Re: Web based email issues
From: Colonel Flagg (colonel_flagg_at_NOSOUPFORJ00internetwarzone.org)
Date: Tue, 16 Sep 2003 21:42:41 -0400
In article <EcO9b.145391$3o3.10400837@bgtnsc05-news.ops.worldnet.att.net>, Lohkee@worldnet.att.net says...
> > That is somewhat correct, however, you can take a workable jpeg, embed
> > data in to it and it will render "under certain circumstances".
> > The point is, .jpg is no longer to be considered "safe". Period.
> There is no somewhat about it (unless you can post a displayable jpeg that
> also runs executable code). Again, this would be a function of a design flaw
> (intentional or otherwise) in the underlying OS or rendering application, or
> if you really want to reach, using an additional executable as in the recent
> "proof of concept" virus submitted to McAfee (in which case it is not an
> executable jpeg, rather a "jpeg" file that carries instructions specific to
> the companion executable). Jpegs have a very specific file format. See JPEG
> International Standard. Anything else is not a jpeg regardless of the file
> extension. Rendering apps that do not properly check header format and
> bounds do not magically make jpegs unsafe or "executable," they just show
> that whoever wrote the rendering application was a very sloppy programmer.
> No matter which way you slice it, jpegs are not unsafe or executable.
> Something else might, with a jpeg extension, be both, but then, in that
> case it is not really a jpeg.
See, you're only looking at this from one side, the administrator's
side. You're looking at it as an .exe renamed as .jpg and being run on
the local machine. This makes absolutely no difference to the average
computer user. Time and time again, folks "in the know" have and are
proclaiming "jpegs" (.jpg) to be completely safe; this is misleading. It
should never be said that _any_ file is totally safe, _everything_ has
the potential to do harm. Average users don't know the difference.
Users, in general, are computer stupid.
Yes, it takes the underlying OS or at the very least, another
application to "launch" the data contained in the infected, yet viewable
jpeg, however, without the OS, without a vulnerable daemon, without an
open port, without a.... or a..... no virus, trojan, worm, malware, etc.
".pdf's" were once safe, ".mp3's" also. Guess what? ".jpg's" are no longer safe.
"..."scenes2.jpg" links to another JPG file. While these images are
being displayed the trojan and .VBS files are run."
At the end of the above .pdf, you will note:
8) Counter Measures for such kind of activity:
"..Any incoming or outgoing data should be checked for media files such
as .JPG, .GIF etc and programs which overwrite the data embedded in them
without changing their appearance significantly should be employed."
"...For Example : Image files with unusually lengthy comments should be
truncated in their comment part."
"...This is a generic detection of a false .JPG file. A false .JPG file
is a file with a .JPG extension that is not a JPEG file type, but rather
a document that contains script, embedded objects, or an IFrame."
-- 
Colonel Flagg
http://www.internetwarzone.org/
Privacy at a click: http://www.cotse.net
Q: How many Bill Gates does it take to change a lightbulb?
A: None, he just defines Darkness™ as the new industry standard..."
"...I see stupid people."
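The countermeasures quoted in the post above (generic detection of a false .JPG, header and bounds checking, truncating unusually lengthy comments), as an added example that is not part of the original post or the quoted document. The function name `sanitize_jpeg`, the 64-byte comment threshold and the sample byte strings are assumptions constructed for illustration; the walker stops at the first start-of-scan segment and does not validate the image data itself.

```python
import struct

SOS, COM = 0xDA, 0xFE      # start-of-scan and comment markers
MAX_COMMENT = 64           # assumed policy threshold, not a value from the post

def sanitize_jpeg(data: bytes, max_comment: int = MAX_COMMENT):
    """Walk JPEG segments; return (findings, cleaned), cleaned=None if rejected."""
    if data[:2] != b"\xff\xd8":                      # no SOI: a "false .JPG"
        return ["not a JPEG: missing SOI marker"], None
    findings, out, pos = [], bytearray(data[:2]), 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length                       # length counts its own 2 bytes
        if length < 2 or end > len(data):            # bounds check on the declared size
            return findings + [f"segment length out of bounds at offset {pos}"], None
        payload = data[pos + 4:end]
        if marker == COM and len(payload) > max_comment:
            findings.append(f"COM segment of {len(payload)} bytes truncated")
            payload = payload[:max_comment]
        out += bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload
        pos = end
        if marker == SOS:                            # scan data follows; copy it as-is
            return findings, bytes(out + data[pos:])
    return findings + [f"malformed or missing segment at offset {pos}"], None

# Constructed samples: structurally valid segments, not a decodable picture.
def seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

SCAN = b"\x00\x01\x02\xff\xd9"                       # fake scan data plus EOI
GOOD = (b"\xff\xd8" + seg(0xE0, b"JFIF\x00") + seg(COM, b"A" * 300)
        + seg(SOS, b"\x00") + SCAN)
FALSE_JPG = b"<html><iframe src='x'></iframe></html>"  # markup saved as .jpg
OVERRUN = b"\xff\xd8" + b"\xff\xe0\xff\xff" + b"JFIF"  # claims 65535 bytes, has 4

if __name__ == "__main__":
    for name, blob in [("good", GOOD), ("false", FALSE_JPG), ("overrun", OVERRUN)]:
        findings, cleaned = sanitize_jpeg(blob)
        print(name, findings, None if cleaned is None else len(cleaned))
```

A mail gateway would apply this by content, ignoring the file extension, and quarantine anything for which the second return value is `None`.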