GDI+ JPEG exploit worse than first thought

Thread: GDI+ JPEG exploit worse than first thought

  1. #1
    Join Date
    Feb 2000
    Location
    26.03°N 80.14°W
    Posts
    9,410

    GDI+ JPEG exploit worse than first thought

    Finjan Software has exposed a new dangerous exploit that significantly increases the damage potential of the so-called "JPEG vulnerability" which was published by Microsoft on September 16, 2004 (Microsoft’s security bulletin MS04-028).

    An attacker can remotely take over a user’s PC by simply having the user browse a web page that contains a malformed image file using Internet Explorer. The previous vulnerability did not expose Internet Explorer to this attack.

    As previously reported, Microsoft’s GDI+ JPEG decoder DLL file (gdiplus.dll) contains a vulnerability that allows an attacker to execute arbitrary code remotely on Windows operating systems. In order to be attacked, though, the user had to obtain the contaminated image file by means of Email, or to otherwise save it to the local disk, and then view the image by one of the vulnerable Microsoft software products.

    In other words, the previous vulnerability required some degree of "social engineering" to make the user perform an operation which triggers the attack. Conversely, this new vulnerability affects any Internet Explorer user who merely browses a malicious page.

    Note that this same vulnerability affects JPEG image files even if they have been renamed with the following file extensions:
    • .bmp
    • .dib
    • .emf
    • .gif
    • .ico
    • .jfif
    • .jpe
    • .jpeg
    • .jpg
    • .png
    • .rle
    • .tif
    • .tiff
    • .wmf
    More info:
    Vernon Frazee, Microsoft MVP (Windows - Shell/User)

    Defenses Up!
    Tip: When prompted for a password, give an incorrect one first. A phishing site will accept it; a legitimate one won't.


    Inside Spyware: A Guide to Finding, Removing and Preventing Online Pests


    If you don't keep up with security fixes, your computer|network won't be yours for long.

  2. #2
    Join Date
    Oct 2002
    Location
    Cheshire UK
    Posts
    10,060
    Makes one wonder if it would be better for MS not to tell people what the patches are for in the first place to help prevent after patch exploits.

  3. #3
    Join Date
    Feb 2000
    Location
    26.03°N 80.14°W
    Posts
    9,410
    True, but I doubt they'd get away with it for long.

  4. #4
    Join Date
    Feb 2000
    Location
    26.03°N 80.14°W
    Posts
    9,410
    Source, vnunet.com: First sign of malicious code exploiting Windows Jpeg security flaw
    Online newsgroups have found infection in pictures posted for download
    Sarah Arnott, Computing 29 Sep 2004

    The first malicious code to exploit security flaws in Microsoft Windows' handling of jpeg image files has appeared on internet newsgroups.

    The trojan is embedded in Jpegs that, once downloaded and viewed, allow hackers to gain control of the user's PC.

    Microsoft acknowledged the vulnerability and issued a security patch earlier this month but at the time no viruses exploiting the flaw had been seen.

    Online newsgroup access provider Easynews found the trojan code in pictures posted to its site earlier this week.

    The current situation poses little risk of a major virus attack because the code cannot replicate itself and spread.

    But a more serious way to exploit the flaw has also been posted on Bugtraq, a site that tracks and reports flaws in major software products. According to security software provider Finjan, the new method would allow the hacker to take over an end user's PC simply by having them browse a web page that contains the malformed image file using Internet Explorer.

  5. #5
    Join Date
    Aug 2000
    Location
    Hayward, CA, USA, EARTH
    Posts
    1,852
    :RANT ON:

    This is ridiculous. XP was BILLED (BY BILL) as being the most secure version of WinBLOW's ever, was it not?

    It is absolutely CRIMINAL that an out of the box brand new computer is capable of being DISABLED within a minute of being connected to a network.

    People are buying new PCs to 'fix' these innocuous problems in droves. I think this is more about PLANNED OBSOLESCENCE than responsible engineering. Just about every MS OS was eventually 'patched' into oblivious use.

    The new SP2 is turning good computers into DOGS that take longer to boot and run slower.

    It is time for SOMEONE to build an OS from the ground up that has real scruples (MS products are just repackaged IBM goods).

    MS shouldn't be praised for advancing the computer industry, it should be sued for all the damage it has caused.

    :RANT OFF:
    AsusA7N8X, AthlonXP2200
    gForce4600+ti & Audigy Platinum, FPS SOUND. AKA- The ultimate gaming machine (well it WAS three years ago anyway).

  6. #6
    Join Date
    Aug 2000
    Location
    Hayward, CA, USA, EARTH
    Posts
    1,852
    Gates takes wraps off Windows XP
    Published: October 25, 2001, 9:25 AM PDT
    By Jim Hu and Mike Ricciuti
    Staff Writer


    update NEW YORK--Microsoft on Thursday officially launched Windows XP, the newest version of its operating system and what could be the company's most important product in more than six years.

    The long-anticipated operating system, which Microsoft says improves performance, reliability and ease of use, is available at retail as of Thursday.

    Microsoft ushered in Windows XP with a lavish extravaganza in New York. Microsoft, chipmaker Intel and PC makers are expected to spend a combined total of more than $1 billion on marketing for Windows XP.

    Chairman and Chief Software Architect Bill Gates, accompanied by PC industry executives and New York Mayor Rudolph Giuliani, announced Windows XP at Times Square's Marriott Marquis Theatre.

    "Today is a great day for PC users and a great day for the PC industry," Gates said. "There's only one place to launch Windows XP, and that's right here in the heart of New York City," said Gates. Referring to the terrorist attacks of Sept. 11, Gates said: "New York is back and open for business."

    Giuliani said: "I want to thank Bill for doing this launch in New York City. It shows a tremendous amount of confidence in the city of New York."

    Former New York City Mayor Ed Koch, television personality Regis Philbin, Starbucks Chairman Howard Schultz, and Intel Chief Executive Craig Barrett took part in the launch. Microsoft also hired musician Sting to play a midday concert in New York's Bryant Park.

    Microsoft has a lot riding on XP's success: The operating system ushers in new features tied to Microsoft's long-term strategic plans for media player software, digital photo tools and online services. Many analysts said the new operating system was the most important release of Windows since Windows 95, the forerunner to Internet Explorer and other Internet connectivity features.

    Windows XP is also the first operating system to test key components of Microsoft's widely publicized .Net strategy to connect all of its products and properties, as well as the basic technologies behind it: .Net My Services, the overall software architecture for Microsoft services, and Passport, the mechanism designed to let consumers use all the services.

    "In many ways this (Windows XP) is a transition. This new term--XML Web services--you will be hearing more and more about that because Windows XP lays the foundation for that," Gates said.

    The company also launched Microsoft Plus for Windows XP, a bundle of add-on tools and features, such as voice recognition for Windows Media Player, and several audio enhancements. The software is estimated to cost $39.95 at retail.

    PC makers and software-application sellers are counting on Windows XP to revive sales in the slumping technology market.

    But, based on analyst estimates and comments from CNET News.com readers, XP may get off to a sluggish start.

    Research firm Gartner predicts that most consumers won't switch operating systems until they buy new PCs. Gartner predicted tepid initial sales, which would be in line with the lukewarm reception received by Windows Me and Windows 2000 last year.

    Dell Computer Chief Executive Michael Dell on Thursday said he expects consumer demand for personal computers to drive the company's sales higher in its fiscal fourth quarter.

    "We expect to increase our sales in the fourth quarter, and it's driven again--once again--by the consumer first," Dell said during a CEO roundtable at the Windows XP launch, Reuters reported.

    Computer makers started selling XP PCs Sept. 24.

    Gartner analysts Michael Silver and Charles Smulders say that even for the rest of this year, the $500 million hype campaign surrounding the launch of Microsoft's new operating system won't be enough to increase PC sales very much.

    Part of Microsoft's effort to fight piracy, product activation requires consumers to "lock" a copy of Windows XP to a particular PC by submitting information to Microsoft over the phone or the Internet. Many people are reluctant to use activation for privacy reasons.

    Not all the news is grim, however. Online retail giant Amazon.com reported that Windows XP had the most advance orders of any nongame software ever offered. The Home and Professional upgrade versions and add-on pack Plus! for Windows XP have taken the top three software sales slots since Oct. 1, Amazon reported.

    In order to spur XP sales, Microsoft, PNY and Symantec announced Thursday that consumers could get a free memory upgrade and antivirus software with the purchase of Windows XP Professional at any Best Buy, CompUSA, Office Depot or Staples store. Also, Microsoft, Kingston Technology and Network Associates announced that consumers would receive free memory when they purchase Windows XP Professional at all Office Max, Office Depot and Best Buy stores.

    What's new?
    Windows XP will come in two versions: Home and Professional. Although they appear identical, the Professional version offers more sophisticated networking, better security and support for multiple processors.

    Windows XP Home Edition will be available as an upgrade version for $99. The full version of the OS will cost $199. Windows XP Professional will cost $199 for the upgrade and $299 for the full version, according to Microsoft.

    Some other highlights of Windows XP:

    • Performance: XP derives its heritage from Windows NT/2000, which manages memory better than Windows 95, 98 or Me and runs multiple programs at the same time more easily. The new operating system is designed to be more crash resistant than previous versions of Windows.

    • Backward compatibility: A feature called Compatibility Mode installs or runs programs in a way that fools them into thinking they are working with Windows 95, 98, Me or 2000.

    • Better text: For those using LCD monitors—with either desktop or notebook PCs—ClearType technology offers substantially sharper text than any other Windows version and most other operating systems.

    • Multiple desktops: Unlike earlier Windows versions, XP allows several people—each with a custom desktop—to be signed in simultaneously on the same computer. Switching desktops takes a few seconds without disrupting activity. In a home with only one PC, mom can check her e-mail while the kids download MP3s.

    • Better drivers: XP enforces stricter guidelines for hardware makers writing device drivers, a move expected to improve stability.

    • Stronger security: Both versions of XP have firewalls offering basic protection when connected to the Internet. Professional includes more sophisticated security, such as file encryption and restricted access.

    • Digital imaging: Handling digital images will be much easier with XP than with earlier Windows versions. Microsoft also will provide digital images ordered over the Internet for an additional cost.

    http://news.com.com/2100-1001-274939.html?legacy=cnet

  7. #7
    Join Date
    Aug 2000
    Location
    Hayward, CA, USA, EARTH
    Posts
    1,852
    Oh, and an interesting phenomenon after installing Windows XP SP2.

    VNC is having problems connecting to certain computers. I found that if I connect to my SP2 computer (with VNC) from another computer, then I can use VNC to connect to that computer. I am using static routes on the network, so I think this has something to do with the routing table on the SP2 computer (or WINSOCK).

  8. #8
    Join Date
    Feb 2000
    Location
    26.03°N 80.14°W
    Posts
    9,410
    GDI+ JPEG Vulnerability: Info/FAQ/Fix
    http://discussions.virtualdr.com/sho...hreadid=173993

  9. #9
    Join Date
    Jul 2000
    Posts
    675
    Thanks for the "more info" links Vern.
    Interesting to find that "gdiplus.dll" is vulnerable.
    Although I'm running a non-affected OS & Browser, that file is installed on this system by Nero.
    I gather I'm going to need to install the update now anyway?
    I would also assume that if a re-install of Nero is ever required, I would probably need to re-apply the patch also?
    Nero is arguably one of the most popular burning programs going right now. I wonder how many people would be aware that a re-install of a particular software program may disable the update.
    I would suggest users locate that file to see which program installed it for future reference.
    Thanks again.

  10. #10
    Join Date
    Feb 2000
    Location
    26.03°N 80.14°W
    Posts
    9,410
    You're Welcome

    If gdiscan finds a vulnerable copy of gdiplus.dll on your PC, you need to visit the web site of the application, (indicated by the folder gdiplus.dll was found in), and see if there is an update available. If there is, download and install it and hope that fixes the problem. (Check by running gdiscan.exe again). If the problem still exists, then you should contact the software manufacturer and explain the situation.

    Another possible workaround would be to download the latest gdiplus.dll from Microsoft, available here:
    Download the file to a new folder named "c:\gdiplus" then run it and extract the files in it into the same folder. You should now have a gdiplus.dll file in your "c:\gdiplus" folder. Copy this DLL over the known exploitable one to replace it.

    Note that this approach may cause problems with your third-party software if the developers of that software added extra functionality into their copy of the gdiplus.dll. Therefore, please make a backup of the existing vulnerable gdiplus.dll before you try this method.

  11. #11
    Join Date
    Oct 2002
    Location
    Cheshire UK
    Posts
    10,060
    Interesting, Vernon. I wonder if software vendors like MS are going to release more updates for older software too, or rely on that old phrase "our latest version..........."

    Scanning...

    C:\Program Files\Microsoft Works\gdiplus.dll
    Version: 5.1.3079.3 <-- Vulnerable version [Works v 7]
    C:\Program Files\Norton SystemWorks\Password Manager\gdiplus.dll
    Version: 5.1.3097.0 <-- Vulnerable version [ NSW 2004]
    C:\Program Files\Symantec\Web Tools\GDIPlus.dll
    Version: 5.1.3097.0 <-- Vulnerable version [NSW 2004]

    Scan Complete.
    Last edited by 104456; September 30th, 2004 at 09:39 AM.
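
The concern raised in posts #9 to #11, that reinstalling an application can put a vulnerable gdiplus.dll back, can be checked by comparing two scanner runs. The following is an added example, not part of the original thread and not gdiscan's own code; it assumes the output format quoted in post #11, treats a version line without the "Vulnerable" marker as not flagged, and uses constructed sample scans with a placeholder version 9.9.9.9 and a hypothetical ExampleApp folder.

```python
import re
from typing import NamedTuple, Optional

class Copy(NamedTuple):
    path: str
    version: Optional[str]
    vulnerable: bool

PATH_RE = re.compile(r"^\s*([A-Za-z]:\\(?:.*\\)?gdiplus\.dll)\s*$", re.IGNORECASE)
VERSION_RE = re.compile(r"^\s*Version:\s*([0-9.]+)(.*)$", re.IGNORECASE)

def parse_scan(text):
    """Parse scanner output into {lowercased path: Copy}; Windows paths ignore case."""
    found, pending = {}, None
    for line in text.splitlines():
        p, v = PATH_RE.match(line), VERSION_RE.match(line)
        if p:
            if pending:  # previous path had no version line: fail closed, flag it
                found[pending.lower()] = Copy(pending, None, True)
            pending = p.group(1)
        elif v and pending:
            flagged = "vulnerable" in v.group(2).lower()
            found[pending.lower()] = Copy(pending, v.group(1), flagged)
            pending = None
    if pending:
        found[pending.lower()] = Copy(pending, None, True)
    return found

def compare(baseline, current):
    """Classify each copy in `current` against the earlier `baseline` scan."""
    report = {"regressed": [], "still_vulnerable": [], "new_vulnerable": [], "fixed": []}
    for key, copy in current.items():
        old = baseline.get(key)
        if copy.vulnerable:
            kind = ("new_vulnerable" if old is None else
                    "still_vulnerable" if old.vulnerable else "regressed")
            report[kind].append(copy.path)
        elif old is not None and old.vulnerable:
            report["fixed"].append(copy.path)
    return report

def owning_folder(path):
    """Folder the DLL sits in, which points to the application that shipped it."""
    return path.rsplit("\\", 1)[0]

# Constructed scan taken after replacing the DLLs; 9.9.9.9 is a placeholder version.
BASELINE = r"""Scanning...
C:\Program Files\Microsoft Works\gdiplus.dll
Version: 9.9.9.9
C:\Program Files\Symantec\Web Tools\GDIPlus.dll
Version: 9.9.9.9
"""
# Constructed later scan: one application reinstalled, one hypothetical app added.
CURRENT = r"""Scanning...
C:\Program Files\Microsoft Works\gdiplus.dll
Version: 5.1.3079.3 <-- Vulnerable version
C:\Program Files\Symantec\Web Tools\gdiplus.dll
Version: 9.9.9.9
C:\Program Files\ExampleApp\gdiplus.dll
Version: 5.1.3097.0 <-- Vulnerable version
"""

if __name__ == "__main__":
    print(compare(parse_scan(BASELINE), parse_scan(CURRENT)))
```
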

  12. #12
    Join Date
    Oct 2002
    Location
    Cheshire UK
    Posts
    10,060
    Just an added note: I've changed the noted vulnerabilities above in the log file with the corrected file posted by Vernon and all seems to be working so I'm one happy camper.

  13. #13
    Join Date
    Sep 2004
    Location
    christchurch, NZ
    Posts
    6

    jpeg exploit vicious and lethal

    I can't believe the damage that this vulnerability has caused me. At the point now where a complete reformat and clean installation is looking like my only option for regaining control of my system. Soooo don't want to do it as I study online and have everything including family pics etc on here.
    Is there any hope of getting my pc back??? I can't even reinstall my nortons so I currently have no antivirus protection.

  14. #14
    Join Date
    Feb 2000
    Location
    26.03°N 80.14°W
    Posts
    9,410

    Re: jpeg exploit vicious and lethal

    Originally posted by rogue_red
    At the point now where a complete reformat and clean installation is looking like my only option for regaining control of my system. ...
    Recommend trying this first:
    1. Create a new folder named C:\HijackThis
    2. Download HijackThis version 1.98.2 from http://www.majorgeeks.com/download3155.html and download it into your C:\HijackThis folder
    3. Extract the downloaded C:\HijackThis\hijackthis.zip file into C:\HijackThis
    4. Launch the C:\HijackThis\hijackthis.exe program and click "Scan"
    5. When it's done, click "Save Log" and save it as C:\HijackThis\hijackthis.log
    6. The saved log file will automatically come up in Notepad. Click "Edit|Select All" then "Edit|Copy"
    7. Start a new thread in our HijackThis Logfile forum: http://discussions.virtualdr.com/for...php?forumid=71
    8. Click once inside the Message box, then press [Ctrl-V] (or click Edit|Paste) to paste the contents of your hijackthis.log file into the message
    9. Add a Subject and any comments to your message and click "Submit New Thread"
    10. Hopefully one of our HijackThis Logfile experts will be along shortly to analyze your logfile and help you rid your PC of any malware

  15. #15
    Join Date
    Feb 2000
    Location
    26.03°N 80.14°W
    Posts
    9,410
    Originally posted by 104456
    I wonder if software vendors like MS are going to release more updates for older software too ...
    I'm sure at least part of that decision will be based on how old and/or popular the software is.
