Unfortunately, this is from Microsoft's main web page; just click on the
"Critical Update" in the upper right corner of the page.

I'm still trying to figure out how a virus can hide in a JPEG?

It does appear to be legit.

The issue here isn't the common method of running programs in extensions that weren't designed to run programs (such as .pif files and .bat files), but instead takes advantage of a buffer overflow. For example, the JPEG spec may say that a certain byte (which can have a value of 0 through 255) indicates the number of subsequent bytes that need to be stored in a buffer, but that that byte may only contain a number up to 100. Microsoft may have trusted that spec, and assumed that the number would only go up to 100, and allocated 100 bytes of memory -- yet if a hacker enters in a value of 255, there are 155 bytes that are going to go *somewhere* in memory. In this case, they end up going somewhere where code runs, or where there is a pointer to where the code runs. So at some point, Microsoft will allow those 155 bytes of code to be run.

155 bytes isn't much, but if the numbers are larger, thousands or more bytes could be run, which a virus can fit into.

Unfortunately, it seems as though the exact details are being hidden, making it impossible to detect these bogus .JPEGs.

-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.


---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.
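The length-byte overflow Scott describes above, as an added example that is not part of the original post and not Microsoft's code or the real JPEG parser: a hypothetical segment format consisting of one length byte (0 through 255) followed by that many payload bytes, where the "spec" promises the length never exceeds 100. The stack frame is modelled as one array (a 100-byte buffer followed by a 4-byte saved return address) so the overflow stays inside the model; the parsers, the frame layout and the placeholder return-address bytes are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical format: [len][len payload bytes]; the spec promises len <= 100. */
#define BUF_MAX 100

/* Model of a stack frame: the 100-byte buffer followed by a 4-byte saved
 * return address. Both live in one array so the overflow in this demo writes
 * into defined memory; in a real program it would run off the end of the frame. */
struct frame {
    uint8_t mem[BUF_MAX + 4];
};
#define RET_OFFSET BUF_MAX

/* Constructed placeholder return address (not a real address). */
static const uint8_t RET_BYTES[4] = { 0xDE, 0xAD, 0xBE, 0xEF };

static void frame_init(struct frame *f) {
    memset(f->mem, 0, sizeof f->mem);
    memcpy(f->mem + RET_OFFSET, RET_BYTES, sizeof RET_BYTES);
}

/* Saved return address as a little-endian 32-bit value. */
static uint32_t frame_ret(const struct frame *f) {
    const uint8_t *m = f->mem + RET_OFFSET;
    return (uint32_t)m[0] | ((uint32_t)m[1] << 8) |
           ((uint32_t)m[2] << 16) | ((uint32_t)m[3] << 24);
}

/* Build a segment: one length byte then `len` copies of `fill`.
 * Returns bytes written, or 0 if the output buffer is too small. */
static size_t build_segment(uint8_t *out, size_t out_cap, uint8_t len, uint8_t fill) {
    if (out_cap < (size_t)len + 1) return 0;
    out[0] = len;
    memset(out + 1, fill, len);
    return (size_t)len + 1;
}

/* VULNERABLE: trusts the spec's promise that len <= 100 and copies whatever
 * the length byte says into the 100-byte buffer. Returns bytes copied. */
static int parse_segment_unsafe(struct frame *f, const uint8_t *in, size_t in_len) {
    if (in_len < 1) return -1;
    size_t len = in[0];                 /* attacker-controlled, 0..255 */
    if (len > in_len - 1) len = in_len - 1;
    /* Cap at the model's size only so the demo itself stays in bounds. */
    if (len > sizeof f->mem) len = sizeof f->mem;
    memcpy(f->mem, in + 1, len);        /* 255 - 100 = 155 bytes spill past the buffer */
    return (int)len;
}

/* HARDENED: rejects any length the buffer cannot hold, and any length that
 * claims more payload than the input actually contains. */
static int parse_segment_safe(struct frame *f, const uint8_t *in, size_t in_len) {
    if (in_len < 1) return -1;
    size_t len = in[0];
    if (len > BUF_MAX) return -1;       /* bigger than the buffer: refuse */
    if (len > in_len - 1) return -1;    /* truncated segment: refuse */
    memcpy(f->mem, in + 1, len);
    return (int)len;
}

int main(void) {
    uint8_t seg[256];
    struct frame f;

    size_t n = build_segment(seg, sizeof seg, 255, 0x41);   /* constructed hostile segment */
    frame_init(&f);
    printf("before: ret=0x%08x\n", frame_ret(&f));
    printf("unsafe copied %d, ret=0x%08x\n", parse_segment_unsafe(&f, seg, n), frame_ret(&f));

    frame_init(&f);
    printf("safe returned %d, ret=0x%08x\n", parse_segment_safe(&f, seg, n), frame_ret(&f));
    return 0;
}
```

With the hostile segment the unsafe parser overwrites the saved return address with 0x41414141; the hardened parser returns -1 and leaves the frame untouched. The second check matters as much as the first: a length byte that exceeds the available input is the mirror-image bug (an over-read) and is caught the same way.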
