MS04-028 Flaw could lead to .JPG viruses!

  • Kevin P
    Member
    • Aug 2000
    • 10809

    MS04-028 Flaw could lead to .JPG viruses!

    Microsoft Security Bulletin MS04-028

    Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)

    Proof of concept code has been published. This means that someone with malicious intent will likely use it to create a virus or worm that spreads via .JPG files, probably within the next couple of weeks.

    Many newer versions of Microsoft products are affected: Internet Explorer 6, Windows XP, XP SP1, Windows Server 2003, Office XP and its associated products (Word 2002, Outlook 2002, etc.), Office 2003 and its associated products (Word 2003, etc.), Project 2002/2003, Visio 2002/2003, most newer .NET products, Picture It! 7.0, Greetings 2002, and many more. Read the linked article above for a complete list.

    Most older MS operating systems and products aren't affected, including Windows 2000 and Office 2000.

    Windows XP with Service Pack 2 isn't affected.

    Everyone is urged to run Windows Update as soon as practical. A GDI+ detection tool is available on Windows Update which will tell you if you have any vulnerable products on your system.

    Also, make sure to be running an anti-virus program and keep it up to date. If my prediction comes true, I expect a virus spreading via .JPGs will spread fast and far.
  • Lex
    Moderator Emeritus
    • Apr 2001
    • 27461

    #2
    Holy Pixel Pirating Batman, this sounds frightful. The one thing you could always count on was that graphics files were clean. Oh sh..

    Would that mean you could get the virus from any jpg that you automatically open on a web site? That's a scary thought that it would automatically be launched in your temporary internet files. :E

    Lex
    Doug
    "I'm out there Jerry, and I'm loving every minute of it!" - Kramer


    • Kevin P
      Member
      • Aug 2000
      • 10809

      #3
      Well, legit clean JPGs would still be fine. It's just that someone can use this exploit to embed executable code into a malformed JPG, and mass mail it to a bunch of people, or toss it up on a website and point links to it, and people would get infected by attempting to view or open the image.

      It is scary, which is why I posted this before a virus gets released. If your system is patched, or doesn't contain the vulnerable DLL, you'll be safe even if you do receive an infected jpg.


      • Kevin P
        Member
        • Aug 2000
        • 10809

        #4
        Looks like the first malicious exploit for this vulnerability has been discovered: Slashdot article. Note that their use of "jpeg virus" is a misnomer since it doesn't spread, so it's more of a "jpeg trojan". If successful it installs remote-admin tools on the infected box.

        I predict we'll see a mass mailer virus within a week, if not sooner. 8O


        • Gordon Moore
          Moderator Emeritus
          • Feb 2002
          • 3188

          #5
          The GDI tool on Windows update is only accurate for Win2K and up (XP etc...).

          It will not work for WinNT and others...

          Go here to get an updated tool:

          SANS.edu Internet Storm Center
          Sell crazy someplace else, we're all stocked up here.


          • Kevin P
            Member
            • Aug 2000
            • 10809

            #6
            This tool, provided by SANS, will scan your system for vulnerable GDI+ DLLs. Since some 3rd-party apps can install vulnerable versions of GDI+, the MS scan tool provided in Windows Update isn't always adequate. Also, installing applications later on can cause vulnerable DLLs to be reinstalled. This tool will check for these DLLs. (I see Gordon posted this link already, I'm just including it here for completeness):

            SANS.edu Internet Storm Center


            If you find vulnerable DLLs included with 3rd-party apps, MS has a generic version of the DLL that can be used in their place (in many cases):



            Here's a tool you can use to scan your drive(s) or servers for infected JPEGs.



            BTW, when I scanned my system using the SANS tool, I found my copy of Paint Shop Pro 9 had a vulnerable gdiplus.dll. So that's one application we should watch for, make sure to use the SANS tool if you have PSP on your system.

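How a scanner for suspect JPEGs of the kind mentioned in post #6 can work, as an added example that is not part of the thread and not the code of any tool linked there. It assumes the publicly documented trigger for MS04-028: a JPEG segment (the comment segment, marker 0xFFFE) whose two-byte length field is 0 or 1, which is never valid because the length counts its own two bytes. The function names and sample byte strings are constructed for illustration.

```python
import os
import struct

# Markers with no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))

def find_bad_segments(data: bytes):
    """Return [(offset, marker, declared_length)] for impossible segment lengths."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    findings, pos = [], 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            break                      # lost sync with the marker structure
        marker = data[pos + 1]
        if marker == 0xFF:             # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:             # EOI: end of image
            break
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            findings.append((pos, marker, None))   # header cut off
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:                 # length includes itself, so 0 and 1 are invalid
            findings.append((pos, marker, length))
            break                      # next segment cannot be located reliably
        if marker == 0xDA:             # SOS: compressed image data follows
            break
        pos += 2 + length
    return findings

def scan_tree(root):
    """Walk a directory and return {path: findings} for flagged .jpg/.jpeg files."""
    flagged = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".jpg", ".jpeg")):
                path = os.path.join(folder, name)
                try:
                    with open(path, "rb") as fh:
                        hits = find_bad_segments(fh.read())
                except (OSError, ValueError):
                    continue           # unreadable, or not a JPEG despite the name
                if hits:
                    flagged[path] = hits
    return flagged

# Constructed samples: a well-formed comment segment, and one declaring length 1.
CLEAN = b"\xff\xd8" + b"\xff\xfe\x00\x07hello" + b"\xff\xd9"
SUSPECT = b"\xff\xd8" + b"\xff\xe0\x00\x04AB" + b"\xff\xfe\x00\x01" + b"A" * 8 + b"\xff\xd9"
```

A flagged file is malformed regardless of whether it carries a payload, so it is worth quarantining even on a patched system.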

            • Lex
              Moderator Emeritus
              • Apr 2001
              • 27461

              #7
              This just in, new MyDoom virus is accessible via link, instead of attachment. You click the link, when you go to that server, it infects your machine.

              So, it's not an attachment, it's not an image, but a link.

              Reported Paypal message involved. Telling you your card charged, and item ships soon... etc... Then it wants you to go to link to see transaction. NO NO NO! Don't do it.

              Lex
              Doug
              "I'm out there Jerry, and I'm loving every minute of it!" - Kramer


              • Lex
                Moderator Emeritus
                • Apr 2001
                • 27461

                #8
                Oh, so this may not be a product of the same hole in MS, but it does create a major problem anyway and since this is sort of a new way to become infected, it deserves attention here.
                Doug
                "I'm out there Jerry, and I'm loving every minute of it!" - Kramer
