Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade@private>

If you have not been living under a rock (in security terms), you will likely have heard something about the GDI+ vulnerability in the past few days. JPEGs and other files that may be handled in the same way are now potentially "dangerous" data files.

In 1994 a graphics file was spread via Usenet that contained oddities in the header, and at about the same time a virus warning hoax was created that warned of a viral JPEG file. Neither of these was, in fact, related to actual malicious software, but I did some study on the subject and found header structures in both formats that could, potentially, have been used as malware vectors, under certain conditions.

The specifics of the current JPEG/GDI+ vulnerability are very difficult to obtain, even when you have copies of the various "exploits" that have been released. However, it does seem to be simply your common or garden buffer overflow. As I write I am not aware of any specific exploits that have been released with the intent to use them maliciously. However, given the number of "exploit" samples that have been released I dare say that it will not be long before we see the real ones come out.

It is unlikely that viruses will be created using this vulnerability, but it is quite probable that viruses will be created that carry graphics files (likely pornographic) that will use the vulnerability to open links to malware on Web sites, or simply open backdoors on machines for exploitation and amalgamation into botnets of various types.

Microsoft security bulletin MS04-028 (http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx) has some links that, if you manage to follow them all the way through, will lead you to a patch. The Windows and Office Update sites will also provide you with the patches, but not always easily. (For example, Windows Update seems to insist that you install SP2 first, although there is a way around this.)
Affected systems use certain versions of the gdiplus.dll file. The most widespread of the affected versions of the file come with Microsoft Windows and Office, 2003 and XP versions. Other Microsoft (and other vendors') products also have vulnerable versions of the file. The file is fairly ubiquitous. I've got eleven copies (and two compressed copies) of five different versions of gdiplus.dll on my machine. (Versions of it also exist with different file names.)

The Microsoft site does provide details of which version numbers are vulnerable or not--but no information about file sizes or dates that might allow you to determine which versions are which. If you follow links through from that page there is also a "detection" tool--but it only tells you that you *are* vulnerable, rather than identifying specific instances.

SANS also has provided a scanning tool, at http://isc.sans.org/gdiscan.php. (Actually two, a GUI version and a command line version. The GUI version, as provided, seems to want a disk in drive F:, but if you tell it to continue seems to function.) This tool identifies which versions are vulnerable and which are not, and also scans other filenames which are, in fact, renamed copies of the gdiplus.dll file, such as:

C:\I386\ASMS\1000\MSFT\WINDOWS\GDIPLUS\GDIPLUS.DLL Version: 5.1.3097.0 <-- Vulnerable version
C:\Program Files\ArcSoft\Software Suite\PhotoImpression 5\Share\gdiplus.dll Version: 5.1.3097.0 <-- Vulnerable version
C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSO.DLL Version: 11.0.6360.0
C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\Program Files\Microsoft Office\OFFICE11\GDIPLUS.DLL Version: 6.0.3264.0

Banning JPEGs is unlikely to be effective as a security measure. Untrained users will probably not know how to turn off the relevant functions, or be willing to so "cripple" their Web browsing.
In any case, graphics files of various types can be renamed, and Windows will still identify them from internal structures, and run them through GDI+. Using firewalls to block .jpeg, .jpg, and the various other normal file extensions would therefore also probably be ineffective in some cases.

Microsoft has provided some new patches (patches for Office and Windows apparently have to be installed separately), and others will possibly do so as well. It may be difficult to find the appropriate patches for all applications. One would assume that all versions of gdiplus.dll could simply be replaced by the latest (safe) version, but, knowing the industry, one would probably be wrong.

======================
(quote inserted randomly by Pegasus Mailer)
rslade@private slade@private rslade@private
Success is to be measured not so much by the position that one has reached in life as by the obstacles which he has overcome while trying to succeed. - Booker T. Washington
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
_________________________________________
Donate online for the Ron Santo Walk to Cure Diabetes - http://www.c4i.org/ethan.html
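The two practical points in the message above, that Windows identifies an image from its internal structure rather than its extension, and that the GDI+ flaw is a buffer overflow in JPEG handling, can be demonstrated with a small content-based checker. The following is an added example written for this page; it is not code from Rob Slade's message, from Microsoft, or from the SANS gdiscan tool. It identifies a JPEG by its SOI marker whatever the file is called, walks the marker segments, and flags any segment whose 16-bit length field is below 2. That a comment (COM) segment declaring such a length was the trigger for MS04-028 is taken from the public disclosure of the bug, not from the message above. The function names and the byte strings are constructed for illustration and are not real files.

```python
import struct

# Markers that carry no length field: SOI, EOI, TEM and RST0..RST7.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))
SOS = 0xDA   # start of scan: entropy-coded data follows, header walk ends here
COM = 0xFE   # comment segment (the one abused in MS04-028, per public disclosure)


def is_jpeg(data: bytes) -> bool:
    """Content-based identification: a JPEG starts with the SOI marker FF D8,
    regardless of the file name or extension."""
    return data[:2] == b"\xff\xd8"


def walk_segments(data: bytes):
    """Yield (offset, marker, declared_length) for each header segment up to SOS.

    declared_length is big-endian 16-bit and counts its own two bytes, so any
    value below 2 is malformed: a decoder that computes payload = length - 2 in
    unsigned arithmetic wraps to a huge size and copies far past its buffer.
    """
    if not is_jpeg(data):
        raise ValueError("missing SOI marker: not a JPEG")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}, got 0x{data[pos]:02X}")
        while pos < len(data) and data[pos] == 0xFF:   # skip 0xFF fill bytes
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated: marker byte missing after 0xFF")
        marker = data[pos]
        start = pos - 1
        pos += 1
        if marker in STANDALONE:
            yield (start, marker, None)
            if marker == 0xD9:          # EOI
                return
            continue
        if pos + 2 > len(data):
            raise ValueError(f"truncated length field for marker 0xFF{marker:02X}")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        yield (start, marker, length)
        if length < 2:
            raise ValueError(
                f"marker 0xFF{marker:02X} at offset {start} declares length {length} (< 2)")
        if pos + length > len(data):
            raise ValueError(f"marker 0xFF{marker:02X} at offset {start} runs past end of file")
        if marker == SOS:
            return
        pos += length


def check_image(data: bytes) -> tuple:
    """Classify a byte string by content only.
    Returns ("not-jpeg", reason), ("ok", segment_count) or ("malformed", reason)."""
    if not is_jpeg(data):
        return ("not-jpeg", "no SOI marker")
    try:
        segments = list(walk_segments(data))
    except ValueError as exc:
        return ("malformed", str(exc))
    return ("ok", len(segments))


def naive_payload_length(declared_length: int) -> int:
    """What a decoder that trusts the field computes for the payload size when it
    does `length - 2` in 32-bit unsigned arithmetic: length 1 wraps to 0xFFFFFFFF."""
    return (declared_length - 2) & 0xFFFFFFFF


# Constructed samples (not real files): a minimal benign JPEG header, and one
# whose COM segment declares length 1.
BENIGN = (
    b"\xff\xd8"                                                         # SOI
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"   # APP0, len 16
    + b"\xff\xfe\x00\x07hello"                                          # COM, len 7
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"                       # SOS, len 8
)
MALFORMED = b"\xff\xd8" + b"\xff\xfe\x00\x01" + b"\x00" * 16            # COM, len 1

if __name__ == "__main__":
    # The same bytes are classified identically whether named .jpg or .txt.
    for name, blob in (("photo.jpg", BENIGN), ("notes.txt", BENIGN), ("cute.jpg", MALFORMED)):
        print(name, check_image(blob))
    print("naive payload size for length 1:", hex(naive_payload_length(1)))
```

The checker stops at SOS on purpose: the header segments are what a decoder parses before it trusts any length field, and a gateway filter only needs that much to decide. Note that it classifies by bytes, so a renamed file gets the same verdict as one with a .jpg extension, which is exactly why extension-based firewall rules are weak here.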
This archive was generated by hypermail 2.1.3 : Mon Sep 27 2004 - 06:17:57 PDT