My guess is that the JPEG exploit would only be used to run a virus
payload that lies elsewhere, such as in the body of a message. So you
might get a combination of an EXE with a JPEG, and by just viewing the
JPEG the EXE would be executed. Hopefully this is the case because I
don't want to have to start scanning JPEGs and wasting a ton of
additional resources to do so.
Matt
R. Scott Perry wrote:
Unfortunately this is from Microsoft's main web page, just click on the
"Critical Update" in the upper right corner of the page.
I'm still trying to figure out how a virus can hide in a JPEG?
It does appear to be legit.
The issue here isn't the common method of running programs in
extensions that weren't designed to run programs (such as .pif files
and .bat files), but instead takes advantage of a buffer overflow.
For example, the JPEG spec may say that a certain byte (which can have
a value of 0 through 255) indicates the number of subsequent bytes
that need to be stored in a buffer, but that byte may only
contain a number up to 100. Microsoft may have trusted that spec, and
assumed that the number would only go up to 100, and allocated 100
bytes of memory -- yet if a hacker enters in a value of 255, there are
155 bytes that are going to go *somewhere* in memory. In this case,
they end up going somewhere where code runs, or where there is a
pointer to where the code runs. So at some point, Microsoft will
allow those 155 bytes of code to be run.
155 bytes isn't much, but if the numbers are larger, thousands or more
bytes could be run, which a virus can fit into.
Unfortunately, it seems as though the exact details are being hidden,
making it impossible to detect these bogus .JPEGs.
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail
mailservers since 2000.
Declude Virus: Ultra reliable virus detection and the leader in
mailserver vulnerability detection.
Find out what you've been missing: Ask for a free 30-day evaluation.
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
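Added example, not from anyone in the thread: a minimal C model of the length-byte trust problem Scott describes, with the unchecked copy beside a bounds-checked parser. The one-byte-length segment format, the 100-byte limit and the sample inputs are assumptions taken from his illustration, not from the real JPEG spec.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SPEC_MAX_LEN 100   /* assumed: the spec says the length byte never exceeds 100 */

/* Constructed inputs: first byte is the declared length, rest is payload. */
static const uint8_t GOOD[] = {3, 'a', 'b', 'c'};   /* well-formed: 3 bytes follow */
static const uint8_t BAD[]  = {255, 0x41};           /* claims 255 bytes, provides 1 */

/* The bug as described: trusts the length byte and copies into a buffer
 * sized for the spec maximum. A length of 255 writes 155 bytes past 'data'
 * (undefined behaviour), so this version must never see untrusted input. */
size_t copy_segment_unchecked(const uint8_t *in, uint8_t data[SPEC_MAX_LEN]) {
    size_t n = in[0];
    memcpy(data, in + 1, n);          /* no check against SPEC_MAX_LEN */
    return n;
}

typedef struct {
    int ok;                           /* 1 if the segment was accepted */
    size_t declared;                  /* value of the length byte */
    size_t overflow;                  /* bytes an unchecked copy would write past the buffer */
    uint8_t data[SPEC_MAX_LEN];
} segment_t;

/* Hardened parser: the length byte is checked against both the buffer size
 * and the number of bytes actually present, and bad input is rejected. */
segment_t parse_segment(const uint8_t *in, size_t in_len) {
    segment_t s;
    memset(&s, 0, sizeof s);
    if (in_len < 1) return s;                         /* no length byte at all */
    s.declared = in[0];
    if (s.declared > SPEC_MAX_LEN) {                  /* the 255-vs-100 case from the post */
        s.overflow = s.declared - SPEC_MAX_LEN;       /* 155 for BAD */
        return s;                                     /* reject instead of copying */
    }
    if (s.declared > in_len - 1) return s;            /* truncated input: also reject */
    memcpy(s.data, in + 1, s.declared);
    s.ok = 1;
    return s;
}

int main(void) {
    segment_t g = parse_segment(GOOD, sizeof GOOD), b = parse_segment(BAD, sizeof BAD);
    printf("GOOD: ok=%d len=%zu\n", g.ok, g.declared);
    printf("BAD:  ok=%d declared=%zu would overflow by %zu bytes\n", b.ok, b.declared, b.overflow);
    return 0;
}
```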