Computer Security - Poison pics show up online: Another MS problem.

 
Old 10-01-2004, 05:48 PM   #1
Default Poison pics show up online: Another MS problem.


"Viewing jpegs could soon be a risky business
The first images crafted to contain a malicious program that can take
control of a PC have been found on the net.

Security experts have been expecting such images to turn up after
Microsoft revealed a weakness in the way Windows handles the popular
Jpeg format.

Soon after this discovery, a program started circulating online that
was written to exploit this bug.

The poisoned images were posted to a porn newsgroup at the weekend and
were found by Usenet provider Easynews. "

Visit:

http://news.bbc.co.uk/2/hi/technology/3701640.stm

for the full horrifying story.

Bill
..
++++ Student Priorities ++++

Is it true that nym.alias.net is run on a university computer at MIT...
By students who don't give a flying **** if it works or not
because its operation and reliability does not affect their
grades and doesn't get them any free beer or tight pussy?


John
Old 10-01-2004, 11:19 PM   #2
John E. Carty
 
Posts: n/a
Default Re: Poison pics show up online: Another MS problem.
Not a problem if you're running SP2 and have the MS Office updates in place


"John" <> wrote in message
news:...
> "Viewing jpegs could soon be a risky business
> The first images crafted to contain a malicious program that can take
> control of a PC have been found on the net.
>
> Security experts have been expecting such images to turn up after
> Microsoft revealed a weakness in the way Windows handles the popular
> Jpeg format.
>
> Soon after this discovery, a program started circulating online that
> was written to exploit this bug.
>
> The poisoned images were posted to a porn newsgroup at the weekend and
> were found by Usenet provider Easynews. "
>
> Visit:
>
> http://news.bbc.co.uk/2/hi/technology/3701640.stm
>
> for the full horrifying story.
>
> Bill
> .
> ++++ Student Priorities ++++
>
> Is it true that nym.alias.net is run on a university computer at MIT...
> By students who don't give a flying **** if it works or not
> because its operation and reliability does not affect their
> grades and doesn't get them any free beer or tight pussy?





John E. Carty
Old 10-02-2004, 03:07 AM   #3
Quaoar
 
Posts: n/a
Default Re: Poison pics show up online: Another MS problem.
John E. Carty wrote:
> Not a problem if you're running SP2 and have the MS Office updates in
> place
>
> "John" <> wrote in message
> news:...
>> "Viewing jpegs could soon be a risky business
>> The first images crafted to contain a malicious program that can take
>> control of a PC have been found on the net.
>>
>> Security experts have been expecting such images to turn up after
>> Microsoft revealed a weakness in the way Windows handles the popular
>> Jpeg format.
>>
>> Soon after this discovery, a program started circulating online that
>> was written to exploit this bug.
>>
>> The poisoned images were posted to a porn newsgroup at the weekend
>> and were found by Usenet provider Easynews. "
>>
>> Visit:
>>
>> http://news.bbc.co.uk/2/hi/technology/3701640.stm
>>
>> for the full horrifying story.
>>
>> Bill
>> .
>> ++++ Student Priorities ++++
>>
>> Is it true that nym.alias.net is run on a university computer at
>> MIT... By students who don't give a flying **** if it works or not
>> because its operation and reliability does not affect their
>> grades and doesn't get them any free beer or tight pussy?


Not correct. The affected .dlls are installed in parallel by many
applications and the unwary *will* eventually be attacked even if XP SP2
and Office are updated.

To verify this for yourself, Google for gdiscan.exe (since I do not have
the link handy). Run it on your seemingly protected system and report
the results.

Q




Quaoar
Old 10-05-2004, 03:53 PM   #4
Locke Nash Cole
 
Posts: n/a
Default Re: Poison pics show up online: Another MS problem.
Let me start by saying thanks to Q for mentioning the GDIScan tool, for the
record the official site for it is:

http://isc.sans.org/gdiscan.php

I'm always up to date on patches etc, being an IT admin and it found one
application I didn't even know used GDI+...

Scanning Drive F:...
F:\Jasc Software Inc\Paint Shop Pro 9\gdiplus.dll
Version: 5.1.3097.0 <-- Vulnerable version
F:\Microsoft\Office\OFFICE11\GDIPLUS.DLL
Version: 6.0.3264.0

Microsoft's GDI Detection tool is ****, they should find a way to seamlessly
patch all affected versions at the OS level.. you could be entirely patched
then install something like Jasc's Paint Shop Pro months later and re-open
this hole, and of course Windows Update would not even know about it. There
has been a virus writers' "toolkit" already released to write malformed
jpegs to exploit this hole too. Don't think you're secure, you're never secure
with MS

-L




Locke Nash Cole
Old 10-07-2004, 04:51 AM   #5
Quaoar
 
Posts: n/a
Default Re: Poison pics show up online: Another MS problem.
Locke Nash Cole wrote:
> Let me start by saying thanks to Q for mentioning the GDIScan tool,
> for the record the official site for it is:
>
> http://isc.sans.org/gdiscan.php
>
> I'm always up to date on patches etc, being an IT admin and it found
> one application I didn't even know used GDI+...
>
> Scanning Drive F:...
> F:\Jasc Software Inc\Paint Shop Pro 9\gdiplus.dll
> Version: 5.1.3097.0 <-- Vulnerable version
> F:\Microsoft\Office\OFFICE11\GDIPLUS.DLL
> Version: 6.0.3264.0
>
> Microsoft's GDI Detection tool is ****, they should find a way to
> seamlessly patch all affected versions at the OS level.. you could be
> entirely patched then install something like Jasc's Paint Shop Pro
> months later and re-open this hole, and of course Windows Update
> would not even know about it. There has been a virus writers'
> "toolkit" already released to write malformed jpegs to exploit this
> hole too. Don't think you're secure, you're never secure with MS
>
> -L


I was also questioning why the MS patch could not be applied to the
entire array of affected dlls since these are generally called from the
Windows API. The calls to the dlls should be able to be preserved while
taking care of the vulnerability so the application wouldn't know the
difference.

Q




Quaoar
Old 10-09-2004, 02:15 PM   #6
\Crash\ Dummy
 
Posts: n/a
Default Re: Poison pics show up online: Another MS problem.
>I was also questioning why the MS patch could not be applied to the
>entire array of affected dlls since these are generally called from the
>Windows API. The calls to the dlls should be able to be preserved while
>taking care of the vulnerability so the application wouldn't know the
>difference.


Apparently they aren't called from the Windows API. I only have one copy of
gdiplus.dll on my W2K machine, and it was supplied with a third party
application and stored in the application's folder.
--
Dave "Crash" Dummy - A weapon of mass destruction
?subject=Techtalk (Do not alter!)
http://lists.gpick.com




\Crash\ Dummy
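
Added example (not part of the thread, and not the GDIScan tool): a minimal Python inventory of the private gdiplus.dll copies that posts #4 and #6 describe, which sit in application folders where an OS-level patch does not reach. It reads each file's version by searching for the VS_FIXEDFILEINFO signature, a heuristic rather than a full resource parse, and its vulnerable list holds only the one version post #4's output marks as vulnerable; the names scan, file_version and KNOWN_VULNERABLE are this example's own.

```python
import os
import struct

# VS_FIXEDFILEINFO begins with dwSignature 0xFEEF04BD (little-endian on disk).
# Searching for it is a heuristic; a full parser would walk the PE resources.
SIGNATURE = struct.pack("<I", 0xFEEF04BD)

# Assumption: only the version the thread's scan output flags is listed here.
# Extend this set from the vendor bulletin before relying on the result.
KNOWN_VULNERABLE = {(5, 1, 3097, 0)}


def file_version(data):
    """Return the (major, minor, build, revision) file version, or None."""
    pos = data.find(SIGNATURE)
    if pos < 0 or pos + 16 > len(data):
        return None
    # Layout: dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS
    _, _, ms, ls = struct.unpack_from("<IIII", data, pos)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def scan(root, vulnerable=KNOWN_VULNERABLE):
    """Yield (path, version, status) for every gdiplus.dll under root."""
    for folder, _, names in os.walk(root):
        for name in names:
            if name.lower() != "gdiplus.dll":   # on-disk case varies
                continue
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    version = file_version(fh.read())
            except OSError:
                yield path, None, "unreadable"
                continue
            if version is None:
                status = "no version resource"
            elif version in vulnerable:
                status = "VULNERABLE"
            else:
                status = "not on vulnerable list"
            yield path, version, status


if __name__ == "__main__":
    import sys
    for path, version, status in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        shown = ".".join(map(str, version)) if version else "?"
        print(f"{path}\n  Version: {shown}  [{status}]")
```

Run it against each drive or application root after installing new software, since a later install can add another private copy.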