MS04-028: F-Secure's Updated information on GDI+, JPEG vulnerabilities

Discussion in 'other security issues & news' started by the mul, Oct 6, 2004.

Thread Status:
Not open for further replies.
  1. the mul

    the mul Registered Member

    F-Secure, which provides excellent AV products, shares a good update on the gdiplus.dll vulnerabilities associated with malformed JPEGs. Their daily weblog is excellent (a must read for me every day) and today's entry is especially informative.

    F-Secure: Updated information on GDI+ JPG vulnerabilities
    http://www.f-secure.com/weblog/


    QUOTE
    Renewed notice on the GDI+ JPG vulnerability - (Oct 5th)

    We've posted another notice on the JPG vulnerability, trying to get people to patch before it's too late.

    http://www.f-secure.com/news/items/news_2004100500.shtml

    Couple of notices on this vulnerability:

    - Filtering files with .JPG extension won't protect you much. Bad JPGs can be renamed to .BMP or even .ICO and they still work fine

    - To update Word, Excel and other Office tools, most users need to visit officeupdate.microsoft.com - but keep your Office installation CD handy!

    - In some cases, Internet Explorer will run into the vulnerability before it has saved the offending JPG file to the IE cache folder - which means most workstation antivirus products won't have a chance to scan it before it's too late. Gateway-based antivirus scanners (like F-Secure Internet Gatekeeper) take care of this problem

    - However, exploiting Internet Explorer with this vulnerability seems to be particularly hard. Exploiting Windows XP's EXPLORER.EXE while viewing local JPG files is much easier and several toolkits to create JPGs like this exist. This reduces the likelihood of appearance of a massmailer worm using this vulnerability

    - Finally, if you scan JPGs with this exploit embedded in them, F-Secure Anti-virus will detect them

    For more, see our description.

    http://www.f-secure.com/v-descs/ms04-028.shtml

    THE MUL
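
The first notice quoted above says that filtering on the .JPG extension does not help, because a renamed file is still parsed as a JPEG. A filter therefore has to decide by content. The Python sketch below is an added example, not part of the original post and not F-Secure's scanner; the function name, finding labels and sample bytes are constructed for illustration. It identifies JPEG data by its start-of-image signature whatever the file is called, then walks the header segments and flags any length field below 2, which the JPEG format never allows because the field counts its own two bytes.

```python
import struct

JPEG_SOI = b"\xff\xd8"
JPEG_EXTS = (".jpg", ".jpeg", ".jpe", ".jfif")
# Markers with no length field: TEM, RST0-RST7, SOI, EOI
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))

def inspect_image(name: str, data: bytes) -> list[str]:
    """Return findings for one file, judged by content rather than by name."""
    findings = []
    if not data.startswith(JPEG_SOI):
        return findings                      # not JPEG content, nothing to say
    if not name.lower().endswith(JPEG_EXTS):
        findings.append("jpeg-content-under-other-extension")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            findings.append("bad-marker")
            break
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:                       # structurally invalid segment
            findings.append(f"segment-0x{marker:02X}-length-{length}")
            break
        if pos + 2 + length > len(data):
            findings.append("truncated-segment")
            break
        if marker == 0xDA:                   # SOS: compressed data follows
            break
        pos += 2 + length
    return findings

# Constructed samples: a minimal well-formed header and a malformed one.
GOOD = (JPEG_SOI + b"\xff\xe0" + struct.pack(">H", 16)
        + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\xff\xd9")
BAD = JPEG_SOI + b"\xff\xe0" + struct.pack(">H", 1) + b"\x00" * 4 + b"\xff\xd9"

if __name__ == "__main__":
    for fname, blob in [("photo.jpg", GOOD), ("icon.ico", GOOD), ("logo.bmp", BAD)]:
        print(fname, inspect_image(fname, blob))
```
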
     