Jpeg vulnerabilty (please read)

[Elysian]

Pleas read this, it should concern everyone who coms in 'contact' with jpeg images; in E-mails, on web sites, stored jpegs, etc. Windows operating systems and applications can both be vulnerable.

http://www.microsoft.com/security/bu...0409_jpeg.mspx

My experiences so far; your operating system is well protected if you use Windows XP SP2. This doesn't mean applications will be protected.
In my case I had to patch Office XP, even if it had SP3.

Something that worries me more is this; how many of you use Google to look for images. Well I did today and this is the message that I received from my Firewall, in my case Sygate Personal Firewall Pro 5.5. build 2710;

[217] Microsoft Multiple Application/OS GDI+ JPEG Processing Buffer Overflow Vulnerability attempt detected

I got this message 3 times now while surfing Google images for a short time. Its severity was high enough fro the Firewall to block the Google images site for 10 minutes. See it as a warning guys.

It's only a vulnerabilty at this time, but security experts have information that several hacker groups are working hard to make use of this vulnerability (I'll see if I can find the article). They say that it's just a matter of time before Jpegs are used to hack your computer or to spread viruses.

Make sure that you use Microsoft's GDI+ Detection Tool http://www.microsoft.com/security/bu...0409_jpeg.mspx
You can also download it using the Microsoft Updates tool.

Be aware; if read several articles in which people said not to trust the tool, since they had experienced that it ignored files that actually needed to be patched.

My advice is to go to http://www.microsoft.com/technet/sec.../MS04-028.mspx and download all the updates manually.

Also make sure that you have the latest updates for your virus scanner. Yesterday I read that F-Prot v3.155b is already protecting systems again this possible thread.

I don't want to scare anyone, I just want to make that you guys takes this very serious.

Maybe it turns out all to be a hype (wouldn't be the first time), but the question is; do you want to take the risk...

One thing confuses me though; if Microsoft is patching its applications... why is it that we don't hear anything from companies like Adobe, Ulead, Macromedia, etc... makes you wonder.

[Clicker]

Thanks for the Detailed info, Elysian...

[mjm]

It's only a vulnerabilty at this time, but security experts have information that several hacker groups are working hard to make use of this vulnerability (I'll see if I can find the article). They say that it's just a matter of time before Jpegs are used to hack your computer or to spread viruses.

this is wrong, their are exploits in the wild for this now. easynews discovered it on the 28th, http://easynews.com/virus.html

computers are scary if you dont understand what you are doing. make sure you are patched and use good security practices.

my suggestions (full time system administrator for 250+ users & part time consultant for a bunch of small businesses).
DO NOT USE INTERNET EXPLORER! Firefox is a much superior browser, http://www.mozilla.org/products/firefox/
DO NOT USE OUTLOOK (or EXPRESS) FOR EMAIL! Thunderbird is a much better solution http://www.mozilla.org/products/thunderbird/
If you must use MS Office make sure it is fully patched. If you can I _highly_ suggest using OpenOffice http://www.openoffice.org/ Has about 95% of the functionality of Office and it is FREE.
DO NOT WORK AS ADMINISTRATOR!! That will help a ton with spyware and other crap.
Use a good firewall.
Use Anti-Virus if you didn't already do all this stuff on the list.

[Elysian]

this is wrong, their are exploits in the wild for this now. easynews discovered it on the 28th, http://easynews.com/virus.html.

Thanks, didn't know that yet, not important to know in my initial post, since I was already prepairing people for the risks that were/are ahead of them.

But now let's not all panic and suddenly get rid of Office, IE, Outlook (Express), etc.
Let's be honest; how many people who use private computers and install every update and use strict security of any kind have been hacked? Also a hacker who scans an IP range and finds 1 or 3 computer at one location is not that interested. That doesn't mean of course that you don't need to protect yourself as good as possible, but that doesn't mean we all need to go into extremes like switching everything to Linux (although I wonder if that system is more secure...) and no need for all these applications that MJM mentioned; they aren't secure either, trust me on that and if a hacker wants to get in, then he WILL get in.

I'm a heavy computer user and I was only infected once in 17 years with a virus. Big deal.
And those users who have have a safe backup, don't have to worry at all. Just clean up the mess if something goes wrong; restore your OS image and restore your data, should take 30 min at the most for the majority of home users (98% unattended)

I'm not talking here about what's best for a company; my thread is targeted at private users.

[mjm]

But now let's not all panic and suddenly get rid of Office, IE, Outlook (Express), etc.

seriously though, if you care about your system/data you will not use those applications. if you dont mind cleaning up spyware, adware, virii, etc keep on using the same old stuff ;)

Also a hacker who scans an IP range and finds 1 or 3 computer at one location is not that interested.

Are you serious?? A 'hacker' will take on any target they like, you can trust me on that.

A quick google search for "windows zombie systems spam" http://www.google.com/search?q=windo...e+systems+spam

'Hackers' are taking over systems to send out spam. They are taking over systems like mine and yours.

...switching everything to Linux (although I wonder if that system is more secure...)

Linux is designed for security (amongst other things). A default Linux install is many times more secure than a Windows install.

no need for all these applications that MJM mentioned; they aren't secure either, trust me on that

they aren't secure? can you point me to some references please. i am very interested to learn about what you are talking about here.

a hacker wants to get in, then he WILL get in.

100% true

I'm not talking here about what's best for a company; my thread is targeted at private users.

A company is just lots of end users, what is the difference?

[Trevor Ash]

This is why I've resigned with my company. Thanks for reminding me that computers are the devil.

[Elysian]

MJM, all I can say is that you're extremely exaggerating.

I'm not going to say that any of these Microsoft programs are 100% safe, but as long as you know what you're doing you can be pretty safe, because that's what we both agreed; we can never be 100% safe.

Microsoft gave the people a lot of tools and the more tools you have and also the more options you have, the higher the risks. You can strengthen the security by disabling a lot of these options or securing the system in several areas. Users are either not interested, don't have the knowledge or don't want to limit the system in some areas.
Research has proven several times that most of the security breaches are related to bad security management, either by an end user or system administrator.

All alternatives you mention are not always safe either.
Every member on this site can check this by visiting http://www.securityfocus.com/bid/title/ and selecting the title of every program you mention. You totally ignore these facts, but at the same time you're writing 3 times in capital letters "DON'T USE THIS". That's a way to give people a false sense of security, not to mention that users will still be able to screw up the security of these alternatives by their wrong actions.

Whether a default Linux install is many times more secure than a Windows install is your personal opinion. I meant what I said when I wrote "I wonder whether that OS is more sure".
I only expressed my doubts, unlike you who clearly tries to convince everybody that Linux is many times more secure than Windows.

Here, this is some research done by a respected company like Forrester Research Inc;

http://www.eweek.com/article2/0,1759,1557459,00.asp

Please tell the members who they should listen to: you or Forrester?

See, you're the one who's saying that Linux is more secure. I'm however more careful with statements like that.

Your comment that Linux is more secure than Windows has never been proven. What is a fact though is that hackers and virus makers will always target the most popular operating system. If we believe you, then we should all switch to Linux and open source applications (open source is a blessing for hackers...) and once Microsoft is dead and forgotten we have solved all the security issues that Microsoft caused all those years.
Yes, I admit, it sounds like a dream...

"A company is just lots of end users, what is the difference?"

Seriously, I have to tell a network administrator what the different priorities are of a company and a private user?

And btw... I never had the need to post my portfolio to give my words more weight.
Let me say that (looking at my own profession) that you've met your match...

Dear members, ignore my discussion with MJM and stay focused on the fact that this Jpeg vulnerability can cause a lot of havoc. Please keep that in mind and that was the whole intention of my thread, although I knew that I would see replies of Microsoft bashers.

So in the interest of the board it's best to stop continuing this discussion .

Good luck and if you have more questions, feel free to page me.

[mjm]

i guess we can agree to disagree on this one....

everyone, make sure you patch your software and dont run as admin. you will save yourself many many many headaches.

[another view]

DO NOT WORK AS ADMINISTRATOR!!

No kidding! I'm not one myself but have a couple friends that are, they'd agree.

I keep hearing from people who know a lot about Windows that Linux is really a better way to go, but it seems to me that it's more "hands on". I don't really want to spend more time on the computer and I'm not an expert. Is Linux for someone like me?

[mjm]

I don't really want to spend more time on the computer and I'm not an expert. Is Linux for someone like me?

if you aren't willing to spend some time learning a new OS then i would say no. If you have an extra computer you can 'play' with a distro on a different system.

[Sebastian]

No kidding! I'm not one myself but have a couple friends that are, they'd agree.

I keep hearing from people who know a lot about Windows that Linux is really a better way to go, but it seems to me that it's more "hands on". I don't really want to spend more time on the computer and I'm not an expert. Is Linux for someone like me?

Linux? Probably not, but there is a cool little version of Unix floating around by the name of OS X...

Linux is more secure. The numbers for vulnerabilities are actually pretty much the same on OS X as they are on Winblows, but Apple is MUCH quicker about acknowledging and patching problems.

That, and the fact that I am IN LOVE with the usability of OS X is why I'm about to pawn off a bunch of my PCs and get a PowerBook. Linux won't be desktop-ready until there is a major push by s distributor to get games and application support. I don't think there's money in desktop Linux yet, and that's why most companies like Red Hat are aiming for the corporate clients.

[Todd Patten]

Isn't watching computer geeks argue fun?

I find some Linux users kind fo funny. They run around thinking that there is this giant conspiracy against all of society and it's run my Microsoft! Damn -- if someone would simply make Linux as easy and user friendly as Windows, such that the average Joe can install a network card and not have it take 4 hours to get it working, I'd be using Linux everyday. However, I have 10 years experience in software and IT and my Linux machine sits dormant at home because I don't have the time to invest in it.

That said, I have given up on Microsoft Outlook, Outlook Express, and Internet Explorer. I use Firefox and Thunderbird and find them to be every bit as good, if not better, that the MS products and I am absolutely more secure. I LOVE tabbed browsing in Firefox. I've also started to explore OpenOffice, but have found some features lacking. Simple font rendering is not as good as MS -- particularly when converting to PDF.

Elysian -- home users should absolutley move to fortify their machines as much as they possibly can. If not just for the desire to keep the computers running smoothly. In recent months I have had no less than a dozen friends and family ask me to help them straighten out their machines because they have become usuable due to spyware. Not viruses, by simple adware and spyware. Some of them were nailed because of apps like Kazaa, but most were nailed simply because of the "Install On Demand" feature that comes turned on by default with IE.

In most of these cases, rather then spend hours trying to change registry settings and deleting files, we reformatted the machines. While you make it sound like this is no big deal, my friends and family lost tons of data and applications that were very useful and important to them. Should they have doing backups? Yeah, but lets get real. These are users who have no idea where they are saving their data.

Moreover, the last thing I want to do is install yet another service pack from Microsoft.

This latest development with jpeg's and their vulnerability in MS applications just reinforces my decision to stop using the MS products. The OS is friendly and easy to use, but their apps leave a lot to be desired when an innocent screw up can cause you to lose all your data. Imagine losing months or years worth of photo's?!? Ugh.

So, I'm with Sebastion, I'm moving towards the Mac OS. A G5 is my next purchase. Having Unix as the back end OS is simply too appealing! Throw in the beautiful interface and I'm sold.

[FadderUri]

1) Microsoft is most vulnerable, because they have the most software out there, and it's all designed to integrate into the OS. When a flaw is detected, it's magnified because of this. You can buy a PC, have nothing but MS software on it, and it will do almost everything you need. I have 4 Win2K boxes at home that I use.

2) Linux and Unix are NOT a panacea. They both have serious security flaws loaded up out of the box. If you don't believe it, check out the websites for the various distributions. In particular, check out the patch pages. I run 2 different distros at home, and I check for patches on a weekly basis.

In my professional life (until next week, at least ), I am a Unix System Admin. Working with mostly Sun and HP-UX. We get security updates and patches on a weekly basis, many of which are very severe.

3) Macs are the safest at the moment for one reason. There are so few of them, it's not worth the effort of writing viruses and worms for them. The impact wouldn't be felt hard enough to stroke the ego of the a$$hole sitting in Asia/Eastern Europe writing this crap.

Bottom line - WHATEVER you're running, make sure you have the latest security fixes, and up to date virus defs. And if you're running broadband, a hardware firewall built into your router is, in my opinion, the safest way to keep intruders out.

Just my .02

Fadder Uri

[Spike]

When I read last week about jpegs now being able to be used for viruses, I was really bummed out.

I agree completely with Fadder:

1) Microsoft is most vulnerable, because they have the most software out there, and it's all designed to integrate into the OS.
...
3) Macs are the safest at the moment for one reason. There are so few of them, it's not worth the effort of writing viruses and worms for them.

That is why I never use Outlook or Outlook Express. Of course all my friends who do, and who have me in their address books, don't help matters when it comes to email viruses. I hadn't thought of switching browsers. Is IE a major weakness? Right now at home we've got a hardware firewall, a software firewall, and virus protection / spyware software.

Spike

[Sebastian]

Is IE a major weakness?

The Department of Homeland Security suggests you stop using it...

besides the fact that it is no longer being developed, and for years has been gravely underfeatured and buggier than many of its competitors.

Firefox is the way to go. Steady updates, fast patches, and tabbed browsing is the....well, it's great.

[Spike]

Well, if the DoHS says so... then forget it! I've never heard of Firefox, sounds violent. No wonder the DoHS would prefer it to "Explorer." ;) I really don't care what Browser I use as long as it works. I used to use Netscape simply because it wasn't from Microsoft. But it got a bit too buggy.

OK, off to do some Firefox research.

Spike

The Department of Homeland Security suggests you stop using it...

besides the fact that it is no longer being developed, and for years has been gravely underfeatured and buggier than many of its competitors.

Firefox is the way to go. Steady updates, fast patches, and tabbed browsing is the....well, it's great.

[Sebastian]

http://redmondmag.com/features/artic...itorialsid=439