Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   beware jpeg (https://forum.exetools.com/showthread.php?t=5408)

lhrt 09-17-2004 22:10

beware jpeg
here is some info from securityfocus.
Microsoft warns of poisoned picture peril

By Kevin Poulsen, SecurityFocus Sep 14 2004 5:54PM
The old bromide that promises you can't get a computer virus by looking at an image file crumbled a bit further Tuesday when Microsoft announced a critical vulnerability in its software's handling of the ubiquitous JPEG graphics format.

The security hole is a buffer overflow that potentially allows an attacker to craft a special JPEG file that would take control of a victim's machine when the user views it through Internet Explorer, Outlook, Word, and other programs. The poisoned picture could be displayed on a website, sent in e-mail, or circulated on a P2P network.

Windows XP, Windows Server 2003 and Office XP are vulnerable. Older versions of Windows are also at risk if the user has installed any of a dozen other Microsoft applications that use the same flawed code, the company said in its advisory. The newly-released Windows XP Service Pack 2 does not contain the hole, but vulnerable versions of Office running atop it can still be attacked if left unpatched. Patches are available from Microsoft's website.

The company said it's not aware of the hole being publicly exploited in the wild, and has not seen any examples of proof of concept code.

The JPEG bug rounds out a growing menagerie of vulnerabilities in code that displays image files. Mozilla developers last month patched the open-source browser against a critical hole discovered in a widely-deployed library for processing P
NG images. And last July, Microsoft simultaneously fixed two image display holes in Internet Explorer: one made users potentially vulnerable to maliciously-crafted BMP images, the second to corrupt GIF files. The GIF bug had been publicly disclosed 11 months earlier.

There was a time when the idea of a malicious image file was absurd enough to be the topic of an April Fools joke. One early and widely-circulated hoax message dating from 1994 warned users of a computer virus infecting the comment field of JPEG files.

"It was someone saying that just looking at a JPEG on your screen can get you a virus," recalls Rob Rosenberg, editor of the debunking site Vmyths.com. "In '94 it was a myth, but in '04 it's the real thing... We've got the JPEG of death now."
does anybody know hows its made? is that a bufferoverflow??

the bug is in all NT 2000 and xp boxs expt xpsp2.
are avs picking those?

there is a patch avilable for the exploit in the microsoft site so if u got the patch no more worries abt jpeg

badminton 09-18-2004 01:55

Do you know which image viewers are affected? I can't finda any website that lists them. All that said is that Windows XP is infected. Are image viewers such as ACDSEE, Microsoft Picture Viewer, etc affected?

zdensys 09-18-2004 02:01

Visit the link below for the list of affected program.
It's advisable to run both WU and OU to patch this.



€XC€PTiON™ 09-18-2004 02:53

This has to one of the worst Windows Update "experiences". Unlike other updates, which clearly confirm that you are updated or not.

This one requires you to first install an ActiveX control under the premise that it will scan your system for affected graphics programs.

After installing the control, all you get is a message to go back to windows update.

I'm a little puzzled, does this control do anything about the other programs that may be affected by the vulnerability or not? :confused:

tbone 09-18-2004 05:29

I went in circles for a while with this one, too. Apparently, this bug is present in multiple Microsoft products. The GDI+ library has it, but only for Windows XP and server 2003, as well the version that comes with the SDK. However, most newer versions of Office as well as IE6 and the .NET framework contain the bug, too. So pretty much any Windows system will have this *somewhere*.

The only place I could actually find downloadable updates to patch this was from the corresponding technet article:


The detection tool on WU doesn't appear to damn thing except point you to their web site without so much as telling you which components it found on your system, so you'll just have to figure that part out yourself. I'm assuming that each one needs to be updated.

Seventh 09-27-2004 00:38


Proof of concept exploit for the recent JPEG buffer overrun vulnerability that crashes any Windows XP system that has not been patched for this flaw.
The JPEG file above crashed my "Windows Picture and Fax Viewer" on my XP box w/o SPx and explorer restarted. but it didnt crashed my IE6.


Proof of concept local exploit that creates a JPEG image to test for the buffer overrun vulnerability discovered under Microsoft Windows. Shellcode and valid addresses have been removed.

archaios 09-28-2004 17:07

JPEG buffer overflow?
This is a prime example of why the whole development methodology in use by Microsoft must be questioned. The existence of an (extremely simplistic) buffer overflow due to a patent lack of bounds checking is an appalling reflection on this software monolith. The aptitude of their QA team resounds hollowly in my mind...


amnesia 09-28-2004 22:52


Might be interesting to work on the jpeg specimen. POC included in the link as well.

pll823 10-01-2004 17:59

my computer has infected with this virus,all Documents has been gone

Kameo 10-01-2004 18:55


Originally Posted by pll823
my computer has infected with this virus,all Documents has been gone

:eek: :eek: :eek: :eek:

For real ?!?
Where did you get the virus from ??? I bet that's too early for virus writers to use this exploit !
I bet all antivirus company, have to scan jpeg files as well now, heuristic or not, i guess that for a moment, it's gonna be a real mess before it all calms down !

All times are GMT +8. The time now is 07:49.

Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2021, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX