Article: Impact of the gdiplus.dll JPEG vulnerability

A few times in the history of the internet there have been waves of attacks exploiting security flaws in popular Microsoft software that caused serious trouble. The JPEG vulnerability widely disclosed a few weeks ago has the potential to be the vehicle of the next large wave of attacks. TrafficStatistic already reported on the bug, for which an exploit source named JPEG of Death is online, on 09/20/2004 and 09/24/2004. The bug has been referenced widely on the web with regard to its impact on end users, but almost nobody has looked at the impact on webmasters. Since we estimate this threat as very dangerous and do not believe that it will vanish soon, we decided to put this article online and to update it continuously as soon as we hear something new about the JPEG vulnerability threat.

Luckily there have been no major attacks using the gdiplus.dll vulnerability during the last days, but be aware that one could come any minute. Based on our TrafficStatistic webserver logs, we estimate that still less than 50 % of our website visitors are protected.

(Last updated: October 5th, 2004)

Principle of the JPEG vulnerability

Roughly speaking, a JPEG image is a file divided into data sections, each introduced by a marker that is followed by a value giving the length of the section. Example:
- Marker: Start of image
- Marker 1, type comment, data length 50 bytes <50 bytes of data here>
- Marker 2, type image spec, data length 100 bytes <100 bytes of data here>
- Marker 3, type image compression info, data length 1000 bytes <1000 bytes of data here>
- Marker 4, image data
- Marker 5, End of image

First type of the JPEG vulnerability

If an image has an invalid length specification for one of its data sections, for example a value of one byte although the length field itself already occupies two bytes, or a value larger than the temporary memory reserved for the image data section, then the image is outside the JPEG specification.

When such an image is displayed with image processing code released by Microsoft during the last years, part of the image data may end up being executed as program code. Usually a program that executes data never intended to be program code will just crash. But because it is image data, and may even be just a hidden comment inside the image, an attacker can calculate which part of the image data will be executed as a program and place malicious code, such as a virus, a worm, a spy program, a keylogger, a trojan or a downloader that fetches and runs other programs, exactly at the position where the vulnerable Microsoft image processing code will try to execute it. The security hole seems to be so big that there are many different ways to exploit it, so it may not be easy to recognize a specific byte pattern in such an attacking image.

Second type of the JPEG vulnerability

There is a second vulnerability (and possibly many more still undiscovered) in Microsoft's JPEG processing code, this time in the way it processes the image data itself. Luckily, in this case it seems that the code merely tries to execute at a zero address, which crashes the program that uses Microsoft's buggy library to display the invalid image. That means the damage for a user is limited: instead of taking control of the attacked computer with a specially prepared JPEG image, an attacker can only crash the program, and the user recovers simply by restarting the program and not letting it display the attacking image again. Example of the second type of JPEG vulnerability: http://sylvana.net/test/AP4.jpg - bookmark this page before you click the link; Internet Explorer will probably crash, even on Windows XP SP2 with all security patches installed!

What is so dangerous about the JPEG vulnerability bug

The JPEG vulnerability is so dangerous because the faulty JPEG processing code is so widely used. A rough overview:

The JPEG format is the most popular format for transferring digital photos over the internet. It compresses the image data in a way that makes the loss of information hardly visible to the human eye. Websites display photographs from digital cameras or scanners in JPEG format, pictures are sent by email as JPEGs or posted to binary newsgroups.

As displaying images is so essential, this capability was integrated into web browsers, and later into operating system components and many programs with a graphical user interface. Microsoft's web browser Internet Explorer was integrated into the Windows operating system, the desktop wallpaper became a web page, Microsoft's file manager Explorer displays preview images when an image-like item is selected, the email client may use it to display photos attached to an email, and the image viewing capability was provided to programmers as libraries, so they could quickly add image viewing to their own programs. The library was provided for shared use, so programs could use the operating system's copy and keep their install file small, and it was also provided separately, so programmers could be sure their program would find the expected version of the library. What makes the situation even worse is that displaying a JPEG image does not require a specific file extension like .jpg, .jpeg, .jfif or .jfi: common browsers recognize a JPEG photo by a type declaration in the HTTP header or simply by analyzing the first bytes of the file. Some virus scanners also seem to check only executable files or office documents for viruses, so they may stay completely quiet when such an attacking image arrives.

In summary, the buggy JPEG processing code can be almost anywhere, and in several places at once: in a browser, an email client, the operating system or any other program. The attacking file does not need to arrive with a .jpg extension and cannot easily be detected by analyzing the file itself.

Threats to Microsoft Windows users

The threats from the first type of JPEG vulnerability come from all sides: the browser Internet Explorer, which displays any file as a JPEG image if its header looks like a JPEG; the mail client Outlook, which uses the Internet Explorer engine and by default displays all images in mails; any Microsoft Office application encountering a JPEG image; and the Explorer file manager, which will execute the malicious code in an attacking JPEG as soon as a suspicious file is selected for deletion. Once the malicious code is executed by accident, anything bad might happen; it can do whatever the rights it runs with allow. As most of the programs deemed vulnerable run with the rights of the logged-on user, the malicious program gets the same rights as that user. That might mean: wiping the hard disk, changing the user's password, infecting all JPEG images with the same malicious code and sending them out to all of the victim's friends in the address book, spreading other viruses or spam from the victim's machine, publishing possibly private documents found there somewhere on the internet, using the victim's computer as a server offering illegal files for download, or just installing a dialer that automatically connects to expensive phone numbers. In short: it must not happen.

The threat from the second type of JPEG vulnerability is lower: it might just crash the application that processes the malicious image. The application can be restarted after the crash, the attacking image removed, and the problem is gone. Only when an application loads the image already at startup, as may happen for example in an email client that shows the last email in a preview pane, some more data might have to be removed before the application starts again.

Threats to webmasters

For webmasters, the possibility of a virus inside JPEG image files brings completely new threats. Whenever an image is delivered from the webserver, it could contain a JPEG attack. Especially for images sourced from other people's servers there is no way for the webserver to check them. As it is not always legal or morally sound to embed other people's graphics in your own website, one might say that this already keeps webmasters from doing so. But there are many cases where graphics are embedded from other people's servers, for example:
- banners in banner exchanges
- advertising banners
- icons in RSS feeds
- screenshots of programs from PAD files
- images posted and embedded by users in a forum, guestbook or comment

Solutions to the JPEG vulnerability problem

There is no easy and general solution to the JPEG vulnerability problem. However, knowing the threats well already helps to fight the impact of this security problem. Windows users should secure their machines at least against attacks of the first type of JPEG vulnerability, webmasters should verify all images they embed in their websites, and network administrators should try to filter out attacking images using the first type of JPEG vulnerability already at the gateway.

Finding vulnerable programs

There is no definitive list of vulnerable programs, but on SANS you can find an independent scanner. As soon as we find further tools we will mention them here. For Microsoft programs alone there is a list of affected programs online, and a scanner that detects some potentially insecure Microsoft programs, but it seems that it neither detects all vulnerable Microsoft programs nor recognizes whether a potentially vulnerable program is already patched and secured. The most reliable way to check whether a program is vulnerable to malformed JPEGs seems at the moment to be opening a test image with the suspicious program and seeing whether it crashes. If it crashes, it is definitely vulnerable; if it doesn't crash, it might not be vulnerable, but that is no guarantee.

Recognizing attacking images

Images using the first type of JPEG vulnerability can be identified automatically by checking the integrity of the image section length definitions. While some virus scanners already seem to check for invalid headers, others still seem not to check images at all. So make sure you have a virus scanner capable of finding invalid JPEG headers. For network administrators, some Snort rules are already available that try to find attacking images of the first type before they enter a network. An automated scanner for images containing the second type of JPEG vulnerability is not available yet. The only way to identify such an image seems to be to open it in a fully patched and secured Internet Explorer and see whether it crashes. If Internet Explorer crashes, there is definitely something wrong with the image; if it doesn't, there is probably no JPEG attack of the second type in it (but of course there might still be a buffer overflow attack of the first type in it!).
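As an added example (not code from the original article or from TrafficStatistic), the following Python walks the marker segments of a JPEG as sketched under "Principle of the JPEG vulnerability" and flags the invalid section-length values that a scanner can look for, as described above. The two sample byte strings are constructed for the example, and the end-of-file bound is an assumption standing in for the memory-size check the article mentions.

```python
import struct

# Markers that are stand-alone (no 2-byte length field follows them).
SOI, EOI, SOS, TEM = 0xD8, 0xD9, 0xDA, 0x01
RST_MIN, RST_MAX = 0xD0, 0xD7

def check_jpeg_segments(data: bytes) -> list:
    """Walk the marker segments of a JPEG and return a list of findings.

    Each finding is (offset, marker, message). An empty list means every
    segment length up to the start-of-scan marker is consistent with the
    file; it does not prove the image is harmless.
    """
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        return [(0, None, "missing SOI marker")]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return [(pos, None, "expected marker prefix 0xFF")]
        marker = data[pos + 1]
        if marker == 0xFF:               # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return []
        if marker in (SOI, TEM) or RST_MIN <= marker <= RST_MAX:
            pos += 2
            continue
        if pos + 4 > len(data):
            return [(pos, marker, "truncated length field")]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        # The length counts its own two bytes, so any value below 2 is
        # invalid: this is the malformed section the article describes.
        if length < 2:
            return [(pos, marker, f"segment length {length} below 2-byte minimum")]
        # A length running past the end of the file cannot be honoured;
        # rejecting it is a conservative stand-in for the memory-size check.
        if pos + 2 + length > len(data):
            return [(pos, marker, f"segment length {length} exceeds file size")]
        if marker == SOS:
            return []                    # entropy-coded data follows
        pos += 2 + length
    return [(pos, None, "file ends without EOI marker")]

# Constructed sample files (not real photos): SOI, a COM segment, EOI.
GOOD_JPEG = b"\xff\xd8\xff\xfe" + struct.pack(">H", 2 + 5) + b"hello" + b"\xff\xd9"
BAD_JPEG = b"\xff\xd8\xff\xfe" + b"\x00\x01" + b"hello" + b"\xff\xd9"
```

Calling `check_jpeg_segments(GOOD_JPEG)` returns an empty list, while `check_jpeg_segments(BAD_JPEG)` reports the comment segment at offset 2 whose length field of 1 is below the legal minimum.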

Solving the problem on Microsoft Windows clients

Solving the problem on a Microsoft Windows machine is rather time consuming: visit Microsoft's website and check whether your operating system is affected. Windows XP without service pack is affected, Windows XP SP1 as well, while Windows XP SP2 and Windows NT are not affected. If your operating system is affected, install the offered patch. Then look through all other Microsoft programs listed as affected and compare whether you have any of them installed. Microsoft published a long list of the software that Microsoft thinks is vulnerable. You probably have a vulnerable Internet Explorer, and whatever else you have from Microsoft may be vulnerable too. Install the offered patch for each affected program. You can also use a special program from Microsoft to find out which Microsoft programs are affected.

Then comes the tough part: go through all of your programs and look for information on whether each one is affected by the problem. Pay special attention to programs that process data directly from the internet, as you won't be able to filter your internet traffic for malicious images before they reach the program. The most likely candidates are mail clients, browsers (Mozilla seems to be clean in all respects, as it uses its own JPEG processing routine), news or blog readers (the feed icon might be a JPEG) and games. Also take special care with the image processing programs that came with your digital camera or scanner, and with file sharing programs. Think of any program that displays an image anywhere. Visit the manufacturer's website or ask their support whether it is affected. A lot of programs may remain for which you can't find out whether they are vulnerable. For those you might search the web for the JPEG vulnerability together with the program name; maybe other users have found out something. You can also test the program with a test image: if the program crashes when encountering the test image, it is very probably vulnerable.

For the rest, better not to use them at all. If you really want to keep them, scan images with a virus scanner capable of detecting malicious images before the program gets to see them, use the programs at your own risk and watch for the effects of an infection. If it is some kind of virus or worm infection, analyzing your internet traffic with a tool like TrafficStatistic and its time interval report might help you to detect traffic patterns typical of worms spreading.

Note on TrafficStatistic itself: TrafficStatistic is only affected via the operating system and Internet Explorer. Once you have secured your Windows operating system and Internet Explorer, TrafficStatistic has no JPEG vulnerability problem.

As Microsoft seems to rate the threat of the second type of JPEG vulnerability as low, Microsoft seems willing to fix this issue only with XP SP3 in 2005. The only way around it is not to use any Microsoft product for browsing the web and emailing, and to use a more secure and free alternative like Mozilla instead.

Solutions for webmasters

The only way to be sure of an image file's integrity is to load it onto your own server, check it and deliver the checked file to your users from your own server. Caveats:
- you need to contact the owner of the image and get explicit permission to deliver it from your server
- ad servers won't count page views
- the image won't be updated when the image owner updates it, and rotating banners won't rotate anymore

The problem hits the first type of JPEG vulnerability hardest: if you embed graphics from a third party, you might become liable for damage caused by that image, because you embedded it into your website. Giving users the possibility to post links to images on other sites and embedding them in your website would enable anyone to link to an image carrying the second type of JPEG malformation and thereby crash the web browser of most of your users when they open your website. Tough stuff, and no way around it except strictly not embedding images from third-party servers.

Links providing more information about the JPEG vulnerability problem



Date: September, 29th 2004

Author: Marcel Bartels, http://www.trafficstatistic.com

Editing and/or reproduction of this article is permitted under the condition that a reference to this original article at http://www.trafficstatistic.com/articles/impact_of_jpeg_bug.html is given.
© 2004-2005 MZL Billing Services & Novatech Ltd. All rights reserved.