Posted on 09/22/2004 9:16:18 PM PDT by Eagle9
One of the standard security tactics enterprises apply won't work when defending PCs against threats posed by the image processing flaw found last week in Windows and numerous applications, security experts said Tuesday.
The JPEG bug in Windows XP and Windows Server 2003, as well as in a host of both Microsoft and non-Microsoft applications, can't be defended against by blocking JPEG images at the gateway, said John Pescatore, vice president of Gartner's Internet security group.
"You can't simply block against this threat by file extension," said Pescatore, "since hackers could simply rename the file type and Windows would still process it as a JPEG. You'd pretty much have to block not only every image, but every file attachment to make this work. And you can't block everything."
The vulnerability's most likely avenue of exploit, experts said last week, is through delivering specially crafted JPEG image files via e-mail. Users who open the attachments could put their computer at risk of hacker hijack.
Marcus Sachs of the Internet Storm Center seconded the motion. "If you decide to block JPEG attachments in e-mail, then you also need to consider blocking instant messaging, P2P, Web surfing, and 'allowed' attachments that could contain images, such as Microsoft Office applications," he wrote in an online advisory. "While it sounds like an easy quick fix, blocking JPEG attachments is the wrong way to attack this problem. Save your energy for security battles that are more worthwhile."
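As an added illustration (not part of the article or of any post in this thread) of why an extension-based gateway rule misses renamed files, the script below contrasts that rule with a check that reads the file's own signature, which is what an image parser keys on. The attachments are constructed headers, not real files, and the check also recognises the PNG signature so it goes slightly beyond the article's JPEG case.

```python
# Added example: extension-keyed filter vs content-based identification.
# All attachments below are constructed samples (headers plus padding).
from typing import Dict, Optional

BLOCKED_EXTENSIONS = {".jpg", ".jpeg", ".jpe", ".jfif"}

# File signatures ("magic bytes") that decoders key on, regardless of name.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",          # SOI marker, then the next marker's 0xFF
    "png": b"\x89PNG\r\n\x1a\n",      # fixed 8-byte PNG signature
}

def extension_filter(filename: str) -> bool:
    """Gateway rule the article warns against: block by file extension only."""
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot != -1 else ""
    return ext in BLOCKED_EXTENSIONS

def sniff_image_type(data: bytes) -> Optional[str]:
    """Identify an image from its leading bytes, ignoring the filename."""
    for kind, magic in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None

def content_filter(data: bytes, kinds=("jpeg",)) -> bool:
    """Block when the payload itself is one of the given image types."""
    return sniff_image_type(data) in kinds

def audit(attachments: Dict[str, bytes]) -> Dict[str, dict]:
    """Run both rules over filename -> bytes and report what each decides."""
    report = {}
    for name, data in attachments.items():
        report[name] = {
            "ext_blocked": extension_filter(name),
            "sniffed": sniff_image_type(data),
            "content_blocked": content_filter(data),
        }
    return report

# Constructed samples: a JPEG under its own name, the same JPEG renamed to
# .txt, plain text named like an image, and a PNG (not a JPEG at all).
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "photo.txt": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "notes.jpg": b"just some text, named to look like an image",
    "logo.png": SIGNATURES["png"] + b"\x00" * 16,
}

if __name__ == "__main__":
    for name, row in audit(SAMPLES).items():
        print(f"{name:10} ext_blocked={row['ext_blocked']!s:5} "
              f"sniffed={row['sniffed']} content_blocked={row['content_blocked']}")
```

The renamed JPEG passes the extension rule and is caught only by the content check, while the text file named .jpg is blocked by the extension rule for no reason.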
Instead, patch the operating system and the vulnerable Microsoft applications, particularly Office, as quickly as possible, urged Pescatore.
"Take away the browser and the [Outlook] e-mail client [from hacker exploit] and you've made it a whole lot harder for them," he said.
Most of Gartner's enterprise clients, said Pescatore, are feeding the Windows and Office fixes directly into their standard update and patching mechanisms, then waiting for other third-party vendors whose products may be vulnerable to announce fixes.
Fast patching is the best defense against the bug, agreed Ken Dunham, director of malicious code research at security intelligence provider iDefense. "Every day that goes by without a remote code execution exploit lowers the threat level for this vulnerability," he said.
Both Pescatore and Dunham noted that although proof-of-concept code has been circulating since last week, it's of minimal value to hackers, since all it can do is crash the targeted computer. "It's harder to create an exploit that lets an attacker run arbitrary code on the compromised machine," Dunham said.
"We don't consider this highly 'wormable,'" added Pescatore.
That could change, of course, if code were created and shared within the hacker underground that allowed code to run on the target PC to, for instance, download a Trojan backdoor or install a keylogger.
Pescatore and Dunham separately brought up the example of 2003's big-deal Slammer worm as one that took advantage of a similarly widespread vulnerability. "One of the reasons why Slammer spread so fast," said Pescatore, "is that the vulnerable component was included in so many products, 97 by Microsoft's count. Not only do enterprises have to patch the operating system against the JPEG vulnerability, but they have to patch Microsoft products and third-party products. That's what really screws it up."
"This reminds me of the Slammer situation," said Dunham. "Not in the severity of the threat, but that this JPEG vulnerability, like the SQL vulnerability, creates a complicated patch issue and so is something that will remain vulnerable for an extended period of time."
"Both Pescatore and Dunham noted that although proof-of-concept code has been circulating since last week, it's of minimal value to hackers, since all it can do is crash the targeted computer. 'It's harder to create an exploit that lets an attacker run arbitrary code on the compromised machine,' Dunham said. 'We don't consider this highly wormable,' added Pescatore."

The exploit code to run whatever you want on a target system is already making the rounds.
And, of course, Microsoft could have proactively mitigated some of the threat years ago if they had followed their own standards (extensions determine filetype), or standards that everybody else follows like adhering to mime-types.
Actually, I don't use Outlook and I use Firefox (download for free from mozilla.org) as my web browser, so I am not concerned at all.
"The exploit code to run whatever you want on a target system is already making the rounds."
OUCH- that's gotta hurt!
Just glad I switched to mac last year.
It's all hysteria over nothing. I have yet to see a compromised computer with this vulnerability, especially when safe computing is practiced. You do have SP2 AND a decent firewall installed AND you do download only from trusted sites? 'Nuff said.
Ahhhh. You're the one.
There are similar flaws in .PNG files that Microsoft has not addressed yet. All your patches, firewalls, and anti-virus software would not stop an attacker from posting an exploit .PNG in this forum right now and taking over your system.
Not the only one ;)
Does Mozilla use MS's built-in image-decoding routines, or does it use its own?
It uses its own JPEG library, separate from Microsoft's.
OK, darnit. Free Republic seems to have a delay now from when you submit a comment and it shows up in the forum. I keep thinking I must have only previewed a comment and not posted it so I repost it again.
OK, Mr. Rather -- did you get that from JR's 86-year-old grandmother? Or maybe from the grassy knoll where the delay equipment is set up?
There is a 527 working here. The 1st step -- slow down FR!!
Or you could stop putting up with this garbage and get a Mac. Imagine how much time and worry you will save knowing your computer isn't the target of some teenager in Bulgaria. No spyware, no e-mail viruses, no trojans and no pictures ruining your computer. Instead of wasting your time constantly fixing Windows you could be doing something productive like wasting time on FR.
marker
I don't know.
"There are similar flaws in .PNG files that Microsoft has not addressed yet. All your patches, firewalls, and anti-virus software would not stop an attacker from posting an exploit .PNG in this forum right now and taking over your system."
Here's a .png file.
Anyone interested in getting Firefox should click on this image.
Been converting more co-workers every day. Now that the latest version does NTLM authentication, it does absolutely everything that I need.