Microsoft published a patch for a major security flaw in its software’s handling of the JPEG graphics format and urged customers to use a new tool to locate the many applications that are vulnerable. Users who have installed SP2 are not vulnerable to the flaw.
How can anyone possibly feel safe on a Windows PC these days? This is the most ridiculous thing I’ve heard in a long time. Simply viewing a JPEG, one of the most common image formats known to man, is now dangerous. What’s next, a virus that any Windows user will automatically get if logging in while on a LAN? Honestly. Maybe Microsoft should put a little less cash in marketing and the R&D for the toilet PC and start doing a little *gasp* quality control?
Just viewing a damn jpeg can get you now? Wow.
How do Mozilla-based browsers handle JPEGs? Does anyone know if they are vulnerable?
I don’t need something too in-depth, but could someone just briefly explain how code could execute from reading an image file. This also applies to the PNG bug they mention which affected Linux, Windows, OS X…
I don’t know much about these files, so I make few assumptions.
1. These files don’t include any ‘code’ that would normally be executed. They’re graphic files; they have to be portable.
2. Is it similar to a buffer overflow type thing, where there is a wrong length index somewhere, which causes the buffer to overflow. When the exception is raised, the pc address is somewhere in the jpeg file?
Thanks
I have the feeling Firefox is not vulnerable. It’s just a hunch though, as I have had Firefox ‘reject’ certain images on sites. It does not display them. I’ve been told it’s because these JPEGs are badly formed. IE displays them fine, which makes me guess that Firefox is doing some extra checking for the validity of the JPEG.
“Just viewing a damn jpeg can get you now? Wow.”
Seems like it’s really hard to write a secure image library these days. This isn’t the first story about the potential for maliciously crafted image files to become security risks.
The open source libpng, libjpeg, and I believe libtiff have had similar problems.
Why is this the case, that image libraries have so many serious security flaws? Is it due to overzealous optimizations that overlook security or the increased usage of loops and array-based buffers in the source code?
In the article, it states that XP service pack 2 is not vulnerable. This suggests that the issue has been addressed, at least for the XP users. Is it not reasonable that MS ask XP users to install SP2?
Having said that, MS should release a fix for pre-XP OSes. The way this was announced almost makes it seem like an attempt by MS to use SP2 to sell XP. I can almost hear them saying, ‘If you had listened to us and upgraded to XP, you would be safe now.’ I just install Firefox to feel safe; this may not be perfect but it works in this case.
The trouble is that SP2 breaks things, hardly an encouragement to install it.
I’d guess that the buffer overflow protection in SP2 stops this, though that’s hiding the problem rather than fixing it. (There is still a buffer overflow…)
Also, the article says…
“Windows XP Service Pack 2 (SP2) is not affected by this issue. Windows XP SP2 users only need to update Office (if installed).”
So why do you need to download a patched version of Office if SP2 is unaffected?
I think by XP SP2, they’re talking about everything in the ‘OS’ itself. This includes IE. These all include the fix.
Office is still its own application and may not use the same image processing libs as the rest of XP. So it would need its own fix. Similarly, any application would.
Windows XP, service pack 2 is not vulnerable, but if you run any of the other affected Microsoft packages, you would be. Firefox is likely not vulnerable, but one can’t say for sure based on the information given out. The Microsoft bulletin can be found here:
http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
A big concern is that one does not know the status of Windows 2000, IE 5.x, Office 2000, or any of the earlier versions of the many programs listed. One can take steps to minimize exposure, however: the most likely attack vector would be via the Web and via e-mail. Use something other than Internet Explorer, Outlook, or Outlook Express for your Internet needs. Be very careful opening Word, Excel, or PowerPoint files e-mailed to you in Microsoft Office. Use OpenOffice or WordPerfect instead.
Finally, this one is a real mess. It affects multiple programs, and Microsoft has no centralized method of pushing out security updates and bug fixes. This one will be troubling us for years.
“So why do you need to download a patched version of Office if SP2 is unaffected?”
Presumably because the same code is duplicated in Office.
As best I understand it, this is what happens:
When loading or processing the data, the program writes to a memory location outside of where it’s supposed to. This interferes with a known chunk of memory in the program (a stack part, not heap). The changes made to the program’s stack cause it to exhibit totally different behavior.
I’m sure I butchered that, so maybe someone else can explain it better.
I consider vulnerabilities like these symptomatic of problems with the x86 and older CPU architectures and their lack of granular (i.e. per page) access controls on various operations. All of these vulnerabilities stem from the fact that the pages the stack and heap are stored in are executable.
Both Opteron and Prescott P4s/Nocona Xeons now implement the AMD64 instruction set, which contains an “NX bit” which will ensure the CPU’s instruction pointer cannot point within these pages unless the program has explicitly allowed it (e.g. for JIT compilers).
Actually, many earlier Windows vulns are exactly like that; you can be compromised simply by connecting an unpatched Windows PC to the Internet and performing absolutely no action. Although, to be fair, this would apply to other OSes too – if you installed a year-old Linux system on a box and did nothing at all it could probably be compromised too. This has been tested several times in the past just by connecting unpatched boxes to the Internet unprotected and monitoring malicious activity; I believe in one study the machines (Windows 2000 boxes, I think) were compromised, on average, in 20-30 minutes.
That’s what I put it down to.
Have they never heard of std::vector?
And don’t try to tell me that it isn’t fast enough. CPUs are rarely the bottleneck these days. I underclocked mine from 2.4GHz to 1.5GHz and noticed little difference.
Any possible speed improvement by using raw arrays and char*’s is far outweighed by the security risks.
The same applies for segfaults. It’s not too hard to wrap them in safe classes, and if you must pass them around is it too much to ask to check for null?
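The overflow explanation a few posts up (a length taken from the file, then a write outside the intended region) and the std::vector remark here come down to the same thing: a length read from the image is trusted before it is checked. The following is an added example, not code from the thread, from Microsoft, or from libjpeg. It is a small C++ walker over JPEG marker segments that rejects any declared length that is below the 2-byte minimum or runs past the end of the file, and uses vector::at() so that an out-of-range index raises an exception instead of touching memory. It assumes only the standard marker layout (0xFF, a marker byte, then a 2-byte big-endian length that counts itself); the sample byte strings are constructed for the example, and naive_copy_would_overflow only reports what an unchecked copy would have done rather than performing one.

```cpp
#include <cstddef>
#include <cstdint>
#include <exception>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// A JPEG file is a chain of marker segments: the byte 0xFF, a marker byte,
// and for most markers a 2-byte big-endian length that counts itself, so a
// legal length is never below 2.  A decoder walks these headers before it
// ever reaches pixel data, which is why a bad length field is reachable just
// by "viewing" a file.

struct Segment {
    uint8_t marker;       // second byte of the marker, e.g. 0xFE for a comment
    size_t  payload_off;  // offset of the first payload byte in the file
    size_t  payload_len;  // declared length minus the 2 length bytes
};

// Hardened walk: every declared length is checked against the minimum and
// against the bytes actually present.  vector::at() throws on a bad index,
// so the worst a malformed file can do here is raise an exception.
std::vector<Segment> walk_segments(const std::vector<uint8_t>& img) {
    std::vector<Segment> out;
    if (img.size() < 2 || img.at(0) != 0xFF || img.at(1) != 0xD8)
        throw std::runtime_error("missing SOI marker");
    size_t pos = 2;
    while (pos + 2 <= img.size()) {
        if (img.at(pos) != 0xFF) throw std::runtime_error("expected 0xFF before marker");
        uint8_t marker = img.at(pos + 1);
        if (marker == 0xD9) return out;                      // EOI: end of image
        if (pos + 4 > img.size()) throw std::runtime_error("truncated segment header");
        size_t len = (size_t(img.at(pos + 2)) << 8) | img.at(pos + 3);
        if (len < 2) throw std::runtime_error("segment length below the minimum of 2");
        if (len - 2 > img.size() - (pos + 4)) throw std::runtime_error("segment length exceeds file");
        out.push_back({marker, pos + 4, len - 2});
        if (marker == 0xDA) return out;                      // SOS: entropy-coded data follows
        pos += 2 + len;
    }
    throw std::runtime_error("file ends without EOI");
}

// The unsafe pattern the thread describes: subtract 2 from the declared length
// with no minimum check and copy that many bytes into a fixed buffer.  Lengths
// 0 and 1 wrap around to a huge unsigned value, and anything larger than the
// buffer writes past it.  This function only reports what such a copy would
// do; it performs no copy.
bool naive_copy_would_overflow(size_t declared_len, size_t buf_size) {
    size_t payload = declared_len - 2;   // wraps when declared_len < 2
    return payload > buf_size;
}

// Return the first comment segment as text, using only validated offsets.
std::string extract_comment(const std::vector<uint8_t>& img) {
    for (const Segment& s : walk_segments(img))
        if (s.marker == 0xFE)
            return std::string(img.begin() + s.payload_off,
                               img.begin() + s.payload_off + s.payload_len);
    return "";
}

// Accept/reject wrapper for callers that do not care why a file was rejected.
bool is_well_formed(const std::vector<uint8_t>& img) {
    try { walk_segments(img); return true; }
    catch (const std::exception&) { return false; }
}

// Constructed sample inputs, not real files: a minimal valid header chain, one
// whose comment length is below 2, and one whose comment claims more bytes
// than the file holds.
std::vector<uint8_t> constructed_good() {
    return {0xFF, 0xD8,                                          // SOI
            0xFF, 0xE0, 0x00, 0x04, 0x4A, 0x46,                  // APP0, 2 payload bytes
            0xFF, 0xFE, 0x00, 0x07, 'h', 'e', 'l', 'l', 'o',     // COM "hello"
            0xFF, 0xDA, 0x00, 0x02,                              // SOS, empty
            0xFF, 0xD9};                                         // EOI
}
std::vector<uint8_t> constructed_underflow() {
    return {0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x01, 0xFF, 0xD9};
}
std::vector<uint8_t> constructed_truncated() {
    return {0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x10, 'a', 'b'};
}

int main() {
    std::cout << "good: " << is_well_formed(constructed_good())
              << " comment=\"" << extract_comment(constructed_good()) << "\"\n";
    std::cout << "underflow: " << is_well_formed(constructed_underflow()) << "\n";
    std::cout << "truncated: " << is_well_formed(constructed_truncated()) << "\n";
    std::cout << "naive copy of length 0 into 256 bytes overflows: "
              << naive_copy_would_overflow(0, 256) << "\n";
    return 0;
}
```

The two checks in walk_segments are the whole point: `len < 2` catches the underflow that turns a 2-byte subtraction into an enormous copy, and the comparison against the remaining file size catches a length that is merely larger than what follows. Everything after that can index with confidence, and the container's own bounds checking is the backstop if a later edit gets the arithmetic wrong.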
I worked for two different corporations in 2001 and they both had problems with such viruses… I get about 1000 requests to ports 135, 139 and 445 on my Linux firewall per day.
A year-old Linux system could be compromised, but not just by connecting it to a network like a Windows machine. To my knowledge, there are not thousands of Linux worms scouring the net in search of a potential victim.
Linux has its own graphics-related problems. OS X, for that matter. This is old news.
http://news.com.com/Image+flaw+pierces+PC+security/2100-1002_3-5298…
With regard to the side-track of even turning on your computer while it is connected to the Internet.
To this day, if you set up a new Windows XP SP1 on a new system that is connected directly to the Internet via LAN, it will more than likely be infected with a variation of the infamous Blaster worm before you can even boot, pop in a CD with a firewall on it, and install it. I’ve had to keep patches on a separate CD and not connect the computer to the Internet until I have all patches, a firewall, and antivirus installed on the system.
After the BMP vulnerability not long ago… I can’t be too surprised about JPG, but it’s disturbing.
“Linux has its’ own graphic related problems. OS X for that matter. This is old news.”
Watch out! Here come the rationalizations.
“Is it not reasonable that MS ask XP users to install SP2?”
Is it reasonable for MS to release a service pack that they *know* will break a lot of compatibilities? A service pack that they *tell* people will break compatibilities?
So imagine that you’re IT staff for a large deployment of XP workstations, with multiple software packages on them. What do you tell the workers to do?
What if your workers interact with several on-line databases that will only work with IE?
(Frankly, the amount of cruft in IE and XP is probably the best thing that ever happened for Linux and Mac OS X. And this is what part of their next wave of marketing needs to focus on.)
“Users who have installed SP2 are not vulnerable to the flaw”
SP2 of what? XP, 2000, 98, ME, Office, Visual Studio…? Or is there just one SP2 for all Microsoft products?
XP, nothing else.
The JPEG patch is separate.
A detailed list of affected products can be found here:
http://www.heise.de/newsticker/meldung/51070
“I consider vulnerabilities like these symptomatic of problems with the x86 and older CPU architectures and their lack of granular (i.e. per page) access controls on various operations. All of these vulnerabilities stem from the fact that the pages the stack and heap are stored in are executable.”
No. It might be an oversight in the architecture not to have a page executable bit, but it’s perfectly possible to place stack and heap pages in a non-executable segment. Fact of the matter is that practically every x86 OS ignores this mechanism because it breaks current C compilers and is slightly more resource intensive. The compiler/OS developers have to take some of the blame here for deliberately not using the protection mechanisms the CPU provides.
If you could make a trip 5% faster by not wearing your seatbelt, and you choose to take that 5%, then is it really the car manufacturer’s fault if you don’t wear it even though one is provided? No, it isn’t.
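The NX-bit post and this reply are both about one question: do the stack pages of a running program end up executable or not? On Linux/ELF that request is recorded in the binary itself, as a PT_GNU_STACK program header whose flags the loader honours. The following is an added example, not code from the thread: a small C++ checker that reads the program headers of a little-endian ELF64 image and reports what the binary asks for. It assumes the standard ELF64 header layout and the PT_GNU_STACK and PF_X constants from the ELF specification and GNU extension; the images it inspects are constructed inside the code and are not loadable binaries. A missing PT_GNU_STACK entry is reported as Unspecified rather than assumed safe, since what the loader does then depends on the platform.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

// ELF constants assumed from the ELF specification and the GNU extension
// (not taken from the thread).
constexpr uint32_t PT_GNU_STACK = 0x6474e551;  // program header carrying the stack flags
constexpr uint32_t PF_X = 0x1;                 // "execute" permission bit

enum class StackPolicy { NonExecutable, Executable, Unspecified, Invalid };

// Bounds-checked little-endian readers; each refuses to read past the buffer.
static bool rd16(const std::vector<uint8_t>& b, size_t off, uint16_t& v) {
    if (off + 2 > b.size()) return false;
    v = uint16_t(b[off] | (uint16_t(b[off + 1]) << 8));
    return true;
}
static bool rd32(const std::vector<uint8_t>& b, size_t off, uint32_t& v) {
    if (off + 4 > b.size()) return false;
    v = 0;
    for (int i = 3; i >= 0; --i) v = (v << 8) | b[off + i];
    return true;
}
static bool rd64(const std::vector<uint8_t>& b, size_t off, uint64_t& v) {
    if (off + 8 > b.size()) return false;
    v = 0;
    for (int i = 7; i >= 0; --i) v = (v << 8) | b[off + i];
    return true;
}

// Walk the program headers of a little-endian ELF64 image and report what it
// asks the loader to do with its stack pages.  A missing PT_GNU_STACK entry is
// reported as Unspecified rather than assumed safe, because the loader's
// default in that case depends on the platform.
StackPolicy stack_policy(const std::vector<uint8_t>& elf) {
    if (elf.size() < 64 || elf[0] != 0x7F || elf[1] != 'E' || elf[2] != 'L' || elf[3] != 'F')
        return StackPolicy::Invalid;
    if (elf[4] != 2 || elf[5] != 1) return StackPolicy::Invalid;   // ELFCLASS64, little-endian only
    uint64_t phoff = 0; uint16_t phentsize = 0, phnum = 0;
    if (!rd64(elf, 32, phoff) || !rd16(elf, 54, phentsize) || !rd16(elf, 56, phnum))
        return StackPolicy::Invalid;
    if (phentsize < 56 || phoff > elf.size()) return StackPolicy::Invalid;
    for (uint16_t i = 0; i < phnum; ++i) {
        size_t base = size_t(phoff) + size_t(i) * phentsize;
        uint32_t type = 0, flags = 0;
        if (!rd32(elf, base, type) || !rd32(elf, base + 4, flags)) return StackPolicy::Invalid;
        if (type == PT_GNU_STACK)
            return (flags & PF_X) ? StackPolicy::Executable : StackPolicy::NonExecutable;
    }
    return StackPolicy::Unspecified;
}

// Writers used only to build the constructed test images.
static void wr16(std::vector<uint8_t>& b, size_t off, uint16_t v) {
    b[off] = uint8_t(v); b[off + 1] = uint8_t(v >> 8);
}
static void wr32(std::vector<uint8_t>& b, size_t off, uint32_t v) {
    for (int i = 0; i < 4; ++i) b[off + i] = uint8_t(v >> (8 * i));
}
static void wr64(std::vector<uint8_t>& b, size_t off, uint64_t v) {
    for (int i = 0; i < 8; ++i) b[off + i] = uint8_t(v >> (8 * i));
}

// A constructed ELF64 header plus one optional program header; it is not a
// loadable binary, just enough structure for stack_policy() to inspect.
std::vector<uint8_t> constructed_elf(bool with_gnu_stack, uint32_t flags) {
    std::vector<uint8_t> b(64 + 56, 0);
    b[0] = 0x7F; b[1] = 'E'; b[2] = 'L'; b[3] = 'F';
    b[4] = 2; b[5] = 1; b[6] = 1;              // 64-bit, little-endian, version 1
    wr64(b, 32, 64);                           // e_phoff: table follows the header
    wr16(b, 52, 64);                           // e_ehsize
    wr16(b, 54, 56);                           // e_phentsize
    wr16(b, 56, with_gnu_stack ? 1 : 0);       // e_phnum
    if (with_gnu_stack) { wr32(b, 64, PT_GNU_STACK); wr32(b, 68, flags); }
    return b;
}

int main() {
    auto show = [](const char* what, StackPolicy p) {
        // 0 NonExecutable, 1 Executable, 2 Unspecified, 3 Invalid
        std::cout << what << ": " << int(p) << "\n";
    };
    show("PF_R|PF_W", stack_policy(constructed_elf(true, 0x6)));
    show("PF_R|PF_W|PF_X", stack_policy(constructed_elf(true, 0x7)));
    show("no PT_GNU_STACK", stack_policy(constructed_elf(false, 0)));
    show("not an ELF", stack_policy(std::vector<uint8_t>{}));
    return 0;
}
```

To inspect a real binary, read its bytes into a vector and pass them to stack_policy(); `readelf -l` prints the same GNU_STACK line with its RW or RWE flags, which is a quick way to confirm that a toolchain is actually asking for the protection the CPU offers.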
“To this day, if you set up a new Windows XP SP1 on a new system that is connected directly to the Internet via LAN, it will more than likely be infected with a variation of the infamous Blaster worm before you can even boot, pop in a CD with a firewall on it, and install it. I’ve had to keep patches on a separate CD and not connect the computer to the Internet until I have all patches, a firewall, and antivirus installed on the system.”
Windows XP has had a firewall since day one. “Pop in a CD with a firewall on it” is not needed. It was not turned on by default, is all.
All you have to do is turn it on.
When Mac OS X shipped originally, its firewall was not on by default either.
Neither Windows nor the Mac OS even had firewalls as part of the OS before that.
“The trouble is that SP2 breaks things, hardly an encouragement to install it.”
XP breaks a few things. I have installed it on 3 home PCs with no problem and 275 Windows systems at work and it has worked flawlessly. It all depends on what apps you use. I feel that some of these “warnings” are somewhat overzealous. I know more business owners and users that have upgraded to SP2 with no problems than those that have problems.
The Raven:
“Linux has its’ own graphic related problems. OS X for that matter. This is old news.”
Watch out! Here come the rationalizations.
Me:
Is an irrational conversation a better alternative?
But since SP2 does not work with the firewall and antivirus software we have here at work, I can’t install it. The risk of being Internet-connected without a good firewall when you run Windows is simply too large compared to this currently unexploited hole.
“Have they never heard of std::vector?
And don’t try to tell me that it isn’t fast enough. CPUs are rarely the bottleneck these days. I underclocked mine from 2.4GHz to 1.5GHz and noticed little difference.
Any possible speed improvement by using raw arrays and char*’s is far outweighed by the security risks.
The same applies for segfaults. It’s not too hard to wrap them in safe classes, and if you must pass them around is it too much to ask to check for null?”
For most cases, you would be right. However, things like libpng and libjpeg are written in C and not C++ (for good reason) and have been around for ages – way before the “performance is not an issue” mindset.
Microsoft has known of this exploit for some time and chose now to release their standard “well timed” alert so that users will be more likely to install SP2, that is to say… the users who don’t know any better.
By the way, if you think you may be “one of these users”, you should know that Microsoft patches open more holes than they fix.
So, either hide behind a good firewall and never use any Microsoft mail clients, instant messengers, web browsers, networking or Internet clients of any kind, or…
Install BSD, Linux, OSX, or whatever UNIX flavor you want…
“For most cases, you would be right. However, things like libpng and libjpeg are written in C and not C++ (for good reason) and have been around for ages – way before the ‘performance is not an issue’ mindset.”
I thought someone might say this. It would seem that C is destined to be insecure. The only valid reason I can think of is that they might be used in places where libstdc++ isn’t available. I don’t see why they shouldn’t be (re)written using C++ though (just using char* instead of std::string if required). I would do that if I had the time (how big is libjpg?).
“The only valid reason I can think of is that they might be used in places where libstdc++ isn’t available. I don’t see why they shouldn’t be (re)written using C++ though (just using char* instead of std::string if required). I would do that if I had the time (how big is libjpg?).”
Rewriting, in any language, will introduce new bugs. Perhaps it will get rid of a buffer overflow exploit which had gone unnoticed for a long time, but the functionality of the numerous libraries out there has been time-tested.