Re: [Declude.Virus] Patch Tuesday and graphic images

2005-07-12 Thread Nick Hayer

Thanks Andrew!

-Nick

Colbeck, Andrew wrote:


Today is Microsoft Patch Tuesday for July 2005.

One of the bulletins is:

http://www.microsoft.com/technet/security/Bulletin/MS05-036.mspx

Which fails to indicate which graphics formats are affected by this
vulnerability.  It does mention that abuse thereof is indeed in the
wild.  Presumably on websites, but if you want to make sure that it is
not happening in email, you will want to remove these optimizations from
your Declude virus.cfg file:

SKIPEXT JPG
SKIPEXT JPEG
SKIPEXT PNG
SKIPEXT TIF
SKIPEXT TIFF

This contradicts my posting in May 2005 that Scott Perry said that JPG
skipping was ok vis a vis MS04-028 Q833987 because Declude Virus checks
for corrupt JPG regardless of the SKIPEXT behaviour.  That is, unless
the Declude code is so good that it checks all three of these formats
for rigorous adherence to their standards such that it protects the
Microsoft libraries!


Andrew 8)




---
This E-mail came from the Declude.Virus mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus".The archives can be found
at http://www.mail-archive.com.


 




Re: [Declude.Virus] Patch Tuesday and graphic images

2005-07-12 Thread Scott Fisher
...and hope that Declude or the AV-Engine will catch this vulnerability as 
soon as possible.


I completely agree. As a publishing company we receive lots of large jpeg 
files and the thought of having to virus scan all those, makes my mail 
server want to run and hide.


I'd like to see a comment from Declude. But they seem to be in their 
information cloak cycle again.


- Original Message - 
From: "Markus Gufler" <[EMAIL PROTECTED]>

To: 
Sent: Tuesday, July 12, 2005 3:52 PM
Subject: RE: [Declude.Virus] Patch Tuesday and graphic images




Andrew thanks for the info


...you will want
to remove these optimizations from your Declude virus.cfg file:

SKIPEXT JPG
SKIPEXT JPEG
SKIPEXT PNG
SKIPEXT TIF
SKIPEXT TIFF


... and hope that Declude or the AV-Engine will catch this vulnerability as
soon as possible.
As much as I can understand from reading the KB-Article it's something
similar to the GDI-Exploit but not the same.

Markus






RE: [Declude.Virus] Patch Tuesday and graphic images

2005-07-12 Thread Markus Gufler

Andrew thanks for the info

> ...you will want 
> to remove these optimizations from your Declude virus.cfg file:
> 
> SKIPEXT   JPG
> SKIPEXT   JPEG
> SKIPEXT   PNG
> SKIPEXT   TIF
> SKIPEXT   TIFF

... and hope that Declude or the AV-Engine will catch this vulnerability as
soon as possible.
As much as I can understand from reading the KB-Article it's something
similar to the GDI-Exploit but not the same. 

Markus



Re: [Declude.Virus] Patch Tuesday and graphic images

2005-07-12 Thread Matt
They really didn't give enough information that would allow one to 
figure out the extent of the vulnerability here.  Only RGB and CMYK 
images should have ICC profiles, but the programs that open such images 
will also open up images that have set palettes such as GIF's and BMP's.  
I don't know whether or not their software might try to open an ICC 
profile in a format in which it is not supported (or useless for).  So I 
suppose that it is a possibility that even GIF's could be affected.


It would seem to be minimally prudent to scan JPG, JPEG and PNG since 
these are the most likely to be exploited and are almost universally 
supported in E-mail clients and Web browsers.  The other ones are rare 
in E-mail so it wouldn't cause hardly any extra load to scan them.  
Scanning GIF's on the other hand might be a noticeable extra load and a 
real shame.


It's quite unbelievable that Microsoft did this twice.  We're quite 
lucky that the JPG viruses never started being spread by E-mail, but who 
knows, maybe that was not very practical to exploit and maybe this one 
is.  It's certainly an equation for disaster, especially in the fact 
that it was previously reported that images were parsed by the Web 
browser before they were written to the cache where an antivirus program 
could scan them.  That is hearsay until I see it in action though.


Matt




Colbeck, Andrew wrote:


Today is Microsoft Patch Tuesday for July 2005.

One of the bulletins is:

http://www.microsoft.com/technet/security/Bulletin/MS05-036.mspx

Which fails to indicate which graphics formats are affected by this
vulnerability.  It does mention that abuse thereof is indeed in the
wild.  Presumably on websites, but if you want to make sure that it is
not happening in email, you will want to remove these optimizations from
your Declude virus.cfg file:

SKIPEXT JPG
SKIPEXT JPEG
SKIPEXT PNG
SKIPEXT TIF
SKIPEXT TIFF

This contradicts my posting in May 2005 that Scott Perry said that JPG
skipping was ok vis a vis MS04-028 Q833987 because Declude Virus checks
for corrupt JPG regardless of the SKIPEXT behaviour.  That is, unless
the Declude code is so good that it checks all three of these formats
for rigorous adherence to their standards such that it protects the
Microsoft libraries!


Andrew 8)






 



--
=
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=
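
Added example, not part of any poster's message and not a Declude feature: MS05-036 covers the Microsoft Color Management Module, which parses the ICC profiles discussed in the message above, so this standalone Python script checks by content (magic bytes, not file extension) whether a JPEG, PNG or TIFF attachment carries an embedded profile. The function names and the sample byte strings are constructed for illustration; GIF is not covered.

```python
import struct

def _jpeg_icc(d):
    i = 2                                        # skip SOI (FF D8)
    while i + 4 <= len(d) and d[i] == 0xFF:
        marker, seglen = d[i + 1], struct.unpack(">H", d[i + 2:i + 4])[0]
        if marker in (0xDA, 0xD9) or seglen < 2: # SOS/EOI or malformed length
            return False
        if marker == 0xE2 and d[i + 4:i + 16] == b"ICC_PROFILE\x00":
            return True                          # APP2 segment holding profile data
        i += 2 + seglen
    return False

def _png_icc(d):
    i = 8                                        # skip the 8-byte signature
    while i + 8 <= len(d):
        length, ctype = struct.unpack(">I4s", d[i:i + 8])
        if ctype in (b"iCCP", b"IDAT", b"IEND"): # iCCP must precede image data
            return ctype == b"iCCP"
        i += 12 + length                         # length + type + data + CRC
    return False

def _tiff_icc(d):
    e = "<" if d[:2] == b"II" else ">"           # byte order from header
    if len(d) < 8:
        return False
    ifd = d[struct.unpack(e + "I", d[4:8])[0]:]  # bytes from the first IFD onward
    if len(ifd) < 2:
        return False
    entries = ifd[2:2 + 12 * struct.unpack(e + "H", ifd[:2])[0]]
    return any(struct.unpack(e + "H", entries[k:k + 2])[0] == 34675
               for k in range(0, len(entries) - 1, 12))  # 34675 = ICC profile tag

def has_icc_profile(data):
    """True/False for JPEG, PNG, TIFF (by magic bytes); None for anything else."""
    if data[:2] == b"\xff\xd8":
        return _jpeg_icc(data)
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return _png_icc(data)
    return _tiff_icc(data) if data[:4] in (b"II*\x00", b"MM\x00*") else None

# Constructed sample inputs: minimal headers only, not viewable images.
JPEG_PLAIN = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(9) + b"\xff\xd9"
JPEG_ICC = (JPEG_PLAIN[:-2] + b"\xff\xe2\x00\x18ICC_PROFILE\x00\x01\x01"
            + bytes(8) + b"\xff\xd9")
PNG_ICC = (b"\x89PNG\r\n\x1a\n" + struct.pack(">I4s", 13, b"IHDR") + bytes(17)
           + struct.pack(">I4s", 4, b"iCCP") + bytes(8))
TIFF_ICC = b"II*\x00" + struct.pack("<IHHHII", 8, 1, 34675, 7, 4, 0) + bytes(4)
```

A result of False only means no profile was found where each format defines one; it says nothing about whether the file is otherwise well formed.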



[Declude.Virus] Patch Tuesday and graphic images

2005-07-12 Thread Colbeck, Andrew
Today is Microsoft Patch Tuesday for July 2005.

One of the bulletins is:

http://www.microsoft.com/technet/security/Bulletin/MS05-036.mspx

Which fails to indicate which graphics formats are affected by this
vulnerability.  It does mention that abuse thereof is indeed in the
wild.  Presumably on websites, but if you want to make sure that it is
not happening in email, you will want to remove these optimizations from
your Declude virus.cfg file:

SKIPEXT JPG
SKIPEXT JPEG
SKIPEXT PNG
SKIPEXT TIF
SKIPEXT TIFF

This contradicts my posting in May 2005 that Scott Perry said that JPG
skipping was ok vis a vis MS04-028 Q833987 because Declude Virus checks
for corrupt JPG regardless of the SKIPEXT behaviour.  That is, unless
the Declude code is so good that it checks all three of these formats
for rigorous adherence to their standards such that it protects the
Microsoft libraries!


Andrew 8)



