Virus writers focus on image bug

Sun Sep 26 13:24:05 CEST 2004

REPLY TO: D66 at nic.surfnet.nl

Zou dat nog wat worden met die kennisecoomie. Komen we
misschien eindelijk van dit gedrocht (M$) af.

"
  Virus writers focus on image bug

A critical weakness found in many Microsoft programs looks
like it is about to be exploited by virus writers.

The bug only came to light last week, but code is now
circulating that could be used to attack vulnerable machines.

Some security experts said conditions were right to turn the
bug into a widely exploited problem.

But others said there was still time to patch machines and
ensure that virus writers were prevented from scoring a big
success.

Picture problems

Microsoft issued a critical security alert last week telling
users that there were problems with the way Jpeg images are
handled by Windows and many other programs it makes.

The alert said that, theoretically, a malicious attacker
could take over a vulnerable machine using a carefully
crafted image that contained code to exploit the bug.

[
VULNERABLE PROGRAMS
Windows XP
Windows XP Service Pack 1
Windows Server 2003
Internet Explorer 6 SP1
Office XP SP3
Office 2003
Digital Image Pro 7.0
Digital Image Pro 9
Digital Image Suite 9
Greetings 2002
Picture It! 2002
Picture It! 7.0
Picture It! 9
Producer for PowerPoint
Project 2002 SP1
Project 2003
Visio 2002 SP2
Visio 2003
Visual Studio .NET 2002
Visual Studio .NET 2003
]

At the time the alert was issued, example code to exploit
the bug had not been seen.

However, sample code written for the bug appeared earlier
this week, leading some to speculate that a virus written to
use it would follow soon.

The code was posted to a closed circulation security mailing
list and a publicly viewable website.

This could mean that users find their machine under attack
when they view images on the web or when their e-mail
program previews images contained in messages.

"This is the virus equivalent of a harmonic convergence,"
said David Perry, from anti-virus firm Trend Micro.

He said all the conditions were right to make any virus that
used the exploit code a big hitter.

"It's been a long time since the last major virus outbreak,"
he said. "That's a major factor. How many people have let
their guard down?"

"Also," he said, "it's a big vulnerability and it affects a
lot of different people and it would be easy to put on the
web or any of a number of different things."

He said porn sites or those happy to spread spyware could be
sources of virus carrying images.

No panic

He said one other reason for suspecting that a virus to
exploit the Jpeg bug was imminent was the fact that the
annual Virus Bulletin conference runs this week.

"There's almost always a virus released during the Virus
Bulletin conference because all the virus experts are away
from home," he said.

But Graham Cluley from anti-virus firm Sophos said there was
no need to panic.

"At the moment no-one is exploiting the bug to deliver
malicious code," he told BBC News Online. "It is purely
being done as a 'proof of concept'."

He urged people to apply patches before a virus was written
to exploit the bug.

"Microsoft has had its patches out for more than a week
now," he said, "so home users who have switched to automated
updates should already have downloaded the fix."

Security experts pointed out that machines patched with the
SP2 update to XP, which closes many commonly exploited
vulnerabilities, could be at risk from the Jpeg virus if
they used other programs that still contained the loophole.

In all, more than a dozen programs are susceptible to the
Jpeg exploit.

Advice from analysts Gartner said the Jpeg bug could be hard
for companies to protect themselves against because most
computers had several versions of the vulnerable component
installed.

Story from BBC NEWS:
http://news.bbc.co.uk/go/pr/fr/-/1/hi/technology/3684552.stm

Published: 2004/09/24 09:19:20 GMT
"

**********
Dit bericht is verzonden via de informele D66 discussielijst (D66 at nic.surfnet.nl).
Aanmelden: stuur een email naar LISTSERV at nic.surfnet.nl met in het tekstveld alleen: SUBSCRIBE D66 uwvoornaam uwachternaam
Afmelden: stuur een email naar LISTSERV at nic.surfnet.nl met in het tekstveld alleen: SIGNOFF D66
Het on-line archief is te vinden op: http://listserv.surfnet.nl/archives/d66.html
**********