Folks, there's a potentially
very nasty problem (http://www.securityfocus.com/advisories/7211) with the way in which Windows displays jpeg images, which means that a machine could be vulnerable when viewing images on the web or when your e-mail program displays images contained in messages. As far as I know the problem is a proof of concept, but it's a fair bet that someone will find a use for it soon.

The most common software to be affected is Windows XP (with or without Service Pack 1), Internet Explorer 6 SP1 and Office XP SP3 or 2003. If you run any of these, you should take a look at

Microsoft advice on jpg vulnerability (http://www.microsoft.com/security/bulletins/200409_jpeg.mspx)

It also affects many other Microsoft products, such as Publisher, Visio, Visual C++ etc. so if you run other Microsoft software you should check the full list here (http://securityresponse.symantec.com/avcenter/security/Content/11173.html).

Windows XP SP2 is not affected; however, it is possible to have multiple versions of the vulnerable library, so I think all affected products need to be patched individually (i.e. Windows XP SP2 users do still need to update Office). The MS link should provide the info you need.

Hiya Evo,

Great link, thank you. SP2 OK but the old office 2003 needed upgrading.

Cheers


Mike

EVO - may I recommend this as a sticky for a few weeks?

FJJP

From Slashdot... http://it.slashdot.org/article.pl?sid=04/09/27/1649256&tid=172&tid=128&tid=109&tid=1

"Tom Liston, the guy that brought us the LaBrea Tarpit, wrote an open letter to Microsoft regarding the GDI JPEG vulnerability, and Microsoft's scanning tool for this vulnerability, which he calls 'worse then useless'. Tom, who wrote his own scanning tool, ends his letter with 'Please stop treating your customers like idiots and give us information; information that we can use.' Like Tom explains, the official Microsoft scanning tool misses a lot of vulnerable DLL's installed by third parties, and Microsoft fails to explain if these libraries are a problem or not."

Open letter at http://isc.sans.org/diary.php?date=2004-09-26

Download GDISCAN at http://isc.sans.org/gdiscan.php

NOTE: In the results - "Ignore files in directories like Windows\$NtUniinstallKBxxxxx\ and Windows\WinSxS. These are old versions left behind for uninstall purposes."

All clear this end.

As expected, this is now active and in the wild - and it seems rather nasty (www.easynews.com/virus.html) too. It's making an appearance via a spam email directing you to a website for 'more information'.

As for the slashdot story, good tool maybe - but what an awful 'open letter'! Including an irrelevant story about your childhood that comprises half the letter seems guaranteed to make Microsoft ignore it...

edit: actually, it is a very useful tool. Despite doing everything that Microsoft said,

Scanning Drive C:...

<snip>

C:\Program Files\Mindjet\MindManager 5\sys\shell\gdiplus.dll
Version: 5.1.3097.0 <-- Vulnerable version
C:\Program Files\Mindjet\MindManager 5\gdiplus.dll
Version: 5.1.3097.0 <-- Vulnerable version
C:\Program Files\Mindjet\MindManager 5 Viewer\gdiplus.dll
Version: 5.1.3097.0 <-- Vulnerable version
<snip>

Scan Complete.


Now it's much less likely that i'll open a vulnerable jpeg with MindManager than with Internet Explorer, but, still, it's nice to be watertight when possible.

Oh b*gger, there's more on another computer. Anybody have any idea what these two are?

C:\I386\ASMS\1000\MSFT\WINDOWS\GDIPLUS\GDIPLUS.DLL
Version: 5.1.3097.0 <-- Vulnerable version
C:\I386\SXS.DLL
Version: 5.1.2600.1106 <-- Vulnerable version