Vmyths.com Virus Hysteria Alert
Truth About Computer Security Hysteria
{15 September 2004, 01:55 CT}

CATEGORIES: (1) Misconceptions about a real computer security threat
            (2) A historical perspective on recent hysteria

Microsoft has issued a "critical" alert regarding a "buffer overrun" in software it 
uses to display JPEG images.  In theory, if you try to view a specially crafted JPEG 
file, it could take over your computer and do whatever it wishes.  Microsoft has 
released a security patch to fix this buffer overrun.  Vmyths urges you to download 
the patch, install it, and get on with your life.

   Buffer Overrun in JPEG Processing Could Allow Code Execution:
      http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

Vmyths believes media outlets will POUNCE on this story, because (a) Microsoft 
announced a "critical" vulnerability in the way its software reads a ubiquitous file 
type, and (b) computer emergency response teams have issued their own alerts.  Watch 
for breathless speculation and hysteria in the coming days.  Some naïve system 
administrators may tell reporters they'll delete JPEG files from emails and refuse to 
let web browsers display JPEG files, "strictly as a precaution."  (We don't expect 
anyone will implement this Draconian measure for very long.  We believe too many users 
will clamor against it.)

   Remember this when virus hysteria strikes:
      http://Vmyths.com/resource.cfm?id=31&page=1

Microsoft's "JPEG Processor" vulnerability manifests itself as a buffer overrun in a 
piece of software.  It is NOT caused by the JPEG file format itself.  Buffer overruns 
are extremely common: you'll find them in almost every large software application 
(even antivirus software).  They can create situations where even a filename itself 
can wreak havoc.  By definition, every buffer overrun will eventually join its 
brothers in the land of obscurity.

   Buffer overruns in antivirus software:
      http://zdnet.com.com/2100-11-515441.html

The "Code Red" worms successfully exploited a buffer overrun in 2001, and Vmyths 
believes some reporters will allude to this -- as if to imply a horrific JPEG attack 
may be just around the corner.  Buffer overruns are extremely common, yet they are 
only rarely exploited.  Researcher Georgi Guninski, for example, publishes "proof 
of concept" exploits for many of the "critical" buffer overruns he finds.  Guninski's 
exploits have never made a splash despite his best efforts.


A little history -- this isn't the first time an image file format has come under 
fire.  An April Fool's joke targeted JPEG files a decade ago:

   1994 April Fool "JPEG virus" alert:
      http://www.2meta.com/april-fools/1994/JPEG-Virus.html

In 2001, researchers claimed a specially crafted GIF file could be used to cause a 
buffer overrun in Microsoft Outlook.  The flaw was in Outlook, not in GIF: it was 
purely a coincidence that the file which triggered it happened to be a GIF.

In 2002, the "Perrun" virus added software to the computers it infected, then it 
modified the Windows registry so future viruses could "ride" inside a JPEG file.  The 
virus writer could have chosen to do the same thing with GIF files or even TEXT files.
Antivirus vendor Sophos urged restraint over the Perrun virus, saying "some 
anti-virus vendors may be tempted to predict the end of the world as we know it, or 
warn of an impending era when all graphic files should be treated with suspicion.  
Such experts should be ashamed of themselves."

   McAfee gets slapped in 2002 for "JPEG virus" alert:
      http://www.sophos.com/virusinfo/articles/perrun.html


Vmyths suspects a hoax virus alert will arise with instructions to delete the JPEG 
registered file type in Windows.  (It's practically a self-fulfilling prophecy.)  Such 
a hoax will play on the user's misconception of the threat.  Don't take unsolicited 
advice from people who are NOT experts.  Users who delete the JPEG registered file 
type will damage their own operating systems.

   False Authority Syndrome
      http://Vmyths.com/fas/fas1.cfm

Stay calm.  Stay reasoned.  And stay tuned to Vmyths.

Rob Rosenberger, editor
http://Vmyths.com
[EMAIL PROTECTED]
(319) 646-2800

Acknowledgements:
   Phone call from Kevin Poulsen, SecurityFocus

--------------- Useful links ------------------

Common clichés in the antivirus world
http://Vmyths.com/resource.cfm?id=22&page=1

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html