Re: Web based email issues

From: Colonel Flagg (colonel_flagg_at_NOSOUPFORJ00internetwarzone.org)
Date: 09/17/03

    Date: Tue, 16 Sep 2003 21:42:41 -0400
    
    

    In article <EcO9b.145391$3o3.10400837@bgtnsc05-news.ops.worldnet.att.net>,
    Lohkee@worldnet.att.net says...

    > > That is somewhat correct, however, you can take a workable jpeg, embed
    > > data into it and it will render "under certain circumstances".
    > >
    > > The point is, .jpg is no longer to be considered "safe". Period.
    > >
    > >
    >
    > There is no somewhat about it (unless you can post a displayable jpeg that
    > also runs executable code). Again, this would be a function of a design flaw
    > (intentional or otherwise) in the underlying OS or rendering application, or
    > if you really want to reach, using an additional executable as in the recent
    > "proof of concept" virus submitted to McAfee (in which case it is not an
    > executable jpeg, rather a "jpeg" file that carries instructions specific to
    > the companion executable). Jpegs have a very specific file format. See JPEG
    > International Standard. Anything else is not a jpeg regardless of the file
    > extension. Rendering apps that do not properly check header format and
    > bounds do not magically make jpegs unsafe or "executable," they just show
    > that whoever wrote the rendering application was a very sloppy programmer.
    > No matter which way you slice it, jpegs are not unsafe or executable.
    > Something else might, with a jpeg extension, be both, but then, in that
    > case it is not really a jpeg.
    >
    > Lohkee!
    >

    See, you're only looking at this from one side, the administrator's
    side. You're looking at it as an .exe renamed as .jpg and being run on
    the local machine. This makes absolutely no difference to the average
    computer user. Time and time again, folks "in the know" have and are
    proclaiming "jpegs" (.jpg) to be completely safe; this is misleading. It
    should never be said that _any_ file is totally safe, _everything_ has
    the potential to do harm. Average users don't know the difference.
    Users, in general, are computer stupid.

    Yes, it takes the underlying OS or at the very least, another
    application to "launch" the data contained in the infected, yet viewable
    jpeg, however, without the OS, without a vulnerable daemon, without an
    open port, without a.... or a..... no virus, trojan, worm, malware, etc.
    would work.

    ".pdf's" were once safe, ".mp3's" also. Guess what? ".jpg's" are no longer safe.

    Proof:

    http://vil.nai.com/vil/content/v_99299.htm

    "..."scenes2.jpg" links to another JPG file. While these images are
    being displayed the trojan and .VBS files are run."

    http://www.g-con.org/speakers/Proof_concept_parasites/termite.pdf

    At the end of the above .pdf, you will note:

    8) Counter Measures for such kind of activity:

    "..Any incoming or outgoing data should be checked for media files such
    as .JPG, .GIF etc and programs which overwrite the data embedded in them
    without changing their appearance significantly should be employed."

    "...For Example : Image files with unusually lengthy comments should be
    truncated in their comment part."

    Fake JPG's:

    http://vil.nai.com/vil/content/v_99576.htm

    "...This is a generic detection of a false .JPG file. A false .JPG file
    is a file with a .JPG extension that is not a JPEG file type, but rather
    a document that contains script, embedded objects, or an IFrame."

    -- 
    Colonel Flagg
    http://www.internetwarzone.org/
    Privacy at a click:
    http://www.cotse.net 
    Q: How many Bill Gates does it take to change a lightbulb?
    A: None, he just defines Darkness™ as the new industry standard..."
    "...I see stupid people."
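
The two countermeasures quoted in the message above (rejecting a "false .JPG" and truncating unusually lengthy comments), as an added example that is not part of the original post. The function names, the 64-byte limit and the sample bytes are assumptions constructed for illustration; the code walks header segments only and does not decode image data.

```python
import struct

COMMENT_LIMIT = 64  # assumed cut-off for an "unusually lengthy" comment, in bytes

def seg(marker, payload):
    """Build one JPEG segment: FF <marker> <2-byte big-endian length> <payload>."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def segments(data):
    """Yield (marker, offset, payload) for each header segment up to SOS.
    Raises ValueError when the bytes are not a structurally valid JPEG header."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("no SOI marker: not a JPEG, whatever the extension says")
    pos = 2
    while True:
        while pos + 1 < len(data) and data[pos] == 0xFF and data[pos + 1] == 0xFF:
            pos += 1                                   # skip fill bytes
        if pos + 4 > len(data) or data[pos] != 0xFF:
            raise ValueError(f"bad or truncated segment at offset {pos}")
        marker = data[pos + 1]
        if marker in (0x00, 0x01) or 0xD0 <= marker <= 0xD9:
            raise ValueError(f"unexpected marker 0x{marker:02x} before start of scan")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"segment length out of bounds at offset {pos}")
        yield marker, pos, data[pos + 4:pos + 2 + length]
        pos += 2 + length
        if marker == 0xDA:                             # SOS: image data follows
            return

def check_and_clean(data, limit=COMMENT_LIMIT):
    """Return (findings, cleaned): findings lists (offset, size) of each COM
    segment over `limit`; cleaned is the file with those comments truncated."""
    findings, out, end = [], bytearray(b"\xff\xd8"), 2
    for marker, pos, payload in segments(data):
        end = pos + 4 + len(payload)                   # end of segment in input
        if marker == 0xFE and len(payload) > limit:    # 0xFE = COM (comment)
            findings.append((pos, len(payload)))
            payload = payload[:limit]
        out += seg(marker, payload)
    return findings, bytes(out) + data[end:]           # image data copied as-is

# Constructed inputs: a JPEG-shaped header with a 500-byte comment, and a
# document carrying a .jpg name (the "false .JPG" case).
SAMPLE = (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + seg(0xFE, b"A" * 500) + seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
          + b"\x12\x34\xff\xd9")
FAKE = b"<html><iframe src='x'></iframe></html>"

if __name__ == "__main__":
    print(check_and_clean(SAMPLE)[0])
```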
    
