You knew it was coming, and now it’s here — the latest evil spurred by the latest Microsoft security hole.
It’s called the JpegOfDeath, but JPEG isn’t all it threatens.
“[F]or the people out there who think you can only be affected through viewing or downloading a JPEG attachment… you’re dead wrong,” says K-OTIC’s John Bissell, also know as HighT1mes. “All the attacker has to do is simply change image extension from .jpg to .bmp or .tif or whatever and stupid Windows will still treat the file as a JPEG.”
On September 15 Microsoft issued a red alert warning of a “critical” security flaw in its JPEG processing technology that centers on software supporting the JPEG format, including some versions of Microsoft Windows, Microsoft Office and Microsoft developer tools.After that, it was only a question of time.
The Exploit
According to F-Secure, on September 17 a “proof-of-concept exploit which executes code on the victim’s computer when opening a JPG file has been posted to a public website.” That exploit was crashing only Internet Explorer.
“On September 24th there appeared a constructor that could produce JPEG files with the MS04-028 exploit,” F-Secure continued. “This time the exploit executed a code that could download and run a file from Internet. However, the JPEG file with the exploit has to be previewed locally for the exploit to get activated; viewing a JPEG file from a remote host does not activate the exploit.
“We are expecting that more exploit techniques will be created by hacker groups. And there is a chance that someone will create a universal exploit that would work when viewing an image locally and on a remote host.”
K-OTIC describes this as a Windows JPEG GDI+ Heap Overflow Remote Exploit (MS04-028) and says it was released on September 23.
According to Bissell, the exploit is “based on [the] FoToZ exploit but kicks the exploit up a notch by making it have reverse connectback as well as bind features that will work with all NT based OS’s. WinNT, WinXP, Win2K, Win2003, etc.”
No Clicking Required
Nor, it seems, do victims have to click a link to be nailed.
“For instance,” says Bissell, “you send them the image… and then they can’t see it in Outlook Express, so there like man this image has a cool name so I’ll try to open the attachment, then….”
Given the nature of its host, JpegOfDeath.c v0.5 could be one of — if not the — worst virus yet.
In the meanwhile, “Savvy Web Surfers Catch New Wave of Browsers,” says the headline in a Reuters story on the fact that Microsoft’s Internet Explorer has some “some slick new challengers.”
But it’s nothing to do with “savvy surfers” or a “new wave of browsers” or “slick” or “new.”Bill and the Boyz have been treating their customers with contempt for far too long and now they’re paying for it.
Bill’s Angry Customers
Increasing numbers of deeply brassed off Internet Explorer users who’ve had a gut-full of non-stop security threats and breaches are looking around.
A patch has been issued for the JPEG hole. But so what? No one believes every single IE user is going to apply it. Far from it, in fact. And this means the door is wide open for all those hackers who live for just such opportunities as this.
So now disenchanted IE users are checking out new horizons and finding the views excellent. As a direct result, IE now has serious competition from the likes of Opera, which is very far from being new, and Mozilla Firefox, which is now bopping along nicely, thank you very much.
It’s win-win for everyone. Except Microsoft.
But then, the Gates Green Machine is having the problems it’s having because, like the entertainment industry, it made the terminal error of looking the gift horse in the mouth.
Here’s a patch to the JPEG hole.
Jon Newton, a TechNewsWorld columnist, founded and runs p2pnet.net, a daily peer-to-peer and digital media news site focused on issues surrounding file-sharing, the entertainment industry and distributed computing. p2pnet is based in Canada where sharing music online is legal.
Be careful with the word "virus", it’s no virus.. it’s an exploit. Meaning that it’s a proof of concept.. and writing good exploits is hard.. is a challenge. Many security researchers probably have written exploits for this internally to test vulnerability, or to demonstrate it.. maybe people will then believe severity of the issue. But also used for penetration testing.
The connect-back method is a popular method to payload an exploit.. often machines infected have a firewall or are behind a company firewall, opening a new port with a cmd.exe shell on that is not convenient, because the firewall blocks any connection attempt. A connect-back however will connect-back to an attacker machine, an outbound connection. Now, outbound connections can be restricted too, which is called egress filtering.. but it’s not done at a large scale yet, though it’s starting to come as an attempt (which would be very succesful) at stopping spam being send from the inside network, and to stop viruses.
When the exploit is being used in a real virus however (though the exploit should become more stable than it is now, to do this) all this firewall stuff doesn’t help. As the payload won’t be a connect-back shell, but the virus itself and a mechanism which probably will abuse outlook for sending it to other people, there’s not much one can do about this, but filtering the email or developing IDS (Intrusion Detection System) signatures for it.