[ISN] [Vmyths.com ALERT] Hysteria predicted for 'JPEG Processor' vulnerability

InfoSec News isn at c4i.org
Thu Sep 16 06:12:49 EDT 2004


Forwarded from: Vmyths.com Virus Hysteria Alert <vmyths_news at vmyths.com>

Vmyths.com Virus Hysteria Alert
Truth About Computer Security Hysteria
{15 September 2004, 01:55 CT}


CATEGORIES: (1) Misconceptions about a real computer security threat
            (2) A historical perspective on recent hysteria

Microsoft has issued a "critical" alert regarding a "buffer overrun"
in software it uses to display JPEG images.  In theory, if you try to
view a specially crafted JPEG file, it could take over your computer
and do whatever it wishes.  Microsoft has released a security patch to
fix this buffer overrun.  Vmyths urges you to download the patch,
install it, and get on with your life.

   Buffer Overrun in JPEG Processing Could Allow Code Execution:
      http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

Vmyths believes media outlets will POUNCE on this story, because (a)
Microsoft announced a "critical" vulnerability in the way its software
reads an ubiquitous file type, and (b) computer emergency response
teams have issued their own alerts.  Watch for breathless speculation
and hysteria in the coming days.  Some naïve system administrators may
tell reporters they'll delete JPEG files from emails and refuse to let
web browsers display JPEG files, "strictly as a precaution."  (We
don't expect anyone will implement this Draconian measure for very
long.  We believe too many users will clamor against it.)

   Remember this when virus hysteria strikes:
      http://Vmyths.com/resource.cfm?id=31&page=1

Microsoft's "JPEG Processor" vulnerability manifests itself as a
buffer overrun in a piece of software.  It is NOT caused by the JPEG
file format itself.  Buffer overruns are extremely common: you'll find
them in almost every large software application (even antivirus
software).  They can create situations where even a filename itself
can wreak havoc.  By definition, every buffer overrun will eventually
join its brothers in the land of obscurity.

   Buffer overruns in antivirus software:
      http://zdnet.com.com/2100-11-515441.html

The "Code Red" worms successfully exploited a buffer overrun in 2001,
and Vmyths believes some reporters will allude to this -- as if to
imply a horrific JPEG attack may be just around the corner.  Buffer
overruns are extremely common, yet they only rarely ever get
exploited.  Researcher Georgi Guninski, for example, publishes "proof
of concept" exploits for many of the "critical" buffer overruns he
finds.  Guninski's exploits have never made a splash despite his best
efforts.


A little history -- this isn't the first time an image file format has
come under fire.  An April Fool's joke targeted JPEG files a decade
ago:

   1994 April Fool "JPEG virus" alert:
      http://www.2meta.com/april-fools/1994/JPEG-Virus.html

In 2001, researchers claimed a specially crafted GIF file could be
used to cause a buffer overrun in Microsoft Outlook.  It was purely a
coincidence that a GIF file could exploit this threat.

In 2002, the "Perrun" virus added software to the computers it
infected, then it modified the Windows registry so future viruses
could "ride" inside a JPEG file.  The virus writer could have chosen
to do the same thing with GIF files or even TEXT files.  Antivirus
vendor Sophos urged restraint over the Perrun virus, saying "some
anti-virus vendors may be tempted to predict the end of the world as
we know it, or warn of an impending era when all graphic files should
be treated with suspicion.  Such experts should be ashamed of
themselves."

   McAfee gets slapped in 2002 for "JPEG virus" alert:
      http://www.sophos.com/virusinfo/articles/perrun.html


Vmyths suspects a hoax virus alert will arise with instructions to
delete the JPEG registered file type in Windows.  (It's practically a
self-fulfilling prophesy.)  Such a hoax will play on the user's
misconception of the threat.  Don't take unsolicited advice from
people who are NOT experts.  Users will self-damage their operating
systems if they delete the JPEG registered file type.

   False Authority Syndrome
      http://Vmyths.com/fas/fas1.cfm

Stay calm.  Stay reasoned.  And stay tuned to Vmyths.

Rob Rosenberger, editor
http://Vmyths.com
Rob at Vmyths.com
(319) 646-2800

Acknowledgements:
   Phone call from Kevin Poulsen, SecurityFocus

CATEGORIES: (1) Misconceptions about a real computer security threat
            (2) A historical perspective on recent hysteria

--------------- Useful links ------------------

Common clichés in the antivirus world
http://Vmyths.com/resource.cfm?id=22&page=1





More information about the ISN mailing list