
| Subject: | Re: [Vmyths.com ALERT] Hysteria predicted for 'JPEG Processor' vulne |
|---|---|
| Date: | Thu, 16 Sep 2004 13:27:38 -0400 |
While I applaud your efforts at encouraging everyone to remain calm regarding the GDI+ vulnerability, and I am especially thankful that you clarified that the problem is with GDI+ and _not_ with JPEG, I have problems with one of your suggestions:
"Vmyths urges you to download the patch, install it, and get on with your life."
The problem is that there is no single patch for this vulnerability. That makes it difficult for companies to implement the patch and audit for compliance (not to mention the home user). That in turn makes this vulnerability potentially valuable as an attack vector. It may not even make a huge splash at the onset, but it could be around for a while, and a malicious user could see that as an opportunity.
So, while the sky isn't falling, I think Microsoft did a poor job on the release of this security bulletin. I think they need to do the following to correct this:
*There needs to be a Microsoft tool that really detects and reports on the presence of the vulnerability, the vulnerable application when it can, and the path to the DLL in third party application program folders when it can't (it would be nice if it could run remotely and from a command line, but even an interactive version would be helpful)
*Microsoft should release a single patch that corrects all vulnerable Microsoft applications at once (and it should not be buried in service packs that require additional testing before deployment)
*A knowledge base article should also be set up to list third party applications that are independently susceptible to this problem with links to the vendor's site for a patch or corrected version of the application. (The web page for this article should be referenced by the detection tool if it finds third party vulnerable applications)
As this is a critical vulnerability, and Microsoft deems it as such, they need to invest the resources in making it as easy as possible to correct the issue upfront. Otherwise we could end up with another SQL Slammer.
Sincerely, Mike Hays CISSP cpunews@hotmail.com
----- NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field. -----
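The detection tool the poster asks for (find every copy of the GDI+ DLL, including the ones installers drop into third party program folders, and report path and version) can be approximated with an inventory script. The following is an added example, not code from the original post, from Microsoft, or from the NTBugtraq list. It walks a directory tree for gdiplus.dll, reads the file version from the VS_FIXEDFILEINFO block that PE files embed in their version resource (located by its 0xFEEF04BD signature rather than by walking the resource directory), and flags copies older than a threshold. The threshold, the sample directory layout and the stand-in DLL contents are all constructed for the demo; the real fixed version must be taken from the vendor bulletin for the DLL being audited.

```python
"""Inventory copies of a DLL (gdiplus.dll by default) under a directory tree
and report each copy's path, embedded file version and patch status.

Added example, not the original post's or Microsoft's code. The file version
is read from VS_FIXEDFILEINFO: dwSignature (0xFEEF04BD), dwStrucVersion,
dwFileVersionMS, dwFileVersionLS, all little-endian DWORDs. FIXED_VERSION
below is a placeholder assumption, not the real MS04-028 version.
"""
import os
import struct
import tempfile
from typing import Iterator, List, Optional, Tuple

Version = Tuple[int, int, int, int]

VS_FFI_SIGNATURE = 0xFEEF04BD

# Assumption for the demo only: replace with the fixed version from the bulletin.
FIXED_VERSION: Version = (1, 0, 2000, 0)


def parse_file_version(data: bytes) -> Optional[Version]:
    """Return the (major, minor, build, revision) file version of a PE image,
    or None when no VS_FIXEDFILEINFO block is present."""
    off = data.find(struct.pack("<I", VS_FFI_SIGNATURE))
    if off == -1 or off + 16 > len(data):
        return None
    _sig, _struc_ver, ms, ls = struct.unpack_from("<4I", data, off)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def find_dll_copies(root: str, dll_name: str = "gdiplus.dll") -> Iterator[str]:
    """Yield every file under root named dll_name. The match is case-insensitive
    because NTFS is, and installers vary the casing (GdiPlus.dll, GDIPLUS.DLL)."""
    wanted = dll_name.lower()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == wanted:
                yield os.path.join(dirpath, name)


def audit(root: str, fixed_version: Version,
          dll_name: str = "gdiplus.dll") -> List[Tuple[str, Optional[Version], str]]:
    """Return (path, version, status) per copy found. status is 'vulnerable' when
    the version is older than fixed_version, 'patched' when it is at or above it,
    and 'unknown' when no version block could be read (report these too; an
    unreadable copy still needs a human to look at it)."""
    results = []
    for path in find_dll_copies(root, dll_name):
        with open(path, "rb") as fh:
            version = parse_file_version(fh.read())
        if version is None:
            status = "unknown"
        elif version < fixed_version:          # tuple comparison is field by field
            status = "vulnerable"
        else:
            status = "patched"
        results.append((path, version, status))
    return results


def build_fake_dll(version: Version) -> bytes:
    """Constructed stand-in for a PE file: an MZ stub followed by a minimal
    VS_FIXEDFILEINFO block. Real DLLs carry the same block in .rsrc."""
    major, minor, build, rev = version
    ms = (major << 16) | minor
    ls = (build << 16) | rev
    return (b"MZ" + b"\x00" * 62
            + struct.pack("<4I", VS_FFI_SIGNATURE, 0x00010000, ms, ls)
            + b"\x00" * 36)


def demo() -> List[Tuple[str, Optional[Version], str]]:
    """Build a constructed directory tree with four gdiplus.dll copies (one below
    the threshold, one at it, one above it, one with no version info) and audit it."""
    tmp = tempfile.mkdtemp(prefix="gdiplus-audit-")
    samples = {
        os.path.join(tmp, "Program Files", "App A"): ("gdiplus.dll", (1, 0, 1999, 5)),
        os.path.join(tmp, "Program Files", "App B", "bin"): ("GdiPlus.dll", (1, 0, 2000, 0)),
        os.path.join(tmp, "Windows", "system32"): ("gdiplus.dll", (1, 0, 2001, 3)),
        os.path.join(tmp, "Program Files", "App C"): ("GDIPLUS.DLL", None),
    }
    for directory, (name, version) in samples.items():
        os.makedirs(directory, exist_ok=True)
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(build_fake_dll(version) if version else b"MZ" + b"\x00" * 100)
    return audit(tmp, FIXED_VERSION)


if __name__ == "__main__":
    for path, version, status in demo():
        shown = ".".join(map(str, version)) if version else "n/a"
        print(f"{status:<10} {shown:<16} {path}")
```

Run it against a real root (for example `audit(r"C:\", fixed_version)` with the bulletin's version) to get the per-path report the poster wanted; the "unknown" status is deliberate so that a copy whose version cannot be read is listed rather than silently treated as safe.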