Microsoft JPEG Hoax!

Discussion in 'Digital Photography' started by Guido Vollbeding, Sep 21, 2004.

  1. Hi

    Microsoft has recently started a campaign to update their software
    for an error in JPEG processing:
    Microsoft Security Bulletin MS04-028
    Buffer Overrun in JPEG Processing (GDI+)
    Could Allow Code Execution (833987):
    http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

    They claim that after the update their software is secure.
    However, this is WRONG!
    The reason is that they don't fix another fatal JPEG processing
    error in their software which is known for years and which can
    be reproduced by trying to open the following image file with
    Microsoft Explorer or other software:

    http://sylvana.net/test/AP4.jpg

    Opening this image file with faulty JPEG software can crash the
    application or even the system!
    The error was solved in 1998 with release 6b of the Independent
    JPEG Group software, but there are still many applications in
    use, like Microsoft's Internet Explorer, which haven't been
    updated and thus crash with this error.
    Software based on IJG's v6b JPEG software library, which
    is available since 1998, is not affected by this problem.

    Regards
    Guido
     
    Guido Vollbeding, Sep 21, 2004
    #1

  2. "Guido Vollbeding" <> wrote in message
    news:...
    SNIP
    >http://sylvana.net/test/AP4.jpg
    >
    > Opening this image file with faulty JPEG software can crash the
    > application or even the system!


    It doesn't crash my Windows Internet Explorer (after the patch on XP
    Pro).

    Bart
     
    Bart van der Wolf, Sep 21, 2004
    #2

  3. Bart van der Wolf wrote:
    >
    > >http://sylvana.net/test/AP4.jpg
    > >
    > > Opening this image file with faulty JPEG software can crash the
    > > application or even the system!

    >
    > It doesn't crash my Windows Internet Explorer (after the patch on XP
    > Pro).


    Bart,
    may I say that it doesn't surprise me to see such response from
    someone like you ?;-)

    Regards
    Guido
     
    Guido Vollbeding, Sep 21, 2004
    #3
  4. Guido Vollbeding

    Don F Guest

    "Guido Vollbeding" <> wrote in message news:...
    > Hi
    > Microsoft has recently started a campaign to update their software
    > for an error in JPEG processing:
    > Microsoft Security Bulletin MS04-028
    > Buffer Overrun in JPEG Processing (GDI+)
    > Could Allow Code Execution (833987):
    > http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
    >
    > They claim that after the update their software is secure.
    > However, this is WRONG!
    > The reason is that they don't fix another fatal JPEG processing
    > error in their software which is known for years and which can
    > be reproduced by trying to open the following image file with
    > Microsoft Explorer or other software:
    >
    > http://sylvana.net/test/AP4.jpg
    >
    > Opening this image file with faulty JPEG software can crash the
    > application or even the system!
    > The error was solved in 1998 with release 6b of the Independent
    > JPEG Group software, but there are still many applications in
    > use, like Microsoft's Internet Explorer, which haven't been
    > updated and thus crash with this error.
    > Software based on IJG's v6b JPEG software library, which
    > is available since 1998, is not affected by this problem.
    >
    > Regards
    > Guido

    --------
    I just tried opening the test jpg and received the following message:
    "Internet Explorer has encountered a problem and needs to close. We are sorry for the inconvenience."

    Only the message ... no shutdown ... no crash. I also use Win Pro. Could the problem be OS dependent?

    Don F
     
    Don F, Sep 21, 2004
    #4
  5. "Guido Vollbeding" <> wrote in message
    news:...
    > Bart van der Wolf wrote:
    > >
    > > >http://sylvana.net/test/AP4.jpg
    > > >
    > > > Opening this image file with faulty JPEG software can crash the
    > > > application or even the system!

    > >
    > > It doesn't crash my Windows Internet Explorer (after the patch on XP
    > > Pro).

    >
    > Bart,
    > may I say that it doesn't surprise me to see such response from
    > someone like you ?;-)


    Of course you may, but it doesn't change the fact that the patch
    solved what you said would happen despite the patch.

    Bart
     
    Bart van der Wolf, Sep 22, 2004
    #5
  6. Hi Don

    > I just tried opening the test jpg and received the following
    > message:
    >
    > "Internet Explorer has encountered a problem and needs to close. We
    > are sorry for the inconvenience."
    >
    > Only the message ... no shutdown ... no crash. I also use Win
    > Pro. Could the problem be OS dependent?


    Yes, of course.
    But closing a program is indeed an inconvenience, isn't it?

    I just want to sharpen your attention, and don't fall for hoaxes.
    Do NOT believe that such "inconvenience" will be solved with
    Microsoft's current update, as they make believe.

    Regards
    Guido
     
    Guido Vollbeding, Sep 22, 2004
    #6
  7. Guido Vollbeding

    Bob Guest

    On Tue, 21 Sep 2004 16:16:35 +0200, Guido Vollbeding <> wrote:

    >Hi
    >
    >Microsoft has recently started a campaign to update their software
    >for an error in JPEG processing:
    > Microsoft Security Bulletin MS04-028
    > Buffer Overrun in JPEG Processing (GDI+)
    > Could Allow Code Execution (833987):
    > http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
    >
    >They claim that after the update their software is secure.
    >However, this is WRONG!
    >The reason is that they don't fix another fatal JPEG processing
    >error in their software which is known for years and which can
    >be reproduced by trying to open the following image file with
    >Microsoft Explorer or other software:
    >
    > http://sylvana.net/test/AP4.jpg
    >
    >Opening this image file with faulty JPEG software can crash the
    >application or even the system!
    >The error was solved in 1998 with release 6b of the Independent
    >JPEG Group software, but there are still many applications in
    >use, like Microsoft's Internet Explorer, which haven't been
    >updated and thus crash with this error.
    >Software based on IJG's v6b JPEG software library, which
    >is available since 1998, is not affected by this problem.
    >
    >Regards
    >Guido


    Thanks for the info..

    BTW do you know why windows can't show some jpegs in the 'thumbnail view' in
    windows explorer??
     
    Bob, Sep 22, 2004
    #7
  8. Guido Vollbeding

    Frank ess Guest

    Don F wrote:

    <snip>

    > --------
    > I just tried opening the test jpg and received the following
    > message:
    > "Internet Explorer has encountered a problem and needs to close. We
    > are sorry for the inconvenience."
    >
    > Only the message ... no shutdown ... no crash. I also use Win
    > Pro. Could the problem be OS dependent?
    >


    When MSIE6 saw the test image it gave that message and asked for
    information, please. Once the information had been transmitted, MSIE
    closed.

    When Opera6 saw it, it opened and displayed with no comment or problem.

    Both in WinXP Home with all patches up to but not including the Massive
    Patch 2.

    --
    Frank ess
     
    Frank ess, Sep 22, 2004
    #8
  9. Guido Vollbeding

    dj_nme Guest

    Frank ess wrote:
    > Don F wrote:
    >
    > <snip>
    >
    >>--------
    >> I just tried opening the test jpg and received the following
    >>message:
    >>"Internet Explorer has encountered a problem and needs to close. We
    >>are sorry for the inconvenience."
    >>
    >> Only the message ... no shutdown ... no crash. I also use Win
    >>Pro. Could the problem be OS dependent?
    >>

    >
    >
    > When MSIE6 saw the test image it gave that message and asked for
    > information, please. Once the information had been transmitted, MSIE
    > closed.
    >
    > When Opera6 saw it, it opened and displayed with no comment or problem.
    >
    > Both in WinXP Home with all patches up to but not including the Massive
    > Patch 2.
    >
    > --
    > Frank ess


    It seems to be totally browser dependent.
    I have IE 4.0 and Mozilla 1.7a on Win98SE.
    IE shows an error (with the option of "close" or "details").
    Mozilla just shows the pic of the smiling woman with no problems.
     
    dj_nme, Sep 22, 2004
    #9
  10. Guido Vollbeding

    Jeff M. Guest

    no wonder IE crashes, that bitch is fuckin ugly!!
     
    Jeff M., Sep 22, 2004
    #10
  11. Guido Vollbeding

    Jer Guest

    Guido Vollbeding wrote:

    > Hi
    >
    > Microsoft has recently started a campaign to update their software
    > for an error in JPEG processing:
    > Microsoft Security Bulletin MS04-028
    > Buffer Overrun in JPEG Processing (GDI+)
    > Could Allow Code Execution (833987):
    > http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
    >
    > They claim that after the update their software is secure.
    > However, this is WRONG!
    > The reason is that they don't fix another fatal JPEG processing
    > error in their software which is known for years and which can
    > be reproduced by trying to open the following image file with
    > Microsoft Explorer or other software:
    >
    > http://sylvana.net/test/AP4.jpg
    >
    > Opening this image file with faulty JPEG software can crash the
    > application or even the system!
    > The error was solved in 1998 with release 6b of the Independent
    > JPEG Group software, but there are still many applications in
    > use, like Microsoft's Internet Explorer, which haven't been
    > updated and thus crash with this error.
    > Software based on IJG's v6b JPEG software library, which
    > is available since 1998, is not affected by this problem.
    >
    > Regards
    > Guido


    On WinXP SP1, Nutscrape 7.2 okay, MS Internet Exploder 6.0 exploded.

    --
    jer email reply - I am not a 'ten'
    "All that we do is touched with ocean, yet we remain on the shore of
    what we know." -- Richard Wilbur
     
    Jer, Sep 22, 2004
    #11
  12. Bob wrote:
    >
    > BTW do you know why windows can't show some jpegs in the 'thumbnail view'
    > in windows explorer??


    No, sorry, I don't know all the mysteries of windows...

    Regards
    Guido
     
    Guido Vollbeding, Sep 22, 2004
    #12
  13. "Bob" <> wrote in message
    news:...
    SNIP
    > BTW do you know why windows can't show some jpegs in
    > the 'thumbnail view' in windows explorer??


    Can you find some common denominator for those files?
    Maybe they all originate from the same application, or were saved with
    special settings?

    Bart
     
    Bart van der Wolf, Sep 22, 2004
    #13
  14. "Jer" <> wrote in message
    news:ciqun2$...
    SNIP
    > On WinXP SP1, Nutscrape 7.2 okay, MS Internet Exploder 6.0 exploded.


    Before AND after the patch?

    On my system (XP Pro SP1), the patch solved the issue of shutting
    down.
    MS IE version 6.0.2800.1106.xpsp2.030422-1633.

    Bart
     
    Bart van der Wolf, Sep 22, 2004
    #14
  15. Guido Vollbeding

    John Bean Guest

    On Wed, 22 Sep 2004 12:03:37 +0200, Bart van der Wolf wrote:

    > "Jer" <> wrote in message
    > news:ciqun2$...
    > SNIP
    >> On WinXP SP1, Nutscrape 7.2 okay, MS Internet Exploder 6.0 exploded.

    >
    > Before AND after the patch?
    >
    > On my system (XP Pro SP1), the patch solved the issue of shutting
    > down.
    > MS IE version 6.0.2800.1106.xpsp2.030422-1633.


    It also explodes on mine, XP Pro with SP2 and latest patches. IE reports
    version 6.0.2900.2180.

    --
    John Bean

    I'm not confused, I'm well mixed (Robert Frost)
     
    John Bean, Sep 22, 2004
    #15
  16. "John Bean" <> wrote in message
    news:1frlt3som6m9m$...
    > On Wed, 22 Sep 2004 12:03:37 +0200, Bart van der Wolf wrote:

    SNIP
    > It also explodes on mine, XP Pro with SP2 and latest patches. IE reports
    > version 6.0.2900.2180.


    Then maybe it is related to some other option settings, e.g. MS
    Virtual Machine (just guessing, because I use Sun Java instead of
    Microsoft's poor version of it). Anyway, whatever the reason, since the
    patch (yesterday) Guido's example doesn't shut down my Browser, which
    it did before the patch. So the patch seems to work, but perhaps
    something else is broken?

    Bart
     
    Bart van der Wolf, Sep 22, 2004
    #16
  17. Guido Vollbeding

    Mark Roberts Guest

    "Bart van der Wolf" <> wrote:

    >"Jer" <> wrote in message
    >news:ciqun2$...
    >SNIP
    >> On WinXP SP1, Nutscrape 7.2 okay, MS Internet Exploder 6.0 exploded.

    >
    >Before AND after the patch?
    >
    >On my system (XP Pro SP1), the patch solved the issue of shutting
    >down.


    As I understand it, the new JPEG patch isn't *supposed* to solve this
    shutdown issue (which is really just an inconvenience) but rather fix
    a problem which would allow a JPEG to *run an executable* file, a
    potentially serious problem.

    In other words, don't complain that the patch fails to address a minor
    problem which it isn't *intended* to address when it does fix the
    major problem it *is* supposed to fix.
     
    Mark Roberts, Sep 22, 2004
    #17
  18. Mark Roberts wrote:
    >
    > As I understand it, the new JPEG patch isn't *supposed* to solve this
    > shutdown issue (which is really just an inconvenience) but rather fix
    > a problem which would allow a JPEG to *run an executable* file, a
    > potentially serious problem.


    No, both problems are "Buffer Overrun" problems, a rather generic
    source for potential security attack exploits.

    > In other words, don't complain that the patch fails to address a minor
    > problem which it isn't *intended* to address when it does fix the
    > major problem it *is* supposed to fix.


    Dream on. Microsoft fixes a rather trivial problem, but fails to
    fix a deeper problem with similar effect (major "Buffer Overrun").
    Both problems can be exploited for security attacks.

    Regards
    Guido
     
    Guido Vollbeding, Sep 22, 2004
    #18
  19. Guido Vollbeding

    Bruce Murphy Guest

    Guido Vollbeding <> writes:

    > Mark Roberts wrote:
    > >
    > > As I understand it, the new JPEG patch isn't *supposed* to solve this
    > > shutdown issue (which is really just an inconvenience) but rather fix
    > > a problem which would allow a JPEG to *run an executable* file, a
    > > potentially serious problem.

    >
    > No, both problems are "Buffer Overrun" problems, a rather generic
    > source for potential security attack exploits.


    And generic handwaving like this tends to make you incorrect.

    > > In other words, don't complain that the patch fails to address a minor
    > > problem which it isn't *intended* to address when it does fix the
    > > major problem it *is* supposed to fix.

    >
    > Dream on. Microsoft fixes a rather trivial problem, but fails to
    > fix a deeper problem with similar effect (major "Buffer Overrun").
    > Both problems can be exploited for security attacks.


    That's not necessarily true. Not all buffer overruns are exploitable,
    and not all bugs are buffer overruns. Do you have any specific
    information about the bug you're triggering being a naive buffer
    overflow about its vulnerability?

    B>
     
    Bruce Murphy, Sep 22, 2004
    #19
  20. Guido Vollbeding

    dj_nme Guest

    Bob wrote:

    >
    > BTW do you know why windows can't show some jpegs in the 'thumbnail view' in
    > windows explorer??
    >


    Perhaps it can't deal with folder or file names with spaces in them.
    Just my guess.
     
    dj_nme, Sep 22, 2004
    #20