09-16-2004, 09:36
|
||||
|
||||
JPEG圖檔漏洞危及Windows PC
CNET新聞專區:Robert Lemos 15/09/2004
微軟公司14日公佈其軟體處理JPEG圖檔過程中某一重大瑕疵的修補程式,並呼籲顧客使用新工具找出有此漏洞的許多應用軟體。 這項嚴重瑕疵一定和微軟的作業系統及其他軟體如何處理廣泛使用的JPEG檔有關,並且能讓攻擊者創造一個點閱後即可在受害電腦執行惡意程式的影像檔。由於微軟的IE瀏覽器有許多漏洞,Windows使用者可能只是造訪帶有這類影像的網站就受到攻擊。 有鑑於該瑕疵的嚴重程度,某些安全專家擔心,利用這個問題的病毒很快就會出現。軟體安全公司McAfee的病毒研究經理Craig Schmugar說:「攻擊的可能性非常高。但我們尚未發現任何概念驗證程式。」這類程式會展示如何利用特定的瑕疵,且通常在軟體商公佈修補程式後迅速出現。 受影響的至少有十幾種微軟的應用軟體和作業系統的不同版本,包括Window XP、Windows Server 2003、Office XP、Office 2003、IE 6、Service Pack 1、Project、Visio、Picture It和Digital Image Pro。完整名單公佈在微軟網站的公告中。目前正陸續下載到許多顧客電腦中的Service Pack 2,並未含有該瑕疵。 微軟的事故反應中心安全程式經理Stephen Toulouse表示:「難處在於(有瑕疵的功能)存在許多不同產品中。」由於太多應用軟體都有這項瑕疵,微軟必須創造個別的工具幫助顧客更新電腦。Windows Update的使用者將被導向微軟的Office Update工具,然後是尋找並更新造像與顯影應用程式的工具。這些工具是微軟未來產品的預告,Toulouse說:「顧客最重要的心聲之一,就是簡化軟體更新過程。我們的目標是建立一個統一的更新機制。」 出於必要,Linux經銷商已經發展出這種統一的更新軟體,不僅能更新核心作業系統,也包括其他開放原始碼社群所創造的應用軟體。然而,Windows大多數應用軟體是由微軟之外的公司製造,使得這種統一的更新系統在政策上更難實現。 JPEG處理過程瑕疵讓影像中潛藏的程式在受害者的系統中執行,這項瑕疵和8月初發現的另一種影像漏洞無關。該項漏洞,存在圖書館用來支援可攜式網路圖形(PNG)格式的一種普通程式中,影響Linux、Windows和蘋果Mac OS X等系統的應用軟體。JPEG和PNG都是網站普遍使用的格式。 微軟已於今年4月推出一項通知計劃,任何與該公司簽署一份非公開協議的顧客,都在三天前收到這次JPEG瑕疵的警告。Toulouse表示:「有些顧客希望得到更多資訊。」通知計劃參與者所得到的資訊,僅限於若干瑕疵、受影響的應用軟體,和相關瑕疵的最高威脅等級。 JPEG影像處理過程漏洞,是微軟最新發現的產品瑕疵,也是該公司今年第28次公告的主要內容。微軟經常用一份公告涵蓋多個問題;例如今年4月的四份公告便包含20個以上安全漏洞。微軟14日公佈的第二個修補程式,是針對Office、Publisher、Word和Works當中WordPerfect檔案轉換器的瑕疵。該瑕疵屬第二高威脅的「重要」等級,僅次於「嚴重」。若使用者開啟一份惡意的WordPerfect文件,這項漏洞便可讓攻擊者控制受害者的電腦。微軟建議顧客使用Office Update下載修補程式。(陳智文) Microsoft 官網資料: http://www.microsoft.com/security/bu...jpeg_tool.mspx
__________________
|
|
09-17-2004, 14:27
|
||||
|
||||
|
引用:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Technical Cyber Security Alert TA04-260A Microsoft Windows JPEG component buffer overflow Original release date: September 16, 2004 Last revised: -- Source: US-CERT Systems Affected This vulnerability affects the following Microsoft Windows operating systems by default: * Microsoft Windows XP and Microsoft Windows XP Service Pack 1 * Microsoft Windows XP 64-Bit Edition Service Pack 1 * Microsoft Windows XP 64-Bit Edition Version 2003 * Microsoft Windows Server 2003 * Microsoft Windows Server 2003 64-Bit Edition Other Microsoft Windows operating systems, including systems running Microsoft Windows XP Service Pack 2, are not affected by default. However, this vulnerability may affect all versions of the Microsoft Windows operating systems if an application or update installs a vulnerable version of the gdiplus.dll file onto the system. Please note that this vulnerability affects any software that uses the Microsoft Windows operating system or Microsoft's GDI+ library to render JPEG graphics. Please see Systems Affected section of the vulnerability note to determine if third-party software is affected. A list of affected Microsoft products is available in Appendix B, or for the complete list of affected and non-affected Microsoft products, please see Microsoft Security Bulletin MS04-028. Overview Microsoft's Graphic Device Interface Plus (GDI+) contains a vulnerability in the processing of JPEG images. This vulnerability may allow attackers to remotely execute arbitrary code on the affected system. Exploitation may occur as the result of viewing a malicious web site, reading an HTML-rendered email message, or opening a crafted JPEG image in any vulnerable application. The privileges gained by a remote attacker depend on the software component being attacked. I. Description Microsoft Security Bulletin MS04-028 describes a remotely exploitable buffer overflow vulnerability in Microsoft's Graphic Device Interface Plus (GDI+) JPEG processing component. Attackers can exploit this vulnerability by convincing a victim user to visit a malicious web site, read an HTML-rendered email message, or otherwise view a crafted JPEG image with a vulnerable application. No user intervention is required beyond viewing an attacker-supplied JPEG image. Any applications (Microsoft or third-party) that use the GDI+ library to render JPEG images may present additional attack vectors for this vulnerability. While some applications use the Windows operating system version of the GDI+ library, other applications may install and use another version, which may also be vulnerable. Microsoft has created a GDI+ Detection Tool to help detect products that may contain a vulnerable version of the JPEG parsing component. Microsoft Knowledge Base Article 873374 provides instructions on how to download and use this tool. In addition to running Microsoft's detection utility, we recommend searching your system for "gdiplus.dll" to help determine what third-party applications may be affected by this vulnerability. Also note that applications may re-install a vulnerable version of the GDI+ library if re-installed after a patch has been applied. We are tracking this vulnerability in Vulnerability Note VU#297462. This reference number corresponds to CVE candidate CAN-2004-0200. II. Impact Remote attackers exploiting the vulnerability described above may execute arbitrary code with the privileges of the user running the software components being attacked. III. Solution Apply patches from Microsoft Apply the appropriate patches as specified in Microsoft Security Bulletin MS04-028. Please note that this bulletin provides several updates to the operating system and various applications that rely on GDI+ to render JPEG images. Depending on your system's configuration, you may need to install multiple patches. In addition to releasing some patches on Windows Update, Microsoft has released some patches on Office Update, and developer tool patches are available from MS04-028. Apply patches from third-party vendors Third-party software that relies on GDI+ to render JPEG images may also need to be updated. Apply the appropriate patches specified by your vendor. Please see the your vendor's site and the Systems Affected section of the vulnerability note for more information. Depending on your system's configuration, you may need install multiple patches. Follow Microsoft recommendations for workarounds Microsoft provides several workarounds for this vulnerability. Note that these workarounds do not remove the vulnerability from the system, and they will limit functionality. Please consult the "Workarounds for JPEG Vulnerability - CAN-2004-0200" section of Microsoft Security Bulletin MS04-028. Appendix A. References * Microsoft Security Bulletin MS04-028 - * Microsoft End User Security Bulletin for MS04-028 - * US-CERT Vulnerability Note VU#297462 - * Microsoft KB Article 873374 - * CVE CAN-2004-0200 - Appendix B. Affected Microsoft Products The following Microsoft Products are affected: * Microsoft Office XP Service Pack 3 * Microsoft Office XP Service Pack 2 * Microsoft Office XP Software: + Outlook 2002 + Word 2002 + Excel 2002 + PowerPoint 2002 + FrontPage 2002 + Publisher 2002 * Microsoft Office 2003 * Microsoft Office 2003 Software: + Outlook 2003 + Word 2003 + Excel 2003 + PowerPoint 2003 + FrontPage 2003 + Publisher 2003 + InfoPath 2003 + OneNote 2003 * Microsoft Project 2002 Service Pack 1 (all versions) * Microsoft Project 2003 (all versions) * Microsoft Visio 2002 Service Pack 2 (all versions) * Microsoft Visio 2003 (all versions) * Microsoft Visual Studio .NET 2002 * Microsoft Visual Studio .NET 2002 Software: + Visual Basic .NET Standard 2002 + Visual C# .NET Standard 2002 + Visual C++ .NET Standard 2002 * Microsoft Visual Studio .NET 2003 * Microsoft Visual Studio .NET 2003 Software: + Visual Basic .NET Standard 2003 + Visual C# .NET Standard 2003 + Visual C++ .NET Standard 2003 + Visual J# .NET Standard 2003 * The Microsoft .NET Framework version 1.0 SDK Service Pack 2 * Microsoft Picture It! 2002 (all versions) * Microsoft Greetings 2002 * Microsoft Picture It! version 7.0 (all versions) * Microsoft Digital Image Pro version 7.0 * Microsoft Picture It! version 9 (all versions, including Picture It! Library) * Microsoft Digital Image Pro version 9 * Microsoft Digital Image Suite version 9 * Microsoft Producer for Microsoft Office PowerPoint (all versions) * Microsoft Platform SDK Redistributable: GDI+ * Internet Explorer 6 Service Pack 1 * The Microsoft .NET Framework version 1.0 Service Pack 2 * The Microsoft .NET Framework version 1.1 _________________________________________________________________ Feedback can be directed to the US-CERT Technical Staff. _________________________________________________________________ This document is available from: _________________________________________________________________ Copyright 2004 Carnegie Mellon University. Terms of use: _________________________________________________________________ Revision History Sept 16, 2004: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iQEVAwUBQUnrRhhoSezw4YfQAQJUHQf/RWwQLPaATa/RdE+j8PLEiJdLlh17XxaR b0/irS0+Sx83t7HAuWgQdZR4xu5qIkUuWYKCTEPNHNXfwSNJc6LE3/MfoEurFVzE SdChZa3/q3rc3631COon9B8yNVvUQqaQIe3BjwwJWlaj4F9Su9QrcO7N6JpVuJsW dc0FuiVy/fJB2Jji+31q3krekW2BHuTA0I7TUaahwy18RHnJDNPUgldQenf8+A6E Y8G98ofdruO/zR5jIceRKpd2lTWFamQmV5IgvH25LoXro1negtS72SkqWl4zqVyK 12bfvjkFWqRhociMssA4ehz52SqUT71lZCyxFkqtrNiJuDJrkgek3w== =CCT/ -----END PGP SIGNATURE-----
__________________
|
|
09-30-2004, 09:23
|
||||
|
||||
|
安全專家: JPEG病毒 差一步就擴散
CNET新聞專區:Robert Lemos 29/09/2004 安全專家週二表示,一種利用最近被發現的所謂JPEG圖像漏洞的特洛伊木馬程式被發佈到了幾個新聞論壇中,但它現在還不會自動傳播。 儘管該特洛伊木馬程式只對這些新聞群組的用戶造成威脅,但電腦安全專家警告,這樣的程式碼只要只差一小步就會成為實質有效的電腦病毒。 安全軟體商賽門鐵克(Symantec)意外回應部門資深經理Oliver Friedrichs表示,「這個漏洞已經快成為蠕蟲了。」 專家先前已經預期會有不肖份子利用該漏洞將病毒碼隱藏在JPEG圖檔中散佈到網路留言版中,這是因為微軟Windows作業系統中有個嚴重漏洞所致。而如何利用該漏洞的詳細手法也於之前被公開,Friedrichs表示,如何自動創造出含有毒碼JPEG圖檔的工具也越來越厲害。 線上新聞群組供應商Easynews週二發現了這篇最新的病毒文章,內容故意要求用戶下載有藏毒的圖檔,然後在Windows Explorer中觀看,如此就可感染用戶的電腦。這種作法讓可能上當感染的用戶相當有限,Friedrichs表示。 微軟公司認為該特洛伊木馬程式根本沒有什麼威脅。 該公司在聲明中表示,「由於用戶還得進行一連串動作後才會中毒,微軟公司認為它對客戶不會構成很大的威脅。我們將對它繼續進行調查,並向客戶提供必要的指導。」 Easynews公司表示,掃描軟體已經在新聞群組中發現了二個內置有惡意程式碼的JPEG圖像檔。 安全廠商F-Secure公司在 Weblog中表示,「被Easynews公司稱之為病毒的惡意程式碼沒有任何傳播機制。這些JPEG圖像不能自動複製,因此不能稱之為病毒。駭客試圖利用這些JPEG圖像向用戶的電腦下載特洛伊木馬程式,但下載網站現在應該早已被關閉了。」 防毒專家表示,賽門鐵克公司稱之為Trojan.Moo的程式碼很顯然是由數名駭客發佈的自動化軟體創造的。 被稱為JPEG of Death的這款工具正在被程式人員不斷更新,可能很快就能夠製造出利用漏洞的電腦病毒。安全軟體廠商McAfee公司的病毒研究經理Craig Schmugar表示,「我認為,由於該工具的程式碼已經被發佈到網路上,其他人會利用該工具創建新版本的病毒。」 JPEG漏洞會影響好幾個微軟軟體應用與作業系統,包括Windows XP、Windows Server 2003、Office XP、Office 2003、IE 6 SP1、Project、Visio、Picture It與Digital Image Pro。微軟已經公布所有會受影響的軟體。至於最新公布的Windows XP SP2則不會受到影響。(陳奭璁整理)
|
|
平鋪模式
