulnerability, but it is quite probable that viruses will be created that carry graphics files (likely pornographic) that will use the vulnerability to open links to malware on Web sites, or simply open backdoors on machines for exploitation and amalgamation into botnets of various types.

Microsoft security bulletin MS04-028 (http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx) has some links that, if you manage to follow them all the way through, will lead you to a patch. The Windows and Office Update sites will also provide you with the patches, but not always easily. (For example, Windows Update seems to insist that you install SP2 first, although there is a way around this.) Affected systems use certain versions of the gdiplus.dll file. The most widespread of the affected versions of the file come with Microsoft Windows and Office, 2003 and XP versions. Other Microsoft (and other vendors') products also have vulnerable versions of the file.

The file is fairly ubiquitous. I've got eleven copies (and two compressed copies) of five different versions of gdiplus.dll on my machine. (Versions of it also exist with different file names.) The Microsoft site does provide details of which version numbers are vulnerable or not--but no information about file sizes or dates that might allow you to determine which versions are which. If you follow links through from that page there is also a "detection" tool--but it only tells you that you *are* vulnerable, rather than identifying specific instances.

SANS also has provided a scanning tool, at http://isc.sans.org/gdiscan.php. (Actually two, a GUI version and a command line version. The GUI version, as provided, seems to want a disk in drive F:, but if you tell it to continue seems to function.) This tool identifies which versions are vulnerable and which are not, and also scans other filenames which are, in fact, renamed copies of the gdiplus.dll file, such as:

C:\I386\ASMS\1000\MSFT\WINDOWS\GDIPLUS\GDIPLUS.DLL
   Version: 5.1.3097.0 <-- Vulnerable version
C:\Program Files\ArcSoft\Software Suite\PhotoImpression 5\Share\gdiplus.dll
   Version: 5.1.3097.0 <-- Vulnerable version
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL
   Version: 11.0.6360.0
C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
   Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\Program Files\Microsoft Office\OFFICE11\GDIPLUS.DLL
   Version: 6.0.3264.0

Banning JPEGs is unlikely to be effective as a security measure. Untrained users will probably not know how to turn off the relevant functions, or be willing to so "cripple" their Web browsing. In any case, graphics files of various types can be renamed, and Windows will still identify them from internal structures, and run them through GDI+. Using firewalls to block .jpeg, .jpg, and the various other normal file extensions would therefore also probably be ineffective in some cases.

Microsoft has provided some new patches (patches for Office and Windows apparently have to be installed separately), and others will possibly do so as well. It may be difficult to find the appropriate patches for all applications. One would assume that all versions of gdiplus.dll could simply be replaced by the latest (safe) version, but, knowing the industry, one would probably be wrong.

======================  (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca      slade@victoria.tc.ca      rslade@sun.soci.niu.edu
You have all the characteristics of a popular politician:
a horrible voice, bad breeding, and a vulgar manner.  - Aristophanes
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
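Two of the post's points lend themselves to a short illustration: that a renamed graphics file is still identified (and parsed) from its internal structure, so extension-based blocking misses it, and that the risk sits in malformed header structures feeding a buffer overflow. The example below is added here and is not code from the post, from SANS or from Microsoft; it identifies a JPEG by its SOI marker regardless of file name, then walks the marker segments and flags structurally malformed length fields (the generic sanity check a gateway or scanner would apply before handing a file to an image library). The sample byte strings are constructed for the example.

```python
import struct

EOI, SOS = 0xD9, 0xDA
# Markers with no length field: TEM, SOI, EOI and the RSTn restart markers
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


def looks_like_jpeg(data: bytes) -> bool:
    """Identify a JPEG by its SOI marker; the file name is irrelevant."""
    return data[:3] == b"\xff\xd8\xff"


def check_jpeg_segments(data: bytes) -> list:
    """Walk marker segments up to SOS and report structural oddities.

    Each non-standalone segment is 0xFF <marker> plus a big-endian 16-bit
    length that counts itself, so a length below 2, or one that runs past
    the end of the buffer, is malformed. An empty list means the header
    passed the sanity check.
    """
    if not looks_like_jpeg(data):
        return ["not a JPEG: missing SOI marker"]
    findings, pos = [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            findings.append(f"expected marker prefix at offset {pos}")
            break
        marker = data[pos + 1]
        if marker == 0xFF:            # fill bytes may precede a marker
            pos += 1
            continue
        if marker in STANDALONE:
            if marker == EOI:
                break
            pos += 2
            continue
        if pos + 4 > len(data):
            findings.append(f"truncated length field for marker 0x{marker:02X}")
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            findings.append(f"marker 0x{marker:02X} at offset {pos} has length {length} (< 2)")
            break
        if pos + 2 + length > len(data):
            findings.append(f"marker 0x{marker:02X} at offset {pos} runs past end of file")
            break
        if marker == SOS:             # entropy-coded data follows; header walk done
            break
        pos += 2 + length
    return findings


# Constructed samples: SOI, a 16-byte APP0 (JFIF) segment, a 5-byte COM segment, EOI
GOOD_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             b"\xff\xfe\x00\x05abc\xff\xd9")
BAD_LENGTH = b"\xff\xd8\xff\xfe\x00\x01\xff\xd9"   # COM segment claiming length 1
FAKE_JPG = b"MZ\x90\x00 not an image, whatever the name says"
```

Run against a file named photo.jpg holding FAKE_JPG, the sniff says "not a JPEG", and the same bytes as GOOD_JPEG named holiday.txt are still recognised and parsed, which is why the post expects extension filters to fail.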




  • [CISSP-D] JPEG/GDIplus vulnerability, Rob, grandpa of Ryan, Trevor, Devon & Hannah <=