Confirmed on WinXP SP2, all Windows updates, all Office updates. OK in Firefox (1.0PR), but crashes IE 6. And it's not even a goatse link: http://sylvana.net/test/AP4.jpg [sylvana.net]
The fact that a fully patched IE still crashes on this JPEG (and others, I'm sure) is inexcusable.
I can somewhat understand that their previous JPEG implementation had problem(s) with unchecked input. In a perfect world, programmers would be better at validating input, but we all know the rush to get SW out the door. These bugs can (unfortunately) slip by.
However, after a highly public and exploitable flaw is found in their JPEG parsing, they should have made damn sure that the 'fixed' version is rock
This is standard fare for Microsoft. They patch the particular exploit, rather than the vulnerability that allowed it.
Fatal mistake, and one they make VERY often. Remember all of the RPC viruses we had one after the other? Same vulnerability, different exploits, one bandaid after another.
I despise it when doctors treat symptoms rather than the underlying problem. This is standard operating procedure for Microsoft.
Can you PROVE this JPG that crashes my IE on my fully patched XP system crashes *because* of this vulnerability though? I mean, it could crash it if it WAS fux0red right? This isn't exactly proof of an exploit is it?
It opens in my picture & Fax viewer if I save it to my desktop and double-click it there...
I'm pretty sure this is a different flaw. Whether its exploitable or not, I don't know, but I've just run the proof of concept code being discussed in this article on my system and it does not cause a crash. Your image does. This is an unpatched Win2K system, so it isn't a case of MS doing a workaround that doesn't catch some cases of the problem. You may want to forward that image to MS's IE team, and let them analyse what's wr
Unlike many people out there, I don't bother to keep my system bleeding-edge up to date. I'm running WinXP with SP2 and IE 5.5. (Will be moving to Firefox because I like it better than Opera.) And as far as I can tell... I'm not exposed to this newest bug.
It seems like every new "update" from MS creates a whole host of new security problems to worry about.
And I couldn't seem to find a full copy of the proof of concept, just some edited versions :o(
Here's the copy I tested with (compiles with just about any C compiler, I used MS Visual C++ with the command line "cl/MD exploit.c"). I've disassembled the shell code to be sure it does what's claimed, and it seems legit to me.
// Lameness filter doesn't like C code....
This file also crashed Netscape 3.04 on Win98, in fact it BSOD'd the system (a very rare event).
I tried viewing it with QuickPictureViewer (an old DOS viewer) and in its B/W preview, it shows the file as corrupted all to hell, and won't do the full display at all.
This has something to do with the Start of Scan (SOS) block. From here [funducode.com]:
SOS (Start Of Scan) marker:
  Marker Identifier [2 bytes]
    0xff, 0xda identify SOS marker
  Length [2 bytes]
    This must be equal to 6+2*(number of components in scan).
  Number of Components in scan [1 byte]
    This must be from 1 to 4 (otherwise error), usually 1 or 3
  Each component [2 bytes]
    For each component, read 2 bytes. It contains:
      Component ID [1 byte]
        1=Y, 2=Cb, 3=Cr, 4=I, 5=Q
      Huffman table to use [1 byte]
        bit 0..3 :
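As an added example (it is not code from the thread, from funducode.com, or from any browser's JPEG decoder), here is a small C marker walker that applies the SOS rules quoted above before trusting anything in the header: the length field must be at least its own two bytes, the segment must fit inside the buffer, the component count must be 1..4, and the length must equal 6+2*Ns. The Huffman selector byte is split into a DC table nibble (high) and an AC table nibble (low), each 0..3, per the JPEG spec (ITU T.81); the quote above is cut off at that point. The sample byte strings are hand-assembled here, not real files, and the enum and function names are this example's own.

```c
/* Added example, not code from the thread: a JPEG marker walker that checks the
 * Start Of Scan (SOS) header against the rules quoted above before trusting it.
 * Nothing after the SOS header (the entropy-coded scan data) is parsed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum sos_status {
    SOS_OK = 0,
    SOS_BAD_SOI,      /* file does not start with FF D8 */
    SOS_BAD_MARKER,   /* expected FF at a marker position */
    SOS_TRUNCATED,    /* segment claims more bytes than the buffer holds */
    SOS_BAD_LENGTH,   /* length < 2, or SOS length != 6 + 2*Ns */
    SOS_BAD_NCOMP,    /* component count outside 1..4 */
    SOS_BAD_TABLE,    /* Huffman table selector outside 0..3 */
    SOS_NOT_FOUND     /* EOI reached without an SOS */
};

static const char *status_name[] = { "OK", "BAD_SOI", "BAD_MARKER", "TRUNCATED",
                                     "BAD_LENGTH", "BAD_NCOMP", "BAD_TABLE", "NOT_FOUND" };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Walk marker segments from SOI until the first SOS and validate its header.
 * Every index is bounds-checked against len before it is dereferenced. */
enum sos_status validate_sos(const uint8_t *buf, size_t len, int *ncomp_out)
{
    size_t off;
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8) return SOS_BAD_SOI;
    off = 2;
    for (;;) {
        if (off + 2 > len) return SOS_TRUNCATED;
        if (buf[off] != 0xFF) return SOS_BAD_MARKER;
        uint8_t m = buf[off + 1];
        if (m == 0xFF) { off++; continue; }            /* fill byte, skip it */
        off += 2;
        if (m == 0xD8 || m == 0x01 || (m >= 0xD0 && m <= 0xD7)) continue; /* SOI, TEM, RSTn: no length */
        if (m == 0xD9) return SOS_NOT_FOUND;            /* EOI before any scan */
        if (off + 2 > len) return SOS_TRUNCATED;
        uint16_t seglen = be16(buf + off);
        /* The length counts its own two bytes. A value of 0 or 1 would make a
         * naive "seglen - 2" payload-size calculation wrap around, so reject it. */
        if (seglen < 2) return SOS_BAD_LENGTH;
        if (seglen > len - off) return SOS_TRUNCATED;   /* segment runs past the buffer */
        if (m != 0xDA) { off += seglen; continue; }     /* not SOS: skip the segment */

        if (seglen < 3) return SOS_BAD_LENGTH;          /* need the Ns byte */
        uint8_t ns = buf[off + 2];
        if (ns < 1 || ns > 4) return SOS_BAD_NCOMP;     /* "must be from 1 to 4" */
        if (seglen != 6 + 2 * ns) return SOS_BAD_LENGTH; /* "6+2*(number of components)" */
        for (int i = 0; i < ns; i++) {
            /* per component: 1 byte ID, 1 byte selectors; high nibble = DC table,
             * low nibble = AC table (ITU T.81), each must be 0..3 */
            uint8_t sel = buf[off + 3 + 2 * i + 1];
            if ((sel >> 4) > 3 || (sel & 0x0F) > 3) return SOS_BAD_TABLE;
        }
        if (ncomp_out) *ncomp_out = ns;
        return SOS_OK;
    }
}

/* Convenience wrapper: component count of the first SOS, or -1 if invalid. */
int sos_component_count(const uint8_t *buf, size_t len)
{
    int n = 0;
    return validate_sos(buf, len, &n) == SOS_OK ? n : -1;
}

/* Constructed samples (hand-assembled for this example, not files from the thread). */
const uint8_t sample_good[] = { 0xFF,0xD8, 0xFF,0xE0,0x00,0x04,0x00,0x00,          /* SOI, APP0 */
    0xFF,0xDA,0x00,0x0C,0x03, 0x01,0x00, 0x02,0x11, 0x03,0x11, 0x00,0x3F,0x00 };   /* SOS, Ns=3 */
const uint8_t sample_zero_components[] = { 0xFF,0xD8, 0xFF,0xDA,0x00,0x06,0x00,0x00,0x3F,0x00 };
const uint8_t sample_short_length[] = { 0xFF,0xD8, 0xFF,0xDA,0x00,0x0A,0x03,        /* says 10, needs 12 */
    0x01,0x00, 0x02,0x11, 0x03,0x11, 0x00,0x3F,0x00 };
const uint8_t sample_length_underflow[] = { 0xFF,0xD8, 0xFF,0xE0,0x00,0x01,0x00 };  /* APP0 length 1 */
const uint8_t sample_truncated[] = { 0xFF,0xD8, 0xFF,0xDA,0x00,0x0C,0x03,0x01 };    /* SOS cut off */
const uint8_t sample_bad_table[] = { 0xFF,0xD8, 0xFF,0xDA,0x00,0x08,0x01, 0x01,0x4F, 0x00,0x3F,0x00 }; /* DC table 4 */

int main(void)
{
    struct { const char *name; const uint8_t *b; size_t n; } cases[] = {
        { "good", sample_good, sizeof sample_good },
        { "zero_components", sample_zero_components, sizeof sample_zero_components },
        { "short_length", sample_short_length, sizeof sample_short_length },
        { "length_underflow", sample_length_underflow, sizeof sample_length_underflow },
        { "truncated", sample_truncated, sizeof sample_truncated },
        { "bad_table", sample_bad_table, sizeof sample_bad_table },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-18s -> %s\n", cases[i].name, status_name[validate_sos(cases[i].b, cases[i].n, NULL)]);
    return 0;
}
```

The walker only decides whether the SOS header is well-formed; it does not decode the image, so it can be run over an untrusted file first and the real decoder invoked only on files it accepts.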
THIS HAS NOT BEEN FIXED, url inside (Score:5, Interesting)
will crash IE on an updated xp sp2 system.
Re:THIS HAS NOT BEEN FIXED, url inside (Score:5, Insightful)
Re:THIS HAS NOT BEEN FIXED, url inside (Score:1, Funny)
Opera is immune too (Score:1)
For me, that's the best browser ever.
Re:THIS HAS NOT BEEN FIXED, url inside (Score:2, Insightful)
Re:THIS HAS NOT BEEN FIXED, url inside (Score:2, Insightful)
Re:THIS HAS NOT BEEN FIXED, url inside (Score:1, Funny)
No errors or crashes.
How does this prove THIS HAS NOT BEEN FIXED? (Score:1)
It crashes PSP7 also! (Score:2)
Re:THIS HAS NOT BEEN FIXED, url inside (Score:4, Interesting)
will crash IE on an updated xp sp2 system.
It also crashes a Win2K system, which is NOT AFFECTED according to the original MS announcement.
Re:THIS HAS NOT BEEN FIXED, url inside (Score:2)
win2k (Score:1)
Re:win2k (Score:3, Informative)
Re:THIS HAS NOT BEEN FIXED, url inside (Score:2)
Re:THIS HAS NOT BEEN FIXED, url inside (Score:2)
Start of Scan (SOS) block (Score:2, Interesting)
Re:THIS HAS NOT BEEN FIXED, url inside (Score:1)
Keyboard error... press F1 to resume
Re:THIS HAS NOT BEEN FIXED, url inside (Score:1)