JPG "trojan" (wtf?)

So I’m seeing various headlines on google news about “infected JPGs” showing up on newsgroups and “it’s not really a virus but it could easily be modified into one” and how this is a terrible new security vulnerability etc. etc. etc. but not a one of them bothers to actually explain how the vulnerability in question works.

I suspect I already know the answer to this, but is this just another stupid thing with Internet Explorer that won’t affect me at all as long as I use a generic 3rd party display utility that doesn’t try anything complicated and wouldn’t understand the s3krit c0d3z except as corruption to be discarded?

My understanding is that this is a bug with Microsoft’s GDI+ library, and that consequently viewing an infected jpeg in any capacity will resulting in what you are describing. To make matters worse, pre-XP, Microsoft recommended multiple copies of the GDI+… one per application. However, Microsoft Update seems to have an autoscan that will search and replace any copies of the library it finds on your computer. But until you do that, no, you are not protected simply by not using IE.

The autoscan inexplicably misses copies. Make sure you manually scan the entire drive for Gdiplus.dll too.

The reason no one ever explains these things in the news is because the reporters, the editors, and even the consultants they interview tend not to understand them themselves.

I don’t even understand it fully, but I shall attempt to explain and reference some good info.

That page offers up some info on the libpng vulnerabilities that were found in early Augst. These vulnerabilities took advantage of the rendering library for .gifs and .png image files.

So, some brilliant little geek with lots of time on his hands reasoned that, because this sort of thing worked on the implimentations of gif rendering in just abouyt every browser and operating system, why not the .jpg rendering libraries?

And, of course, the only operating system he managed to find vulnerabilities in was…


Don’t fret. Much of these security threats are BS anyway. They’re not terribly dangerous to a simple end user. Just like yoru article said, this vuln “COULD” be used to create a trojan.

Anyone who’s taken the time and effort to actually write such a trojan would only do two things with it:

  1. keep it to himself and use it to own very specific computers for personal gain

  2. put it out in a script for the kiddies to bandy around and cause havok, thus insuring that his vulnerability and code are rendered useless as all the major OS manufacturers patch the hole.

Security is fairly simple, actually: Don’t run anything you don’t trust, never download files you don’t trust, and never let anyone you don’t trust use your computer. Unless you’re a major bank, you should be OK. No one really has much vested interest in hacking someone’s personal computer unless there’s a vendetta involved. And if you do get hacked, it’s probably just by some script kiddie who pressed a button and owned 500 other machines along side yours.

The short answer is “buffer overflow lets the attacker execute arbitary code - and own your box - or crash the system.”

This is a significantly more annoying kind of vulnerability since it comes in something everyone thinks is safe - displaying an image.

I’ve had my anti-virus pop twice about this while browsing forums. It’s out there.

Does this work on systems with the NX bit and SP2? I thought that tech was supposed to prevent buffer overflow attacks…