Important: Windows JPEG vulnerability (merged)
Thread Starter
Folks, there's a potentially very nasty problem with the way in which Windows displays jpeg images, which means that a machine could be vulnerable when viewing images on the web or when your e-mail program displays images contained in messages. As far as I know the problem is a proof of concept, but it's a fair bet that someone will find a use for it soon.
The most common software to be affected is Windows XP (with or without Service Pack 1), Internet Explorer 6 SP1 and Office XP SP3 or 2003. If you run any of these, you should take a look at Microsoft advice on jpg vulnerability.
It also affects many other Microsoft products, such as Publisher, Visio, Visual C++ etc. so if you run other Microsoft software you should check the full list here.
Windows XP SP2 is not affected; however, it is possible to have multiple versions of the vulnerable library, so I think all affected products need to be patched individually (i.e. Windows XP SP2 users do still need to update Office). The MS link should provide the info you need.
Last edited by Evo; 28th Sep 2004 at 06:29.
Plastic PPRuNer
From Slashdot... http://it.slashdot.org/article.pl?si...&tid=109&tid=1
"Tom Liston, the guy that brought us the LaBrea Tarpit, wrote an open letter to Microsoft regarding the GDI JPEG vulnerability, and Microsoft's scanning tool for this vulnerability, which he calls 'worse than useless'. Tom, who wrote his own scanning tool, ends his letter with 'Please stop treating your customers like idiots and give us information; information that we can use.' Like Tom explains, the official Microsoft scanning tool misses a lot of vulnerable DLLs installed by third parties, and Microsoft fails to explain if these libraries are a problem or not."
Open letter at http://isc.sans.org/diary.php?date=2004-09-26
Download GDISCAN at http://isc.sans.org/gdiscan.php
NOTE: In the results - "Ignore files in directories like Windows\$NtUniinstallKBxxxxx\ and Windows\WinSxS. These are old versions left behind for uninstall purposes."
All clear this end.
Last edited by Evo; 28th Sep 2004 at 06:30.
Thread Starter
As expected, this is now active and in the wild - and it seems rather nasty too. It's making an appearance via a spam email directing you to a website for 'more information'.
As for the Slashdot story, good tool maybe - but what an awful 'open letter'! Including an irrelevant story about your childhood that comprises half the letter seems guaranteed to make Microsoft ignore it...
edit: actually, it is a very useful tool. Despite doing everything that Microsoft said,
Scanning Drive C:...
<snip>
C:\Program Files\Mindjet\MindManager 5\sys\shell\gdiplus.dll
Version: 5.1.3097.0 <-- Vulnerable version
C:\Program Files\Mindjet\MindManager 5\gdiplus.dll
Version: 5.1.3097.0 <-- Vulnerable version
C:\Program Files\Mindjet\MindManager 5 Viewer\gdiplus.dll
Version: 5.1.3097.0 <-- Vulnerable version
<snip>
Scan Complete.
Now it's much less likely that I'll open a vulnerable jpeg with MindManager than with Internet Explorer, but, still, it's nice to be watertight when possible.
Oh b*gger, there's more on another computer. Anybody have any idea what these two are?
C:\I386\ASMS\1000\MSFT\WINDOWS\GDIPLUS\GDIPLUS.DLL
Version: 5.1.3097.0 <-- Vulnerable version
C:\I386\SXS.DLL
Version: 5.1.2600.1106 <-- Vulnerable version
Last edited by Evo; 28th Sep 2004 at 07:57.
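Added example (not part of the original posts and not GDISCAN's own code): a small Python triage of scan output in the format pasted above, separating flagged files under the directories the quoted note says to ignore from flagged files that still need patching, grouped by the folder of the application that ships them. The WinSxS, $NtUninstall and "Example App" sample lines are constructed, and it is an assumption that unflagged files print a Version line without the marker.

```python
import ntpath  # Windows path handling that also works on non-Windows hosts
import re
from collections import defaultdict

# Directories the note quoted in the thread says to ignore (old copies kept
# for uninstall purposes). Real folders are named like $NtUninstallKB...$.
IGNORED = re.compile(r"\\(\$NtUninstall[^\\]*|WinSxS)\\", re.IGNORECASE)
PATH_LINE = re.compile(r"^[A-Za-z]:\\.+")
VERSION_LINE = re.compile(
    r"^Version:\s*(\S+)\s*(<--\s*Vulnerable version)?", re.IGNORECASE)

# Sample input: the MindManager lines come from the thread; the rest is constructed.
SAMPLE = r"""Scanning Drive C:...
C:\Program Files\Mindjet\MindManager 5\gdiplus.dll
Version: 5.1.3097.0 <-- Vulnerable version
C:\Program Files\Mindjet\MindManager 5 Viewer\gdiplus.dll
Version: 5.1.3097.0 <-- Vulnerable version
C:\WINDOWS\WinSxS\example_dir\gdiplus.dll
Version: 5.1.3097.0 <-- Vulnerable version
C:\WINDOWS\$NtUninstallKBxxxxx$\sxs.dll
Version: 5.1.2600.1106 <-- Vulnerable version
C:\Program Files\Example App\gdiplus.dll
Version: 0.0.0.0
Scan Complete.
"""

def parse_scan(text):
    """Yield (path, version) for each file the scanner marked as vulnerable."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_LINE.match(line):
            current = line  # remember the file until its Version line arrives
            continue
        m = VERSION_LINE.match(line)
        if m and current:
            if m.group(2):  # only lines carrying the "Vulnerable version" marker
                yield current, m.group(1)
            current = None

def triage(text):
    """Return ({app_dir: [(dll, version), ...]}, [ignored_paths])."""
    review, ignored = defaultdict(list), []
    for path, version in parse_scan(text):
        if IGNORED.search(path):
            ignored.append(path)
        else:
            review[ntpath.dirname(path)].append((ntpath.basename(path), version))
    return dict(review), ignored

if __name__ == "__main__":
    print(triage(SAMPLE))
```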