<<< Date Index >>>     <<< Thread Index >>>

Re: Microsoft's GDI Detetection Tool faults

Everyone better start getting the good patch soon before the new Sasser worm 
begins to spread! It's only a matter of time...
I have some things to say to you, and others. Then I will elaborate on _yet_another_ JPEG vulnerability. 

I'll reply in the following order:
1. Patches are good.
2. Doomsday worms.
3. Media hype.
4. *New* JPEG vulnerability.
   (Let's hype it!)
Although installing patches and checking for new patches is sound advice, and although this vulnerability has potential for harm, I just don't get it.
Why go around spreading fear of a "doomsday worm"? If a worm shows up, it will. The social engineering risk of this vulnerability is considerably higher/easier than that of others in the past. Yet, there were similar vulnerabilities that ended up not "working out" for the bad guys.
Are "viruses" as a group going to employ this? Absolutely. I am positive of that fact.
Is it going to be huge? It might, I just don't see any reason to commit to it. It might just as simply be forgotten by next month's MS security patch release.
Picking out one security issue a month and hyping it is bad policy, and I wish security experts would stop playing along with the media on this.
Unlike some other vulnerabilities, this one is relatively easy to cope with in a "virus scan". Although compressed and thus problematic, the JPEG format is very orderly and simple. Any tampered JPEG would be discovered from a distance if somebody just looked.
AV and IDS tools detect it, and people download the patches. That's good enough and as good as anything we can do.
Those who do not install, update and use an AV, or fail to install patches will fall, as they always do. But how is that different than with any other worm?
Malware will appear that will use this, and in fact - a creation kit already appeared this Friday, but please.. please.. I beg of you (not you specifically) - stop the media hype of the situation.
People should be aware of the risks, protect themselves and not believe everything they see online. Throwing populations into a fit over this worm or that may be profitable, but it sure as hell won't solve the main issues. 
That's all just wishful thinking, though.
There was a second problem with JPEGs, discovered by Maik Morgenstern, AV-Test.org. They found a picture that was tampered to kill IE, different from the problem disclosed in MS04-028 and discovered a year ago (!!).
(a year.. makes you wonder, did they wait to release SP2 and what else is waiting for us that miraculously doesn't effect SP2?).
Unlike that vulnerability, this one works on SP2 but doesn't seem to be exploitable.
According to AV-Test.org/de, this was found in-the-wild. I am not their spokesman, although I am rather enthusiastic about their work. I only wish to stress the point that there is life beyond the monthly media-pick. 

        Gadi Evron.