They really didn't give enough information that would allow one to figure out the extent of the vulnerability here. Only RGB and CMYK images should have ICC profiles, but the programs that open such images will also open up images that have set palettes such as GIFs and BMPs. I don't know whether or not their software might try to open an ICC profile in a format in which it is not supported (or useless for). So I suppose that it is a possibility that even GIFs could be affected.

It would seem to be minimally prudent to scan JPG, JPEG and PNG since these are the most likely to be exploited and are almost universally supported in E-mail clients and Web browsers. The other ones are rare in E-mail so it would cause hardly any extra load to scan them. Scanning GIFs on the other hand might be a noticeable extra load and a real shame.

It's quite unbelievable that Microsoft did this twice. We're quite lucky that the JPG viruses never started being spread by E-mail, but who knows, maybe that was not very practical to exploit and maybe this one is. It's certainly an equation for disaster, especially in the fact that it was previously reported that images were parsed by the Web browser before they were written to the cache where an antivirus program could scan them. That is hearsay until I see it in action though.

Matt




Colbeck, Andrew wrote:

Today is Microsoft Patch Tuesday for July 2005.

One of the bulletins is:

http://www.microsoft.com/technet/security/Bulletin/MS05-036.mspx

Which fails to indicate which graphics formats are affected by this
vulnerability.  It does mention that abuse thereof is indeed in the
wild.  Presumably on websites, but if you want to make sure that it is
not happening in email, you will want to remove these optimizations from
your Declude virus.cfg file:

SKIPEXT         JPG
SKIPEXT         JPEG
SKIPEXT         PNG
SKIPEXT         TIF
SKIPEXT         TIFF

This contradicts my posting in May 2005 that Scott Perry said that JPG
skipping was ok vis a vis MS04-028 Q833987 because Declude Virus checks
for corrupt JPG regardless of the SKIPEXT behaviour.  That is, unless
the Declude code is so good that it checks all three of these formats
for rigorous adherence to their standards such that it protects the
Microsoft libraries!


Andrew 8)




---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".    The archives can be found
at http://www.mail-archive.com.



--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
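
An added example, not part of either post and not Declude code: since the thread turns on which image formats can carry an ICC profile and SKIPEXT decides by file extension, this sketch identifies PNG and JPEG data by magic bytes and reports whether an embedded profile is present (the PNG `iCCP` chunk, or a JPEG APP2 segment tagged `ICC_PROFILE`). It only shows presence of a profile, not whether the profile is malformed; the function names and sample bytes are constructed for illustration.

```python
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_has_icc(data):
    """True if an iCCP chunk appears before the image data."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if ctype == b"iCCP":
            return True
        if ctype in (b"IDAT", b"IEND"):   # iCCP is only valid before IDAT
            return False
        pos += 12 + length                # length + type + data + CRC
    return False

def jpeg_has_icc(data):
    """True if an APP2 segment tagged ICC_PROFILE appears before scan data."""
    pos = 2                               # skip the SOI marker
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):        # SOS or EOI: header segments are over
            return False
        (seglen,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if seglen < 2:                    # malformed length: stop, do not loop
            return False
        if marker == 0xE2 and data[pos + 4:pos + 16] == b"ICC_PROFILE\x00":
            return True
        pos += 2 + seglen
    return False

def classify(data):
    """Return (format, has_embedded_icc) from magic bytes, not the extension."""
    if data.startswith(PNG_SIG):
        return ("PNG", png_has_icc(data))
    if data.startswith(b"\xff\xd8"):
        return ("JPEG", jpeg_has_icc(data))
    return ("other", False)

# Constructed samples: minimal headers only, not renderable images.
def make_chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
def make_seg(marker, body):
    return bytes([0xFF, marker]) + struct.pack(">H", len(body) + 2) + body
IHDR = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
PNG_ICC = PNG_SIG + IHDR + make_chunk(b"iCCP", b"x\x00\x00" + zlib.compress(b"")) + make_chunk(b"IEND", b"")
PNG_PLAIN = PNG_SIG + IHDR + make_chunk(b"IEND", b"")
JPEG_ICC = b"\xff\xd8" + make_seg(0xE0, b"JFIF\x00" + bytes(9)) + make_seg(0xE2, b"ICC_PROFILE\x00\x01\x01" + bytes(8)) + b"\xff\xd9"
JPEG_PLAIN = b"\xff\xd8" + make_seg(0xE0, b"JFIF\x00" + bytes(9)) + b"\xff\xd9"
```

Because `classify` keys on content, a PNG or JPEG saved under another extension is still recognized, which an extension-based skip list cannot do.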
