
Re: [Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #1933 - 20 msgs

Subject: Re: [Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #1933 - 20 msgs
Date: Tue, 28 Sep 2004 13:05:45 -0400
milw0rm Inc. wrote:

JPEG GDI problem,

Isn't this problem only capable of running if the jpeg was opened via
the users actions?

Is it possible that webpages could be affected with jpegs with
internet explorer viewing them?  I wouldn't think so since what I have
read from multiple people's articles is that it isn't this kind of bug.

Info needed.

Regards,
str0ke




Here's my understanding of it:

The bug can be exploited whenever an application relies on a vulnerable version of gdiplus.dll to render jpeg image files onscreen (or, I suppose, in any other way that gdiplus.dll can be used to process jpegs - I'm not familiar with the GDI+ interface).

That includes IE, Office applications, or anything that relies on a vulnerable gdiplus.dll file.

What are the ramifications of this?

I think that the predictions of worms based on this are a bit far-fetched. Would it be possible to create a jpeg that would copy itself to other drives on a shared network in an auto-executable position? I suppose so... however, it would be noisy and probably wouldn't be amazingly successful. Having a worm installer within a jpeg is plausible, though.

I'd consider the following scenarios to be plausible:

- JPEG in nefarious web page includes malicious code.
- JPEG in SPAM includes malicious code.
- JPEG in mass-mailer worm includes malicious code.
- JPEG in ad pop-up/sidebar includes adware/spyware installer. (malicious)
- Mass-mailer worm includes an attachment for a known vulnerable third-party program that triggers the GDI+ vuln. (How successful this might be would depend on the application being attacked.)
- Download.Jecht style mass-compromise of websites to embed malicious code inside of JPEGs.


Those are the most plausible scenarios I can think up for this. Anything else is unlikely in my thoughts.

                  -Barry




_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
