Newest Microsoft Hole Ripe for Attack: Patch Now!
Posted by Andrew Brandt | Saturday, September 18, 2004 9:59 AM PT
Last week, Microsoft posted a notice about a new kind of vulnerability in Windows machines. The MS04-028 announcement states that merely opening a JPEG image (one that had been tinkered with by a hacker, of course) could permit your computer to be taken over.
We've seen this before (well, not exactly this)--a patch comes out, and then it takes an enterprising, fairly skilled malicious programmer a few days or weeks to figure out a way to take advantage of the millions of machines that won't yet have been patched.
In this case, our friends over at the Internet Storm Center say that, three days after the patch came out, they've already seen two examples of proof-of-concept programs that could actually take advantage of this hole.
In the words of Marcus H. Sachs, one of the volunteers at the ISC, "Working exploit code is probably going to find its way into the public domain within a few days or a week. Then it's up to the whims of somebody or some group to build and launch a malware attack using the newly developed exploits. Crystal ball says to look for a worm or mass-mailer by the end of September."
The bug requires you to patch not only Windows (apparently Windows XP SP2 is unaffected), but any applications that can display JPEG images. That includes:
* Your office applications suite (including all versions of Microsoft Office).
* Your browser (Mozilla has some problems of its own).
* Any image-editing program you might use, including Photoshop or PaintShop Pro.
* Image management software (such as ACDSee).
* RSS reader software.
It will be time-consuming to patch all those applications, and it's possible you'll miss a few along the way, so it's probably best to get started patching now, before there's a worm or virus that takes advantage of this bug.
The GDI+ detection tool that Microsoft has released only detects Microsoft products, however.
But the majority of people have non-Microsoft software that handles JPEG images, so this could spell disaster for the entire connected world in weeks to come...
Unless of course everybody releases a patch for his/her particular software that fixes this hole, but that's going to take a lot of time and effort...
Hey, I'll bet that there is no piece of software IN THE WORLD that does not have a bug, and any of you that say otherwise, shut up, because you do not work in this field.
Microsoft has become its own competition. The new products are good, the old products are bad. As long as you buy new Microsoft products and go to their web site every 5 minutes you should have few problems.
Since I use an Apple Mac I don't care, but Microsoft does suck.
just gotta love apple-MacOSX / Linux / GNU...
there is a book called "In the Beginning was the Command Line.." by Neal Stephenson. It's great to see that the scenarios he plotted out that he thinks will lead to the demise of microsoft (and maybe apple eventually, but to a lesser degree) are actually coming true ... and quickly so.
oh yeah, that book was written something like 6 or 7 years ago
Bah, Microsoft is just hyping up the threat to make people get SP2.
Jpegs can not contain code that can harm your computer. PERIOD.
The most they can do is cause a buffer under-run that would make your PC vulnerable to attack from elsewhere.
Jpegs are just an arrangement of bits, they don't contain executable code at all.
A year ago there was a similar story, this time the "danger" was from viruses encoded into the actual image of the jpeg.
Only there would already have to be a virus on your PC to decode it and then run it, so what would be the point?
~~~~~~~~~
Oh, and PeaceKeeper Wars, Sci-fi, Oct.
Watch it, you won't regret it ;)
The article's author writes, you might miss a piece of software.
With Linux-based systems, things are different. You can update all of the software packages on the system--from a GUI program, from the command line, or in the background automated (say, nightly).
The cute thing I found with Microsoft's GDI+ tool, was it 'scanning' my system, then telling me I had a vulnerable product installed (but not telling me what it was, of course). Then it referred me to Windows Update to download (blind, of course, since it failed to disclose the vulnerable product) the appropriate patch. The interesting part is, the scan was executed under XP SP2, without Office or Picture It! installed. And the best part was, when I got to Windows Update, it said there were no updates needed. I'd love to see a reverse engineering of the scanning program; does it actually scan your computer, or does it just pause for a bit, then tell you to go to Windows Update regardless? It'd be just like the current security industry to spread generic FUD.
That was the stupidest rollout of a patch I've seen Microsoft do yet, why didn't they configure Windows Update to detect whether or not you've got the vulnerable components installed and then show the appropriate patches? Makes me wonder how many people had vulnerable installs of .NET or Picture It! and then accidentally clicked "NO".
And Longhorn is how far out? Time to start thinking Xandros Linux.
As a pro developer I can tell you that all bugs are caused by sales that lead to deadlines that can not be met. Then again, sales pay for development. Look at the automotive industry - safety recalls all over - bugs. It's always someone somewhere that thinks "it's ok like this, I don't have to check it" or does not have the skill to make sure it's ok or simply does not have time. With software giants like Microsoft, it is extremely hard to verify everyone and their every line of code. Yes there are problems with Microsoft, but hey, there are problems everywhere. People love to hate big money. I am not trying to make an excuse as look at Apple and the great work they do... just speaking my mind.
Get a Mac, you'll never look back. Trust me.
21 years, only 1 virus (16 years ago)
My PC machines 20 years, 80,000+ viruses/trojans, plus spyware, adware, keystroke loggers etc.
It's a scam industry, don't you get it yet? You pay to suffer.
That's how they keep you hooked, Stockholm Syndrome, you identify with your abuser Microsoft, only till you cut off all ties to that monster do you really see how you have been abused.
What kind of computing experience is that?
Get a Mac, be free.
I can't keep the PC folks off of my Mac, especially the babes.
After reading the virus description on Symantec's website. Even if the virus can be hidden inside a jpeg file, it still needs to activate some executable code to work. I believe we will still be fine as long as we can isolate those strangers. So don't panic to patch all the jpeg-related programs.
Here is the link: http://securityresponse.symantec.com/avcenter/venc/data/w32.perrun.html
I don't hate Microsoft. Why would I? I have been using their OS for many years with no major problems. To be honest, having to wipe bird-shit off my car makes me pissed off more. I mean how much of a moron do you have to be to hate Microsoft? Jesus man, if you don't think their products make you productive or benefit you in any way, just don't use them. Nobody is forcing you. If you think there are better products, go use them. If you think you are smart enough, go write your own software. This is not the old Soviet Union and you don't have to do something you don't want. You don't like your job but you like the money? You hate Microsoft but use a Windows OS on your machine because you can't use a Mac? You love eating but hate cleaning up? You people make me laugh.
As for this problem... don't you people get it? You blame the software manufacturer for what? For not closing all the holes from those who don't have anything better to do than try and hack your computer? So I blame the lock manufacturer for not making it secure enough to stop that one particular burglar with enough skill to crack it?
Think about it. Almost every day it's Microsoft this and Microsoft that and only once in a while you read about someone assigning the blame to the thousands of dumbshits who don't have the skill to produce software people can use and earn money at it and thus can only do damage in order to justify their pathetic time-wasting life. How about instead of blaming Chevy for making the car TV ad where an underaged boy is driving a vet, people looked at their own families and asked themselves "who is raising my children? TV or I?". It's sad, it truly is.
Haha, You had a valid point until you mentioned Apple. No one would have ever known you even had an APPLE.
I've used Linux, M$croSoft, and Apple and they have all their bugs. It's life and as a network manager - I have to live with it and the stupid users/people that won't update. Final word is, if you don't patch any system, it will become vulnerable.
con't. - we had a few infected with a virus, Wanna know our answer to those who asked how I was infected? Because some idiot user that doesn't update their PC opened an attachment from their personal webmail they knew was fake.
If you don't patch, and check - then you too are idiots and shouldn't have computers. I have not been infected once and don't own a firewall (XP's turned off), or anti-virus software - COMMON SENSE FOLKS
Too many Linux zealots posted on this to give the REAL WORLD some insight to the problem. The Linux zealots (includes Mac OS users, since it IS linux based) have their heads too far up their own arses to understand the root of the issue is THEM. Most virus/trojan writers are Linux users...because they can develop the malware and test it in a virtual machine without fear of harming their toy. Linux is the real threat to the PC world!!!
The real threat is the idiot that does patch their system - no matter what the OS is. PERIOD. If everyone kept their system up to date, it may deter the virus/trojan writers. If you pay attention, most of the viruses that exploit MS lately have been addressed and patches available months before. Just the users of the software don't want to keep their PCs patched.
EDIT The real threat is the idiot that does not patch their system - no matter what the OS is........
Darkflame says "Jpegs can not contain code that can harm your computer. PERIOD." and "Microsoft is just hyping up the threat to make people get SP2."
Believe it, this is a real threat. When your computer loads an image it can cause a buffer overflow which leads to code *in the image* being run. If you don't believe that just wait until proof of concept code is released. (I don't frankly see the point of proof of concept code. I don't need to see someone killed with a gun as proof that guns are dangerous.)
Microsoft has made no secret that they want people to get SP2 but since it's free why would they hype the risk? What would be the point?
apple sux, u can't do anything on it, it's not compatible with anything
microsoft sux, it's way too easy to take advantage of it.
i guess linux is the only real answer
Microsoft is a prime example of the auto industry, crappy products and crappy service
I live currently in Stockholm. What is the Stockholm Syndrome? I run currently Windows and Firefox 1.0. Do I have the Syndrome?
I love my Macintosh!
I've been reading these posts and one thought occurred to me ... how can you people complain about Microsoft or expect to keep your computer secure if you won't take the time to spell your words correctly?
Oh, and please post your Visa Card number so we can verify your identity.
"includes Mac OS users, since it IS linux based"
Mac OS X is not based on Linux. It derives from NextStep. It uses the Mach kernel (as opposed to Linux). It uses a BSD userspace (as opposed to a GNU userspace on most if not all Linux systems).
You have no clue what a Linux OS is and you have no clue of what Mac OS X is, at least system-wise.
Talking about OSes, each OS has vulnerabilities. The difference is that most other users patch. So libpng (png image) will probably not be exploited on Unix systems but jpeg will be exploited on Windows systems.
Also, usually other OSes put the code together in a library or dll if you prefer (libpng for PNG, libjpeg for jpeg). You update only the lib/dll and all apps using that dll are automatically ok next time they are started.
If Apple was as big as Micro$oft, the virus writers would switch over to Apple instead. You can hit more birds if you shotgun the flock. Apple's minority status gives it its best protection.
The lack of a huge diversity of software developers and the cost of Apple software keeps me away from Apple.
They are doing it again to the American consumer. By creating a need and demand a product will be sold before it's developed. Every rich American will impulse buy the product to protect themselves from the perceived threat yet to arrive. By the way I heard the Microsoft Excel program has a few empty cells and for a few hundred dollars I can fill them for you!
Any takers? It's not Microsoft's fault the American consumer is so gullible and allowed to be manipulated to a buying panic frenzy. Example is the Millennium bug and the crash of civilization. Didn't you go out and buy a generator and put all your money into gold?
Suckers,
Aegis
the security through obscurity argument is very old and false. Mac OSX is a *nix derivative and is rock solid.
Plus Mac software is usually less than MS bloatware, unless you need Final Cut Pro, then it's justified.
stockholm syndrome
In 1973, four Swedes held in a bank vault for six days during a robbery became attached to their captors, a phenomenon dubbed the Stockholm Syndrome. According to psychologists, the abused bond to their abusers as a means to endure violence.
High clock speeds, loading stupid, unnecessary software, and unprotected broadbandwidth = risk. Where is the old internet that we all knew and loved at 300 baud? New, uneducated users cause the vulnerability. What is the first thing you do when you help a newbie? You ask them to send you an email. Oops! You should TELL them to send themselves an email because what is the second thing a newbie does? They go looking for porn! Yet another Oops!
only 6 years ago MS IE compared to Stockholm Syndrome
http://freeadvice.com/law/june2bw.htm
the new mac os is based on bsd...
The problem is not people not patching, the problem is not dumb users, the problem is not even the OS. The problem is Microsoft trying to be like Linux..most viruses (if you even wanna call them that) that I have seen over the past couple years have been nothing but script kiddies playing with scripting engines...and people opening attachments in email without looking. If Microsoft would have left well enough alone and not made it so damn easy for everyone with a free hour to write and debug code on the home PCs and left those tools to the professionals..we wouldn't have this problem.
wsc
vbs
access
etc
etc
people don't need these programs at home..
and yes, code can be injected via buffer overflow into gdi..in THIS case..you just gotta know what you're doing and know the ins and outs of gdi to get it to work..much less know it's even there...
Pack of Homos.. Microsoft sucks blah blah blah..
Why listen to the crap touted by Linux and Mac users, if it sucks so bad why is 90% of the world using it.. The only reason it has so many vulnerabilities is because it's the biggest target. Why hack a system that hardly anyone uses?
Never mind thinking about it.. just jump on the bandwagon and start slaggin em off.
I agree get a Mac and Mozilla. It has so many less holes than IE.
blah, blah, blah, blah.
nothing wrong with microsoft.
that can't be fixed.
we like windows and all the hacks that come with it, just give ms time to release sp3 for xp.
and then sp4 and then longhorn.
Anyone that's been in the industry for a while has heard this shizzle spouted every few years.
There's little code in a pic file.. hell if you could code a jpeg every second image on the web would be a snag.
You can fuck up a jpeg to overflow a buffer.. but that's about it.
Hi I'm a newbie to the internet. I'm wondering if a person's thoughts can influence the performance of the processor. No one really knows what's going on in the atoms of a chip, throw in some quantum mechanics, uncertainty principle, influence of the observer, and all that shit, I'm thinking if we can encode the human brain, people could actually migrate into computer chips just like tron and lawnmower man, is this stuff real someone tell me !!
Whatever.
This conversation doesn't happen every few years! Please, It happens every minute of every day. No one's going to solve anything with conversations like these. It never has, it never will.
let's just drop it (not that me saying this will stop the conversation)
Love the discussions folks, but anyone who knows their head from their ass will tell you that Micro$oft is the true demon here. If it weren't for their incredibly devious and immoral business practices, maybe the powers that be might not try so damn hard to constantly show them that at the end of the day they shit just like the rest of us. Any IT junkie that disagrees with that statement is just a little boy. Microsoft loves little boys....
MS does suck. The problem is that "we" (Windows users) figured it out too late and now we are all, basically, screwed. I'll jump to Mac in a second...just point me to where I can buy Softimage XSI and 3DS MAX and some CAD programs I use. What's that? They are only available for Windows? Well then, I guess that's settled. Windows it is. *grumble grumble*
The sad fact of the matter is this: most of the programs I use are only available on Windows. Those that are also available on Mac (or Linux) are usually 1 or more "upgrades" behind Windows stuff. When time-critical stuff isn't a factor it wouldn't matter, but when your competition is using the latest version of Program XYZ and you are using one that is two versions behind...well, guess where the client is likely to go?
Ah well, eventually someone will come up with a new OS and/or hardware that will "decode and convert" to a good OS without any slowdown. ... ... Ok, I can dream, can't I?
so many Mac users come to PCWorld... and so few Mac users go haunt Mac sites... hmmm.... pc envy?
Microsoft Does Suck.........
About Macs, I went to a seminar once and the theme seemed to be ``whatever you do on Unix or Linux, you can do on the Mac''. Why not just use unix or linux then! But seriously, the mac interface is very different and needs getting used to; though I kind of like how it looks. I also realised recently that there is no `insert' key on the keyboard. So I couldn't turn on the over-write mode. To Mac Users, how do I turn on overwrt on a mac?
I'll bet that if 90% of the computers in the world ran something other than Windows, we would be bashing that. ALL OS'es and software have holes, bugs and mistakes.
Microsoft has some of the most brilliant coders under their wings. Windows XP is the best version ever, and to err is human. These products are not crafted by waving a magic wand over a hard drive. Windows XP is around 3 years old, and IMHO, it does not deserve this blatant disrespect because updates are free for those who are willing to take them.
But however, that is my personal opinion, XP still moves PCs' out of the manufacturers' bays like wildfire, and that is a fact.
The part of the JPEG file that can cause the buffer overrun is the comments field. Microsoft misinterprets a particular value in the comment length field and that is what opens the door to the buffer overrun. See below for more details.
Following text is from http://lists.seifried.org/pipermail/security/2004-September/004765.html
JPEG Comment sections (COM) allow for the embedding of comment data
into a JPEG image. COM sections are marked beginning with 0xFFFE
followed by a 16 bit unsigned integer in network byte order giving
the total comment length + the 2 bytes for the length field; a
single JPEG COM section could therefore contain 65533 bytes of
invisible data (invisible in the sense that it's not rendered as
part of the image). Because the JPEG COM field length variable is 2
bytes wide, and itself is included in the length value, the minimum
value for this field is 2, this implies an empty comment. If the
comment length value is set to 1 or 0, a buffer overflow occurs
overwriting heap management structures.
The problem is GDIPlus normalizes the COM length prior to checking
its value; a starting length of 0 becomes -2 after normalization
(0xFFFE unsigned), this value is converted to the 32 bit value
0xFFFFFFFE and is eventually passed on to memcpy which attempts to
copy ~4G bytes into heap memory.
eEye Digital Security analyzed the bug and found that heap
management structures are left in an inconsistent state with
execution eventually reaching heap unlink instructions within
RTLFreeHeap with EAX pointing to a pointer to data we control and we
have direct control of EDX.
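The length handling quoted above, as an added C example that is not part of the original comment or the quoted advisory: it contrasts subtract-then-check with check-then-subtract, and walks a JPEG's header segments to flag a COM segment whose length field is 0 or 1. Function and constant names are this example's own, and the byte arrays in `main` are constructed samples.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes (names belong to this example, not to any library). */
enum { JPEG_OK, JPEG_BAD_COM_LEN, JPEG_MALFORMED, JPEG_NOT_JPEG };

/* The order of operations described above: subtract the two length bytes
 * first, check later. Modelled with signed 32-bit arithmetic, which yields
 * the same values: 0 -> 0xFFFFFFFE, 1 -> 0xFFFFFFFF. */
static uint32_t normalize_unchecked(uint16_t seg_len)
{
    int32_t payload = (int32_t)seg_len - 2;
    return (uint32_t)payload;           /* size a later memcpy would see */
}

/* Validate, then subtract. Returns 0 and sets *payload on success. */
static int normalize_checked(uint16_t seg_len, size_t remaining, size_t *payload)
{
    if (seg_len < 2) return -1;         /* must cover its own 2 bytes */
    if (seg_len > remaining) return -1; /* must fit in the input */
    *payload = (size_t)seg_len - 2;
    return 0;
}

/* Walk the header segments of a JPEG buffer and report a COM (0xFFFE)
 * segment whose length field is 0 or 1; *bad_off receives its offset.
 * The walk stops at start-of-scan, so later segments are not examined. */
static int scan_jpeg_com(const uint8_t *buf, size_t n, size_t *bad_off)
{
    size_t i = 2, payload;
    if (n < 2 || buf[0] != 0xFF || buf[1] != 0xD8) return JPEG_NOT_JPEG;
    while (i + 2 <= n) {
        uint8_t m = buf[i + 1];
        if (buf[i] != 0xFF) return JPEG_MALFORMED;   /* lost marker sync */
        if (m == 0xFF) { i++; continue; }            /* fill byte */
        if (m == 0xD9 || m == 0xDA) return JPEG_OK;  /* EOI / start of scan */
        if (m == 0x01 || (m >= 0xD0 && m <= 0xD7)) { i += 2; continue; }
        if (i + 4 > n) return JPEG_MALFORMED;        /* length field cut off */
        uint16_t len = (uint16_t)((buf[i + 2] << 8) | buf[i + 3]);
        if (normalize_checked(len, n - (i + 2), &payload) != 0) {
            if (m == 0xFE && len < 2) { *bad_off = i; return JPEG_BAD_COM_LEN; }
            return JPEG_MALFORMED;
        }
        i += 2 + (size_t)len;           /* marker + length-counted bytes */
    }
    return JPEG_MALFORMED;              /* ran out of data before EOI/SOS */
}

int main(void)
{
    /* Constructed samples: SOI, one COM segment, EOI. */
    static const uint8_t ok[]  = {0xFF,0xD8, 0xFF,0xFE,0x00,0x04,'h','i', 0xFF,0xD9};
    static const uint8_t bad[] = {0xFF,0xD8, 0xFF,0xFE,0x00,0x00, 0xFF,0xD9};
    size_t off = 0;
    int r_ok = scan_jpeg_com(ok, sizeof ok, &off);
    int r_bad = scan_jpeg_com(bad, sizeof bad, &off);
    printf("well-formed COM: result %d\n", r_ok);
    printf("COM length 0:    result %d at offset %zu\n", r_bad, off);
    printf("unchecked(0) = 0x%08X\n", (unsigned)normalize_unchecked(0));
    return 0;
}
```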
BLAH, BLAH, BLAH, BLAH! What's wrong with all you people anyway? Are you all crazy or do you just act this way? Go ahead and install SP2 and your problems will be solved. The damned upgrade cost Microsoft One Billion Dollars and thousands of man hours to boot. It's actually a complete makeover of important parts of the operating system and it isn't going to hurt you one bit to install it. Might even help you keep your computer safe, that is, if that's what you really care about. Plus nobody's charging you for the stupid thing, so what's your problem?
The way all you people are acting, next time Microsoft will make you Pay for it. Serve you right too! You asked for it. Now go update - or shut up your whining mouths.
Both Windows and Open Source have a place.
There's a lot of blind rhetoric out there for one or the other. Me, I like to keep an open mind.
I still love my MS stuff even with all the challenges that a lot of really smart people out there throw at it.
All in All Microsoft has done an incredible job at giving the world a way to communicate, create, express, share and enjoy a realm we only dreamed of years ago.......Truthfully they have provided a product second to none that's the only reason they're on top.....the blame for all this crap we go thru with updating patching, security and so on and so forth.......lies with those who wish to ruin it for everyone, Blame the Hackers, Blame the Snot nosed kid trying to write a virus for kicks, Blame the ones who cause the problems not the corporation that gave us all what others couldn't.........they're not perfect and they do try .......
Just switch off all JAVA and ActiveX in the browser (Internet Options) and whatever infection WILL NOT RUN.
I love the idea of people who have not done any software development in their life always think they have the ability to compare operating systems. I always read someone put "OSX is less vulnerable than Windows". Show me proof. Post the code for each, and show me the vulnerability.
It's like "Steve Jobs", the guy who put up a post, not the head of apple said, there are more vulnerabilities found in Windows because of its market share. Think about it, 95% of computers in the world run Windows. If you're a hacker, what are you going to focus on, Windows or Apple if you're trying to steal someone's information or penetrate their system? The only reason apple seems more robust is because no one gives a Sh*t to hack into apple. Who cares about the other 5%, hackers want to hack into as many computers as possible, so they focus on Windows. If apple had 95% of the market, then the focus would shift to Mac, then you would see how many vulnerabilities Mac has.
And another thing. I've used Apple, and the only reason it's simpler to use is because it gives you about 1/10th of the control windows gives over its settings. Use any program and get only 1 menu for the application. Run the same application in windows and you get anywhere from 5-10 menus.
He just received post from the internet that stuff is real hard to microsoft .
Apple is a beautiful mother of crackling noises at high clock speeds.
So any vote for bush is a vote for big corporations like micro soft and apple and oracle, especially for stock holder trusts.