Tiger Mountain Technologies

[forhire]

Recently I ran accross a link to an expoited jpeg image that demonstrates the abilty to crash unpatched systems (if you must have the link http://sylvana.net/test/AP4.jpg but remember you've been warned). Being curios I clicked it and sure enough IE in WinXP w/SP2 crashed. I then went to Microsoft Windows Updated and verified that the problem was most likely caused by Office XP... except I don't have OfficeXP... but my laptop did come pre-installed with WordXP... so I started the 53meg upgrade to OfficeXP only to find that it wouldn't update my WordXP because the update was for Office. Argh!

So I uninstall Word (because I use OpenOffice.org anyway). And try it again. Still crashed IE.

What am I going to do... switch to Firefox.

JPEG Processing (GDI+) Security Issue:
http://www.microsoft.com/security/bulle ... _tool.mspx

[forhire]

I just used Microsoft's tool on my Windows 2000 machine and it passed and returned this response:
"No affected imaging software was found on this computer."

Unfortunately the above mentioned image file cause it to crash! Maybe the GDI issue is larger than expected?

[forhire]

Image rendered perfectly in Firefox 0.9.1

[forhire]

I verified that this image is using a different exploit than the GDI+ exploit that MS is patching for. On a sample GDI+ exploited image my patched system handles it WITHOUT crashing but this begs the question... what is wrong with the other jpeg if it's not a GDI issue?

[forhire]

I updated the virus scanner to block these types of images from passing via e-mail. The good news it that I haven't noticed any of these in the wild

[forhire]

Even though windows updates says I'm fully patched I found a tool that does a complete scan:
http://isc.sans.org/gdiscan.php

You guessed it... not patched, argh!

Scanning Drive C:...
C:\Program Files\Common Files\Microsoft Shared\Ink\gdiplus.dll
Version: 5.1.3097.0 <-- Vulnerable version
C:\Program Files\Common Files\Microsoft Shared\VGX\vgx.dll
Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
C:\WINNT\Microsoft.NET\Framework\v1.1.4322\gdiplus.dll
Version: 5.1.3101.0 <-- Vulnerable version
C:\WINNT\system32\dllcache\vgx.dll
Version: 6.0.2800.1106 <-- Possibly vulnerable (Win2K SP2 and SP3 w/IE6 SP1 only)
Scan Complete.

Where do I go from here? I'd assume that replacing the vulnerable version by hand would do the trick... or it might break a bunch more stuff.

[forhire]

I have verified that our email antivirus is detecting GDI+ exploited images as:
/var/spool/vscan/amavis/amavis-14221232/parts/msg-18625-2.jpg Contains the exploit named W32/MS04-028@expl