Re: [Vmyths.com ALERT] Hysteria predicted for 'JPEG Processor' vulne
From: Mike Hays (cpunews_at_HOTMAIL.COM)
Date: 09/16/04
Date: Thu, 16 Sep 2004 13:27:38 -0400
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
While I applaud your efforts at encouraging everyone to remain calm
regarding the GDI+ vulnerability, and I am especially thankful that you
clarified that the problem is with GDI+ and _not_ with JPEG, I have problems
with one of your suggestions:
"Vmyths urges you to download the patch, install it, and get on with your
life."
The problem is that there is no single patch for this vulnerability. That
makes it difficult for companies to implement the patch and audit for
compliance (not to mention the home user). That in turn makes this
vulnerability potentially valuable as an attack vector. It may not even
make a huge splash at the onset, but it could be around for a while, and a
malicious user could see that as an opportunity.
So, while the sky isn't falling, I think Microsoft did a poor job on the
release of this security bulletin. I think they need to do the following to
correct this:
* There needs to be a Microsoft tool that really detects and reports on the
presence of the vulnerability, the vulnerable application when it can, and
the path to the DLL in third party application program folders when it can't
(it would be nice if it could run remotely and from a command line, but even
an interactive version would be helpful)
* Microsoft should release a single patch that corrects all vulnerable
Microsoft applications at once (and it should not be buried in service packs
that require additional testing before deployment)
* A knowledge base article should also be set up to list third party
applications that are independently susceptible to this problem with links
to the vendor's site for a patch or corrected version of the application.
(The web page for this article should be referenced by the detection tool if
it finds third party vulnerable applications)
As this is a critical vulnerability, and Microsoft deems it as such, they
need to invest the resources in making it as easy as possible to correct the
issue upfront. Otherwise we could end up with another SQL Slammer.
Sincerely,
Mike Hays CISSP
cpunews@hotmail.com
-----
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
-----