Network Security NTBugtraq

[Vmyths.com ALERT] Hysteria predicted for 'JPEG Processor' vulnerability

Subject: [Vmyths.com ALERT] Hysteria predicted for 'JPEG Processor' vulnerability
Date: Wed, 15 Sep 2004 12:27:01 -0500
Vmyths.com Virus Hysteria Alert
Truth About Computer Security Hysteria
{15 September 2004, 01:55 CT}

CATEGORIES: (1) Misconceptions about a real computer security threat
            (2) A historical perspective on recent hysteria

Microsoft has issued a "critical" alert regarding a "buffer overrun" in 
software it uses to display JPEG images.  In theory, if you try to view a 
specially crafted JPEG file, it could take over your computer and do whatever 
it wishes.  Microsoft has released a security patch to fix this buffer overrun.
Vmyths urges you to download the patch, install it, and get on with your life.

   Buffer Overrun in JPEG Processing Could Allow Code Execution:
      http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

Vmyths believes media outlets will POUNCE on this story, because (a) Microsoft 
announced a "critical" vulnerability in the way its software reads a 
ubiquitous file type, and (b) computer emergency response teams have issued 
their own alerts.  Watch for breathless speculation and hysteria in the coming 
days.  Some naïve system administrators may tell reporters they'll delete JPEG 
files from emails and refuse to let web browsers display JPEG files, "strictly 
as a precaution."  (We don't expect anyone will implement this Draconian 
measure for very long.  We believe too many users will clamor against it.)

   Remember this when virus hysteria strikes:
      http://Vmyths.com/resource.cfm?id=31&page=1

Microsoft's "JPEG Processor" vulnerability manifests itself as a buffer overrun 
in a piece of software.  It is NOT caused by the JPEG file format itself.  
Buffer overruns are extremely common: you'll find them in almost every large 
software application (even antivirus software).  They can create situations 
where even a filename itself can wreak havoc.  By definition, every buffer 
overrun will eventually join its brothers in the land of obscurity.

   Buffer overruns in antivirus software:
      http://zdnet.com.com/2100-11-515441.html

The "Code Red" worms successfully exploited a buffer overrun in 2001, and 
Vmyths believes some reporters will allude to this -- as if to imply a horrific 
JPEG attack may be just around the corner.  Buffer overruns are extremely 
common, yet they only rarely ever get exploited.  Researcher Georgi Guninski, 
for example, publishes "proof of concept" exploits for many of the "critical" 
buffer overruns he finds.  Guninski's exploits have never made a splash despite 
his best efforts.


A little history -- this isn't the first time an image file format has come 
under fire.  An April Fool's joke targeted JPEG files a decade ago:

   1994 April Fool "JPEG virus" alert:
      http://www.2meta.com/april-fools/1994/JPEG-Virus.html

In 2001, researchers claimed a specially crafted GIF file could be used to 
cause a buffer overrun in Microsoft Outlook.  It was purely a coincidence that 
a GIF file could exploit this threat.

In 2002, the "Perrun" virus added software to the computers it infected, then 
it modified the Windows registry so future viruses could "ride" inside a JPEG 
file.  The virus writer could have chosen to do the same thing with GIF files 
or even TEXT files.  Antivirus vendor Sophos urged restraint over the Perrun 
virus, saying "some anti-virus vendors may be tempted to predict the end of the 
world as we know it, or warn of an impending era when all graphic files should 
be treated with suspicion.  Such experts should be ashamed of themselves."

   McAfee gets slapped in 2002 for "JPEG virus" alert:
      http://www.sophos.com/virusinfo/articles/perrun.html


Vmyths suspects a hoax virus alert will arise with instructions to delete the 
JPEG registered file type in Windows.  (It's practically a self-fulfilling 
prophecy.)  Such a hoax will play on the user's misconception of the threat.  
Don't take unsolicited advice from people who are NOT experts.  Users will 
self-damage their operating systems if they delete the JPEG registered file 
type.

   False Authority Syndrome
      http://Vmyths.com/fas/fas1.cfm

Stay calm.  Stay reasoned.  And stay tuned to Vmyths.

Rob Rosenberger, editor
http://Vmyths.com
Rob@Vmyths.com
(319) 646-2800

Acknowledgements:
   Phone call from Kevin Poulsen, SecurityFocus

--------------- Useful links ------------------

Common clichés in the antivirus world
http://Vmyths.com/resource.cfm?id=22&page=1
