Finjan Software has exposed a new dangerous exploit that significantly increases the damage potential of the so-called "JPEG vulnerability" which was published by Microsoft on September 16, 2004 (Microsoft's security bulletin MS04-028, http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx).
An attacker can remotely take over a user’s PC by simply having the user browse a web page that contains a malformed image file using Internet Explorer. The previous vulnerability did not expose Internet Explorer to this attack.
As previously reported, Microsoft’s GDI+ JPEG decoder DLL file (gdiplus.dll) contains a vulnerability that allows an attacker to execute arbitrary code remotely on Windows operating systems. In order to be attacked though the user had to obtain the contaminated image file by means of Email, or to otherwise save it to the local disk, and then view the image by one of the vulnerable Microsoft software products.
In other words, the previous vulnerability required some degree of "social engineering" to make the user perform an operation which triggers the attack. Conversely, this new vulnerability affects any Internet Explorer user who merely browses a malicious page.
Note that this same vulnerability affects JPEG image files even if they have been renamed with the following file extensions: .bmp, .dib, .emf, .gif, .ico, .jfif, .jpe, .jpeg, .jpg, .png, .rle, .tif, .tiff, .wmf
More info:
http://www.finjan.com/SecurityLab/AttackAndExploitReports/alert_show.asp?attack_release_id=111
http://www.finjan.com/SecurityLab/AttackAndExploitReports/jpeg_vulnerability_demo.htm
http://www.prnewswire.com/cgi-bin/stories.pl?ACCT=109&STORY=/www/story/09-29-2004/0002260826&EDATE=
104456
September 29th, 2004, 06:48 AM
Makes one wonder if it would be better for MS not to tell people what the patches are for in the first place to help prevent after patch exploits.
Vernon Frazee
September 29th, 2004, 09:34 AM
True, but I doubt they'd get away with it for long. :)
Vernon Frazee
September 29th, 2004, 09:59 AM
Source, vnunet.com: First sign of malicious code exploiting Windows Jpeg security flaw (http://www.vnunet.com/news/1158423)
Online newsgroups have found infection in pictures posted for download
Sarah Arnott, Computing 29 Sep 2004
The first malicious codes to exploit security flaws in Microsoft Windows' handling of jpeg image files has appeared on internet newsgroups.
The trojan is embedded in Jpegs that, once downloaded and viewed, allow hackers to gain control of the user's PC.
Microsoft acknowledged the vulnerability and issued a security patch earlier this month but at the time no viruses exploiting the flaw had been seen.
Online newsgroup access provider Easynews found the trojan code in pictures posted to its site earlier this week.
The current situation poses little risk of a major virus attack because the code cannot replicate itself and spread.
But a more serious way to exploit the flaw has also been posted on Bugtraq, a site that tracks and reports flaws in major software products. According to security software provider Finjan, the new method would allow the hacker to take over an end user's PC simply by having them browse a web page that contains the malformed image file using Internet Explorer.
patweb
September 29th, 2004, 10:07 AM
:RANT ON:
This is ridiculous. XP was BILLED (BY BILL) as being the most secure version of WinBLOW's ever, was it not?
It is absolutely CRIMINAL that an out of the box brand new computer is capable of being DISABLED within a minute of being connected to a network.
People are buying new PC's to 'fix' these innocuous problems in droves. I think this is more about PLANNED OBSOLESCENCE than responsible engineering. Just about every MS OS was eventually 'patched' into oblivious use.
The new SP2 is turning good computers into DOGS that take longer to boot and run slower.
It is time for SOMEONE to build an OS from the ground up that has real scruples (MS products are just repackaged IBM goods :) ).
MS shouldn't be praised for advancing the computer industry, it should be sued for all the damage it has caused.
:RANT OFF:
patweb
September 29th, 2004, 10:27 AM
Gates takes wraps off Windows XP
Published: October 25, 2001, 9:25 AM PDT
By Jim Hu and Mike Ricciuti
Staff Writer
update NEW YORK--Microsoft on Thursday officially launched Windows XP, the newest version of its operating system and what could be the company's most important product in more than six years.
The long-anticipated operating system, which Microsoft says improves performance, reliability and ease of use, is available at retail as of Thursday.
Microsoft ushered in Windows XP with a lavish extravaganza in New York. Microsoft, chipmaker Intel and PC makers are expected to spend a combined total of more than $1 billion on marketing for Windows XP.
Chairman and Chief Software Architect Bill Gates, accompanied by PC industry executives and New York Mayor Rudolph Giuliani, announced Windows XP at Times Square's Marriott Marquis Theatre.
"Today is a great day for PC users and a great day for the PC industry," Gates said. "There's only one place to launch Windows XP, and that's right here in the heart of New York City," said Gates. Referring to the terrorist attacks of Sept. 11, Gates said: "New York is back and open for business."
Giuliani said: "I want to thank Bill for doing this launch in New York City. It shows a tremendous amount of confidence in the city of New York."
Former New York City Mayor Ed Koch, television personality Regis Philbin, Starbucks Chairman Howard Schultz, and Intel Chief Executive Craig Barrett took part in the launch. Microsoft also hired musician Sting to play a midday concert in New York's Bryant Park.
Microsoft has a lot riding on XP's success: The operating system ushers in new features tied to Microsoft's long-term strategic plans for media player software, digital photo tools and online services. Many analysts said the new operating system was the most important release of Windows since Windows 95, the forerunner to Internet Explorer and other Internet connectivity features.
Windows XP is also the first operating system to test key components of Microsoft's widely publicized .Net strategy to connect all of its products and properties, as well as the basic technologies behind it: .Net My Services, the overall software architecture for Microsoft services, and Passport, the mechanism designed to let consumers use all the services.
"In many ways this (Windows XP) is a transition. This new term--XML Web services--you will be hearing more and more about that because Windows XP lays the foundation for that," Gates said.
The company also launched Microsoft Plus for Windows XP, a bundle of add-on tools and features, such as voice recognition for Windows Media Player, and several audio enhancements. The software is estimated to cost $39.95 at retail.
PC makers and software-application sellers are counting on Windows XP to revive sales in the slumping technology market.
But, based on analyst estimates and comments from CNET News.com readers, XP may get off to a sluggish start.
Research firm Gartner predicts that most consumers won't switch operating systems until they buy new PCs. Gartner predicted tepid initial sales, which would be in line with the lukewarm reception received by Windows Me and Windows 2000 last year.
Dell Computer Chief Executive Michael Dell on Thursday said he expects consumer demand for personal computers to drive the company's sales higher in its fiscal fourth quarter.
"We expect to increase our sales in the fourth quarter, and it's driven again--once again--by the consumer first," Dell said during a CEO roundtable at the Windows XP launch, Reuters reported.
Computer makers started selling XP PCs Sept. 24.
Gartner analysts Michael Silver and Charles Smulders say that even for the rest of this year, the $500 million hype campaign surrounding the launch of Microsoft's new operating system won't be enough to increase PC sales very much.
Part of Microsoft's effort to fight piracy, product activation requires consumers to "lock" a copy of Windows XP to a particular PC by submitting information to Microsoft over the phone or the Internet. Many people are reluctant to use activation for privacy reasons.
Not all the news is grim, however. Online retail giant Amazon.com reported that Windows XP had the most advance orders of any nongame software ever offered. The Home and Professional upgrade versions and add-on pack Plus! for Windows XP have taken the top three software sales slots since Oct. 1, Amazon reported.
In order to spur XP sales, Microsoft, PNY and Symantec announced Thursday that consumers could get a free memory upgrade and antivirus software with the purchase of Windows XP Professional at any Best Buy, CompUSA, Office Depot or Staples store. Also, Microsoft, Kingston Technology and Network Associates announced that consumers would receive free memory when they purchase Windows XP Professional at all Office Max, Office Depot and Best Buy stores.
What's new?
Windows XP will come in two versions: Home and Professional. Although they appear identical, the Professional version offers more sophisticated networking, better security and support for multiple processors.
Windows XP Home Edition will be available as an upgrade version for $99. The full version of the OS will cost $199. Windows XP Professional will cost $199 for the upgrade and $299 for the full version, according to Microsoft.
Some other highlights of Windows XP:
• Performance: XP derives its heritage from Windows NT/2000, which manages memory better than Windows 95, 98 or Me and runs multiple programs at the same time more easily. The new operating system is designed to be more crash resistant than previous versions of Windows.
• Backward compatibility: A feature called Compatibility Mode installs or runs programs in a way that fools them into thinking they are working with Windows 95, 98, Me or 2000.
• Better text: For those using LCD monitors—with either desktop or notebook PCs—ClearType technology offers substantially sharper text than any other Windows version and most other operating systems.
• Multiple desktops: Unlike earlier Windows versions, XP allows several people—each with a custom desktop—to be signed in simultaneously on the same computer. Switching desktops takes a few seconds without disrupting activity. In a home with only one PC, mom can check her e-mail while the kids download MP3s.
• Better drivers: XP enforces stricter guidelines for hardware makers writing device drivers, a move expected to improve stability.
• Stronger security: Both versions of XP have firewalls offering basic protection when connected to the Internet. Professional includes more sophisticated security, such as file encryption and restricted access.
• Digital imaging: Handling digital images will be much easier with XP than with earlier Windows versions. Microsoft also will provide digital images ordered over the Internet for an additional cost.
Oh, and an interesting phenomenon after installing Windows XP SP2.
VNC is having problems connecting to certain computers. I found that if I connect to my SP2 computer (with VNC) from another computer, then I can use VNC to connect to that computer. I am using static routes on the network, so I think this has something to do with the routing table on the SP2 computer (or WINSOCK).
Thanks for the "more info" links Vern.
Interesting to find that "gdiplus.dll" is vulnerable.
Although I'm running a non-affected OS & Browser, that file is installed on this system by Nero.
I gather I'm going to need to install the update now anyway?
I would also assume that if a re-install of Nero is ever required, I would probably need to re-apply the patch also?
Nero is arguably one of the most popular burning programs going right now. I wonder how many people would be aware that a re-install of a particular software program may disable the update.
I would suggest users locate that file to see which program installed it for future reference.
Thanks again.
Vernon Frazee
September 30th, 2004, 09:26 AM
You're Welcome :)
If gdiscan finds a vulnerable copy of gdiplus.dll on your PC, you need to visit the web site of the application, (indicated by the folder gdiplus.dll was found in), and see if there is an update available. If there is, download and install it and hope that fixes the problem. (Check by running gdiscan.exe again). If the problem still exists, then you should contact the software manufacturer and explain the situation.
Another possible workaround would be to download the latest gdiplus.dll from Microsoft, available here:
Platform SDK Redistributable: GDI+
http://www.microsoft.com/downloads/details.aspx?FamilyId=6A63AB9C-DF12-4D41-933C-BE590FEAA05A&displaylang=en
Download the file to a new folder named "c:\gdiplus" then run it and extract the files in it into the same folder. You should now have a gdiplus.dll file in your "c:\gdiplus" folder. Copy this DLL over the known exploitable one to replace it.
Note that this approach may cause problems with your third-party software if the developers of that software added extra functionality into their copy of the gdiplus.dll. Therefore, please make a backup of the existing vulnerable gdiplus.dll before you try this method.
104456
September 30th, 2004, 09:33 AM
Interesting, Vernon. I wonder if software vendors like MS are going to release more updates for older software too or rely on that old phrase "our latest version..........."
Scanning...
C:\Program Files\Microsoft Works\gdiplus.dll
Version: 5.1.3079.3 <-- Vulnerable version [Works v 7]
C:\Program Files\Norton SystemWorks\Password Manager\gdiplus.dll
Version: 5.1.3097.0 <-- Vulnerable version [ NSW 2004]
C:\Program Files\Symantec\Web Tools\GDIPlus.dll
Version: 5.1.3097.0 <-- Vulnerable version [NSW 2004]
Scan Complete.
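As an added example (not code from the thread, and not the gdiscan tool itself), the following Python script does what the two posts above describe: it walks a directory tree for copies of gdiplus.dll, reads each one's file version from the VS_FIXEDFILEINFO block inside the DLL, and labels it against the versions this thread reports as vulnerable. The thread does not state the patched version, so anything newer is reported as "confirm against MS04-028" rather than assumed fixed; the demo tree it builds when run without an argument is constructed input, not real DLLs.

```python
import os
import struct
import tempfile

# Vulnerable gdiplus.dll file versions, taken from the gdiscan output posted in this thread.
KNOWN_VULNERABLE = {(5, 1, 3079, 3), (5, 1, 3097, 0)}

# VS_FIXEDFILEINFO.dwSignature (0xFEEF04BD) as it appears in the file, little-endian.
FIXEDFILEINFO_SIGNATURE = b"\xbd\x04\xef\xfe"


def pe_file_version(data):
    """Return (major, minor, build, revision) from a PE image's VS_FIXEDFILEINFO,
    or None if no version block is found.

    Rather than walking the resource directory tree, this locates the fixed-info
    signature directly; dwFileVersionMS and dwFileVersionLS follow it at +8 and +12.
    A stray copy of the signature elsewhere in the image would fool this shortcut."""
    pos = data.find(FIXEDFILEINFO_SIGNATURE)
    if pos < 0 or pos + 16 > len(data):
        return None
    ms, ls = struct.unpack_from("<II", data, pos + 8)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def classify(version):
    """Label a version relative to the builds this thread reports as vulnerable."""
    if version is None:
        return "no version info"
    if version in KNOWN_VULNERABLE:
        return "known vulnerable"
    if version <= max(KNOWN_VULNERABLE):
        return "older than known vulnerable builds"
    return "newer than known vulnerable builds; confirm against MS04-028"


def format_version(version):
    return ".".join(str(part) for part in version)


def scan(root):
    """Walk root and report every gdiplus.dll found, in the style of gdiscan."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower() == "gdiplus.dll":
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    version = pe_file_version(fh.read())
                findings.append((path, version, classify(version)))
    return findings


def fake_version_blob(version):
    """Constructed stand-in for a DLL: an MZ header followed by the bytes a real
    VS_FIXEDFILEINFO carries for the given version (signature, dwStrucVersion, MS, LS)."""
    major, minor, build, rev = version
    ms, ls = (major << 16) | minor, (build << 16) | rev
    return b"MZ" + b"\0" * 62 + FIXEDFILEINFO_SIGNATURE + struct.pack("<III", 0x00010000, ms, ls)


def make_demo_tree():
    """Build a throwaway tree holding two constructed gdiplus.dll stubs and return its root."""
    root = tempfile.mkdtemp()
    for sub, ver in (("Works", (5, 1, 3079, 3)), ("Other", (5, 1, 3200, 0))):
        os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, sub, "gdiplus.dll"), "wb") as fh:
            fh.write(fake_version_blob(ver))
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else make_demo_tree()
    for path, version, verdict in scan(root):
        shown = format_version(version) if version else "?"
        print(f"{path}\n    Version: {shown} <-- {verdict}")
```

Run it with a drive or Program Files path as the argument to scan a real system; without an argument it scans the constructed demo tree.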
104456
September 30th, 2004, 12:16 PM
Just an added note: I've changed the noted vulnerabilities above in the log file with the corrected file posted by Vernon and all seems to be working so I'm one happy camper :D
rogue_red
October 1st, 2004, 04:29 AM
I can't believe the damage that this vulnerability has caused me. At the point now where a complete reformat and clean installation is looking like my only option for regaining control of my system. Soooo don't want to do it as I study online and have everything including family pics etc on here.
Is there any hope of getting my pc back??? I can't even reinstall my Nortons so currently I have no antivirus protection.
Vernon Frazee
October 1st, 2004, 06:05 AM
Originally posted by rogue_red
At the point now where a complete reformat and clean installation is looking like my only option for regaining control of my system. ...

Recommend trying this first:
1. Create a new folder named C:\HijackThis
2. Download HijackThis version 1.98.2 from http://www.majorgeeks.com/download3155.html and download it into your C:\HijackThis folder
3. Extract the downloaded C:\HijackThis\hijackthis.zip file into C:\HijackThis
4. Launch the C:\HijackThis\hijackthis.exe program and click "Scan"
5. When it's done, click "Save Log" and save it as C:\HijackThis\hijackthis.log
6. The saved log file will automatically come up in Notepad. Click "Edit|Select All" then "Edit|Copy"
7. Start a new thread in our HijackThis Logfile forum: http://discussions.virtualdr.com/forumdisplay.php?forumid=71
8. Click once inside the Message box, then press [Ctrl-V] (or click Edit|Paste) to paste the contents of your hijackthis.log file into the message
9. Add a Subject and any comments to your message and click "Submit New Thread"
Hopefully one of our HijackThis Logfile experts will be along shortly to analyze your logfile and help you rid your PC of any malware
Vernon Frazee
October 1st, 2004, 06:50 AM
Originally posted by 104456
I wonder if software vendors like MS are going to release more updates for older software too ...

I'm sure at least part of that decision will be based on how old and/or popular the software is. :)
rogue_red
October 1st, 2004, 06:50 AM
Thanx will give that a go. I already have Hijackthis but couldnt understand the results. Cheers
Vernon Frazee
October 1st, 2004, 06:53 AM
Originally posted by patweb
Oh, and an interesting phenomenon after installing Windows XP SP2.
VNC is having problems connecting to certain computers. ...

Did you create a Windows XP SP2 Firewall Exception for the port that VNC uses?
Vernon Frazee
October 1st, 2004, 07:20 AM
Originally posted by patweb
... It is absolutely CRIMINAL that an out of the box brand new computer is capable of being DISABLED within a minute of being connected to a network. ...

IMHO, like our water and electrical supply, internet access is simply another utility. As such, it should be filtered to a safe standard before it reaches our homes.
Vernon Frazee
October 1st, 2004, 07:21 AM
Originally posted by rogue_red
Thanx will give that a go. I already have Hijackthis but couldnt understand the results. Cheers

You're Welcome. :)
Triple7's
October 1st, 2004, 09:23 AM
IMHO, like our water and electrical supply, internet access is simply another utility. As such, it should be filtered to a safe standard before it reaches our homes

Interesting analogy, though water and electricity don't "intentionally" or with "malice" set out to destroy a home appliance, or at least ruin your day.
Of course, it might seem that way to Floridians these days :)
Welshjim
October 1st, 2004, 02:12 PM
So how many people have switched out the old gdiplus.dll with the new? Success or problems?
I have only seen two reports so far
DuaneB (in another thread)--problem, had to do system restore, though not clear what .dll he finally wound up with.
104456--success
U.S. offers download of new $50 bill
Friday, October 1, 2004 Posted: 9:06 AM EDT (1306 GMT)
WASHINGTON (AP) -- The U.S. government will offer over the Internet low-quality images of its new $50 bill for artists, students and others who discover that their computers, scanners or printers won't allow them to view or copy pictures of the new currency.
Uncle Sam is making sure that computers won't cooperate with would-be counterfeiters -- even as it tries to accommodate consumers who legitimately want or need images of the currency.
The government said it also will consider individual requests for higher-quality images -- such as might be used in commercial art projects.
The low-quality images, suitable for school projects and other uses, will be available free at www.moneyfactory.com, a Web site run by the Bureau of Engraving and Printing. The new $50 bill was introduced this week.
"There is no limit on the ways that people may use images of currency. What we don't want is people whipping currency out of their pockets and making copies," said Eugenie Foster, cash project leader in the Federal Reserve Board's division of reserve bank operations and payment systems.
Making these digital copies is getting harder, thanks to secretive anti-counterfeiting technology built into some popular consumer hardware and software products at the request of government regulators and international bankers.
The technology detects and blocks attempts to view, scan or print copies of the redesigned $20 and $50 bills and, in a pop-up window, urges consumers to visit a Web site, www.rulesforuse.org, to learn about international counterfeit laws.
The technology, known as the Counterfeit Deterrence System, was designed by a consortium of 27 central banks in the United States, England, Japan, Canada and across the European Union, the Central Bank Counterfeit Deterrence Group.
Its broad adoption represents one of the rare occasions when the U.S. technology industry has quietly agreed to requests by government and finance officials to include third-party software code in commercial products. Most companies have never publicly revealed to customers they include such counterfeit protections in products.
Precisely how the technology works is a mystery. The U.S. government keeps its inner workings a closely guarded secret, arguing that disclosing too much information could help counterfeiters circumvent protections.
It also has declined to identify which companies have agreed to add the technology in their products, although Kodak, Xerox, Adobe Systems, Ulead Systems and Hewlett-Packard are among those known to use it. The European Union is considering a proposal to require all software companies to include such anti-counterfeit technology.
"We are very pleased with the amount of cooperation we've gotten," said Foster, who serves as U.S. representative to the international anti-counterfeit group. "Most (companies) have recognized that counterfeit currency is a threat to their customers and the public."
The Federal Reserve earlier this year denied a request and an appeal by The Associated Press under the U.S. Freedom of Information Act to learn some details about the system. The AP, which first revealed the program's existence in January, sought to learn whether the technology surreptitiously tracks consumers who try to copy bills, which U.S. agencies and private vendors built it, and how much it cost.
The reserve's board of governors told the AP it located a stack of papers 52 inches tall about the mysterious technology but agreed to release only 14 pages. It said the other documents represented trade secrets, internal letters or law enforcement procedures that couldn't be disclosed under the information act.
One document obtained by the AP, a 1998 U.S. government business solicitation, mandated that "any color printer must include a tracing system that encodes system identification in any output. This will tie the output to the originating equipment so that forensic identification of the equipment is possible in the event of illegal printing of currency images due to failure or circumvention of the recognition system(s)...."
Other papers turned over to the AP said the anti-counterfeit technology "does not have the capacity to track the use of a personal computer or digital imaging tool."
Foster also said the technology doesn't trace attempts to copy bills.
"The only thing this system does is prevent someone from making a copy of a currency note," she said. "It does not trace or report back any information about the individual."
Foster said the counterfeit protections built into consumer products recognize only the newly redesigned $20 and $50 bills, but upcoming changes to other currencies also will be expected to trigger the system.
Vernon Frazee--I add your experience to the list of successful installations. So now it is you and 104456 with successful substitutions and DuaneB with a likely unsuccessful substitution of the new gdiplus.dll file from MS in Third Party programs.
I would hope more people would reply.
Still no word from Microsoft Windows Update.
ttodd
October 4th, 2004, 11:01 PM
All of this makes me wonder if I should stick with my ME Windows platform and wait for MS Longhorn in 2006 ??
I mean XP was the system of choice for a lot of you, and I have been waiting for the day when I feel comfortable to make the switch.
There isn't a week that goes by in the past 6 months when another security risk of XP is divulged. I never heard this much bad publicity since ME Windows was only on the market for less than a year. I have been using ME Windows since Oct 2000 and have never had a serious virus, only had to format once and that was on my own accord to free up a lot of HD space.
But 97% of PC users are Windows and the Mac which is supposed to be invulnerable to all of these viruses still sits in the wings..
:D
SuperSparks
October 5th, 2004, 01:40 PM
It's the old story unfortunately, it isn't that XP is any less secure, in fact it's the most secure version of Windows. But anyone who's writing malware is going to target the biggest audience, and that is Windows XP. With ME you are getting "security through obscurity" in that nobody much bothers to target it, and it's just the same with the Mac.
LotusAstra
October 5th, 2004, 02:15 PM
So far, there hasn't been a single Hotfix for XP SP2, whilst previous versions of XP have had 2 in that same period of time.
Don't know how much longer it'll stay update free for, but so far so good. We'll see what happens on the 12 Oct...
Now I know that other Windows components have had updates (.NET Framework 1.1 SP1 & Windows Script 5.6), also this GDI related stuff that seems to affect quite a few 3rd party applications like Office and some Photo Programs etc... But at least the OS (and browser) itself has managed to stay all clear for once.