MAC-NETHow toNetwork SecurityVirus ProtectionSpyware ProtectionDownloadReferenceContact
 

Do more with FirefoxNEW

5 Top security flaw found in corporate networks

Alert: Apple Security Bulletin

Alert: MS Security Bulletins

Alert: MS Security Tips

Browser crash test

Critical Alert

Firewall

Firewall on fire!

Hoaxes: E-mail

Internet Protocol Network Camera Surveillance

Mail relay test

Network Setup Checklist

Network Worms

On-line Privacy

Process - OK

Process - Bad & Ugly

Rootkits

Rotten Cookies

TCP Holed

TCP Port

TCP Port ~ 1024

TCP Port ~ 1352

TCP Port ~ 2500

TCP Port ~ 65301

TCP Port Scan

Web Security
Home » Network Security » Alert: MS Security Bulletins » 

Sep 2004 Microsoft Security Bulletin:

  • MS04-027 Vulnerability in WordPerfect Converter Could Allow Code Execution (884933).
  • MS04-028 Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987).  This update resolves a newly-discovered, privately reported vulnerability. A buffer overrun vulnerability exists in the processing of JPEG image formats that could allow remote code execution on an affected system. The vulnerability is documented in this bulletin in its own section.  If a user is logged on with administrator privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.

JPEG Exploit Exploitation

The following are 3 scenarios that could lead to an advanced exploitation of the JPEG exploit that began to strike in October:

  1. Email Attachment - Emails with infected JPEG attachments may not be identified by desktop antivirus solutions because they rely on file extensions and MIME types to identify images.
  2. Image on a Web Page - Most gateway security solutions do not inspect JPEG files in HTTP and FTP - if they do inspect these files, it significantly impacts performance. Links to the infected Web pages can also propagate in email worms, instant messenger worms, IRC worms, etc.
  3. Email with a Linked Image - An attacker or spammer sends an email containing an HTML image link to a JPEG containing malicious code. The JPEG itself resides on a Web server and is automatically downloaded via HTTP when the email is viewed or previewed. The code is executed the moment the image is viewed or previewed in Outlook or Outlook Express. It is important to note that infected images could reside not only on Web servers prepared by attackers, but also on previously infected computers which are now turned into slim Web servers or on infected Web servers. This is similar to Nimda and other worms that infected Microsoft IIS Web servers.

Organizations adopt the following six action steps to reduce the chance of this threat occurring:

  1. Donīt rely on SMTP or internal mail server content inspection. A complete solution must be a gateway solution and must inspect HTTP and FTP in addition to SMTP.
  2. Identification of JPEG files should not rely on extensions, or content type, to prevent spoofing.
  3. JPEG files should be inspected packet-by-packet in real time to eliminate latency. Users should not have to wait until the entire file is downloaded and inspected by the proxy.
  4. All parts of the JPEG file must be fully inspected before being released to the client. Solutions cannot rely on partially releasing non-inspected content.
  5. The gateway solution must not pose any delays and timeouts or create any visible impact on usersī browsing experience - either when cached JPEG files are delivered or when new images are downloaded.
  6. For hosted web sites that allow file uploads, inspect all uploaded JPEG files.

JPEG Exploit Exploitation commentPost your comment  

Jpeg exploit virus appears

A virus designed to exploit a recent disclosed hole in Internet Explorer is already doing the rounds on the Internet. Security experts have warned it could allow remote attackers to take full control of vulnerable Windows machines.

The exploit takes advantage of a flaw in the way Microsoft applications process jpeg image files, a common format for displaying images on the Web. Microsoft designated the flaw a "critical" problem and released a software patch for it, MS04-028. A Windows user would have to open a jpeg file that had been modified to trigger the flaw using a wide range of applications, such as the Explorer browser or Outlook.

The exploits create a jpeg file formatted to trigger an overflow in a common Windows component called Gdiplus.dll.  The first exploit opens a command shell on a vulnerable Windows system when the rigged file is opened using Windows Explorer, an application for browsing file directories on Windows systems.  The second exploit further modifies the attack code to add a new administrator-level account, named simply "X," to affected Windows systems when a jpeg file is opened through Explorer. The account could then be used by the attacker to log-in to the machine using standard Windows networking features

Jpeg exploit virus appears commentPost your comment  


commentPost your comment 
Mail this pageMail this page


© 2004-2008. All Rights Reserved.