Image Bug Puts Windows At Critical Risk



mushroom
09-15-2004, 12:15 AM
By Gregg Keizer Courtesy of TechWeb News

As part of its monthly patching cycle, Microsoft on Tuesday rolled out a pair of security bulletins, including one rated "critical" that affects a bewildering array of the company's operating systems and applications, and puts systems at risk of hacker hijack.

Security Bulletin MS04-028, dubbed "Buffer Overrun in JPEG Processing," affects Windows XP, Windows XP SP1, and Windows Server 2003, as well as a host of Microsoft applications, most notably those in the Office XP and Office 2003 suites.

The vulnerability, which Microsoft ranked as "Critical," the highest threat level in its four-step system, stems from a flaw in the processing of JPEG images, the ubiquitous format used for digital images. Virtually every digital camera, for instance, produces pictures in .jpg format, while the bulk of Web sites use images in that file format.
full story: http://www.securitypipeline.com/network/47205226;jsessionid=HZCYPCAOOONMUQSNDBCCKHY

ppayne
09-15-2004, 09:26 PM
<soapbox>

Hate to bring up an old topic, but why is everyone running Windows when you know that there is a possibility that your entire business will be wiped out by viruses or worse? I run my company, jlist.com, with Macs (and a few PCs for development work and testing). We have not lost $1 to down time or viruses or spyware, since it doesn't exist on the Mac and wouldn't flourish in OS X anyway. Our systems are fast and work well, every piece of software including Office is readily available, and there isn't a single thing we lack. In a world where everything is "open" -- the web, email, document formats -- I have to ask why the Windows users on this site would be compelled to continue to use Windows despite the known security and other problems? Between happier employees and increased reliability, Macs are the best bargain we could find for our business.

I had our lawyer do some work for me once, and a virus erased his hard drive, forcing him to redo $5000 worth of work. This would never happen on a Mac -- it's unthinkable, really. If a car company made such horrible products, would 96% of the world be clamoring to buy it?

Seriously. Just go to an Apple store and talk with the staff there.

</soapbox>

mikmik
09-15-2004, 11:27 PM
Hi, ppayne.
You make a 'sort of' valid point. It is an old discussion, and we hashed it out very thoroughly here
http://www.webproworld.com/viewtopic.php?t=24062

It would be much more secure, it is more secure, to run Mac OSes - right now!

But Mac is not invincible; not long ago the mp3 virus was, and still is without doubt, being distributed via p2p file sharing networks like Kazaa.

It only infects Macs.

Whether one system is inherently more secure than any others is a long worn out debate. Let's not go into that here (my opinion! lol).

The quite pervasive opinion, as far as I can tell in the IT and tech journals and magazines, is that Windows is by far the most popular target and focus for malware and virus writers because it is the most pervasive OS by far.

If another OS was to be as popular, it would be the one being exploited the most.

Buffer overflows are a symptom of using RAM. There is no computer system I know of that doesn't; therefore, buffer overflow exploits can be used on any and every OS.

Again, some may have fewer weaknesses, but the difference is not so readily apparent if there is.

The main problem with switching, though, is it isn't cheap.

One more point. If any OS is obviously more secure, why do the ratios of new installations on public servers not change?

For business intranets and Secure servers, there is little if any change either, with Windows OSes outnumbering them all, easily.

Also, the last time I checked, there were as many critical updates for Mac systems as there were for Windows. I just got this in the mail now:

TOP 10 NEW VULNERABILITIES (http://www.threatfocus.com/sample_alerts.php)
Here is a list of the Top 10 security advisories, vulnerabilities and security-related patches for the last week as determined by the number of subscribers who received each notification.

There were new Security Alerts in the last 7 days for products from these companies:
Microsoft, Apple, Mandrake, OpenPKG, Debian, Samba, Conectiva, Slackware, Trustix, Pingtel, RhinoSoft, Axis, Gentoo, Lexar

Threat Focus subscribers receive real-time alerts, including greater detail and specific mitigation steps, for just the products in their alert profile simplifying security intelligence gathering and making more time available for threat response. Anyone, even non-Threat Focus subscribers, can always view the complete text of 10 recent security alerts (delayed by 48 hours).

Date | Title | Severity
9/14/2004 | Microsoft [Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution] | High
9/14/2004 | Microsoft [Vulnerability in WordPerfect Converter Could Allow Code Execution] | Medium
9/14/2004 | Apple [Multiple Security Updates for Mac OS X] | Medium
9/14/2004 | Samba [Samba 3.0 DoS Vulnerabilities] | Medium
9/14/2004 | Slackware [samba DoS] | Medium
9/13/2004 | OpenPKG [OpenPKG Security Advisory (kerberos)] | High
9/13/2004 | Mandrake [Updated samba packages fix multiple vulnerabilities] | High
9/8/2004 | Mandrake [Updated zlib packages fix DoS vulnerability] | Medium
9/14/2004 | Debian [New webmin packages fix insecure temporary directory] | Medium
9/14/2004 | Lexar [JumpDrive Secure Password Extraction] | Medium


By far, the most effective defense against security threats and malware is education. By far (IMO)
http://www.intranetjournal.com/security/

This is my favorite resource for keeping up to date:
http://www.internetnews.com/security/

And just to keep things in perspective:

Security
September 8, 2004 (http://www.internetnews.com/security/article.php/3405051)
Apple Issues Mega Security Update
By Ryan Naraine

Computer maker Apple has released a security update to fix more than a dozen flaws in the Jaguar and Panther versions of its flagship Mac operating system.

According to an advisory from Apple, the most serious flaw could permit remote attackers to execute arbitrary code and potentially take over a user's system.

The mega patch fixes holes in several components of Mac OS X, including CoreFoundation, IPSec and the Kerberos 5 authentication system, which was recently patched by MIT.

Apple also included fixes for its Safari browser along with patches for components like libpcap, lukemftpd, NetworkConfig, OpenLDAP, OpenSSH, PPPDialer, rsync and tcpdump.


I am not trying to pick sides in this. My Windows security situation worries me very much.

But.... I never fail to update my SuSE (Linux) when a patch is issued, either.

The number one enemy is user complacency and false sense of security.

That scares me more than any OS!

However, I would not argue against stability and performance benefits being better with Macs, and Linux as well.

issacnewton
09-16-2004, 12:56 AM
All my company people were asking me what happened and somehow I missed the story today, thanks webproworld for keeping me up to date.

cthathem
09-16-2004, 04:02 AM
Thanks for keeping us up-to-date!
I'd also like to thank you for the information. I just published the story to my forums news section, hope nobody gets into severe trouble... I'll probably do the patching in the evening, when I get home from work.

Niche applications don't make good targets...
And yep, I guess mikmik is right... the more popular something is, the more people will try to exploit bugs and flaws on that system (or piece of software). I read an article about Mozilla Firefox that stated it could be equally hacked, but it isn't due to the small user community. If Firefox was more popular, it would be a more interesting target for hackers. And if you're writing malicious code like viruses, you would want them to spread effectively. With software products that are only used by few people, that isn't the case, so they write code that can inflict damage on the majority of computer users.

The OS Bashing Discussion..
But still, I think you're right in that Mac OS is better with performance and such.. but don't forget what made Microsoft that big in the first place: that it would run on many different machines, whereas Apple doesn't have to bother with the diversity of hardware and drivers, that Microsoft has to support... so it doesn't boil down to "Microsoft is not as good as Apple is" ... you have to watch the details, because for every feature and piece of hardware you support, there is potential for a flaw, and if you know your hardware ... you're kind of on safe ground. :)

Georg :)