from the a-pictures-worth-a-thousand-lines-of-malware dept.
El Reg reports
Penetration tester Marcus Murray says attackers can use malicious JPEGs to pop modern Windows servers, to gain expanded privileges over networks.
In a live hack set down for RSA San Francisco this week, the TrueSec boffin shows how he used the hack to access an unnamed US Government agency that ran a buggy photo upload portal.
A key part of the stunt is achieved by inserting active content into the attributes of a jpg image, such that the file name read image.jpg.aspx. "I'm going to try to compromise the web server, then go for back end resources, and ultimately compromise a domain controller," Murray said, adding the hack is not that difficult.
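The summary turns on a file-upload check that accepts a name like image.jpg.aspx as an image. As an added example (not code from TrueSec, El Reg or the agency portal), the Python below puts a constructed illustration of that kind of loose check next to a hardened version that trusts only the final extension, refuses stacked extensions, verifies the body's magic bytes and assigns a server-chosen name; the sample uploads are constructed for the demo.

```python
import os
import secrets
from typing import Optional

# Magic bytes for the two image types this upload endpoint is willing to store.
MAGIC = {
    "jpg": b"\xff\xd8\xff",          # JPEG (JFIF and EXIF) always opens with the SOI marker
    "png": b"\x89PNG\r\n\x1a\n",
}

def naive_is_image(filename: str) -> bool:
    """Constructed illustration of a check that lets image.jpg.aspx through:
    it asks whether an image extension appears anywhere in the name, so a
    server-side script suffix appended after '.jpg' still counts as an image."""
    name = filename.lower()
    return ".jpg" in name or ".png" in name

def hardened_accept(filename: str, head: bytes) -> Optional[str]:
    """Return a server-chosen storage name, or None if the upload is rejected.
    `head` is the first few bytes of the uploaded body."""
    # Drop any client-supplied path and look only at the final component.
    base = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lstrip(".").lower()
    if ext not in MAGIC:
        return None   # only the LAST extension counts, and .aspx is not on the allow-list
    if "." in stem or not stem:
        return None   # refuse stacked extensions such as image.jpg.aspx or image.aspx.jpg
    if not head.startswith(MAGIC[ext]):
        return None   # the body must actually be the type the extension claims
    # Never reuse the client's name: a random name with a known-safe suffix
    # leaves the web server nothing to interpret, whatever the original was.
    return f"{secrets.token_hex(16)}.{ext}"

# Constructed sample uploads: (client-supplied filename, first bytes of the body).
SAMPLE_UPLOADS = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("logo.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
    ("image.jpg.aspx", b'<%@ Page Language="C#" %>'),  # script dressed as an image
    ("photo.jpg", b'<%@ Page Language="C#" %>'),       # image name, script body
    ("../../wwwroot/photo.jpg", b"\xff\xd8\xff\xe0"),  # client path is discarded
]

def compare_checks():
    """Run both checks over the samples; returns {filename: (naive, hardened)}."""
    return {name: (naive_is_image(name), hardened_accept(name, head) is not None)
            for name, head in SAMPLE_UPLOADS}

if __name__ == "__main__":
    for name, (naive, hardened) in compare_checks().items():
        print(f"{name:26s} naive={naive!s:5s} hardened={hardened}")
```

Storing the renamed file outside any directory the web server will execute scripts from is the remaining half of the fix; the name check alone only closes the double-extension route.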
This is by no means a new attack vector.
Why are we still dealing with this over ten years later?
(Score: 5, Funny) by Anonymous Coward on Tuesday April 21 2015, @02:16PM
Which part of "Microsoft product" did you not understand?
(Score: 4, Funny) by Runaway1956 on Tuesday April 21 2015, @02:57PM
You should know the rules by now, AC. When you assign blame where it actually belongs, you get modded out of sight. Why don't you try again? Blame it on that gang of hoodlums over at BSD. Doesn't matter which gang, Free, Open, any of them will work. And, we'll blame all those Adobe exploits on Linus Torvalds. That should make things right, and get you and me modded up real high! Just don't make the mistake of blaming Apple for anything!
(Score: 1, Insightful) by Anonymous Coward on Tuesday April 21 2015, @04:20PM
At least Apple almost got it right by basing their OS on Unix.
(Score: 1) by Pseudonymous Coward on Tuesday April 21 2015, @10:42PM
And then managed to only support booting from GPT-formatted USB sticks. [apple.com]
(Score: 3, Funny) by Anonymous Coward on Tuesday April 21 2015, @04:26PM
"Micro". I always thought that meant "small", not "bloated".
(Score: 2) by VortexCortex on Tuesday April 21 2015, @06:40PM
It's only micro when it's soft, babe.
(Score: 3, Informative) by GlennC on Tuesday April 21 2015, @02:18PM
The reason we are still dealing with this problem is that the blame can be easily and quickly shifted to Somebody Else.
Between the outsourcing, offshoring, contracting and going "to the cloud", no one group has their feet held to the fire for very long.
Conversely, no one group is holding Microsoft's feet to the fire, so the Caucus Race goes on.
Sorry folks...the world is bigger and more varied than you want it to be. Deal with it.
(Score: 4, Insightful) by Thexalon on Tuesday April 21 2015, @02:33PM
Also, most of those affected by the problem are completely unaware that the problem even exists. My experience so far in dealing with organizations in relation to security is that there are basically 2 security stances that most spend most of their time in:
(A) Meh, we don't need to worry about it. Everything's fine.
(B) OMG, we were just hacked! PANIC! Throw lots of money at the problem until it goes away!
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 5, Insightful) by fadrian on Tuesday April 21 2015, @02:33PM
Security of these systems is nothing but smoke from the bottom to the top. For years, we have pushed the "first to market" button over every other consideration. I hope someone eventually figures out that, if you're building your world on software, maybe the base ought to be a bit more secure and we should take a bit of time and effort to work on that?
Naaaahhh! Bright and shiny beats safe any day. Right, fellow primates?
That is all.
(Score: 1, Funny) by Anonymous Coward on Tuesday April 21 2015, @02:55PM
OMG... the Galaxy S6 has been out more than a week! My S5 is obsolete - it barely functions as a paperweight! Hey [ATT/Verizon/T-Mobile] - Take my money!
(Score: 3, Funny) by rts008 on Tuesday April 21 2015, @03:45PM
Maybe my POV comes from doing construction work most of my life, but I try to keep always in mind that a good foundation is essential to building a good building that serves well for ages.
That could also explain why I've never been a MS fan once I learned the basics of computers (around 1996?), and their networks. :-)
Win 7 is the first MS OS that has not had me wanting to nuke Redmond within an hour of using it. I would have settled for a few strategically placed MOABs for Win 7, but changed my mind with Win 8/Metro. Nukem 'til they glow!!! ;-)
Yes, bright and shiny wins overwhelmingly.
(Score: 4, Interesting) by gnuman on Tuesday April 21 2015, @05:02PM
Maybe my POV comes from doing construction work most of my life, but I try to keep always in mind that a good foundation is essential to building a good building that serves well for ages.
Right. And when you ask almost all residential construction workers (and "foundation experts"), they'll tell you that all foundations crack within a decade and that the basement floor cracks after a year too. And both are solved problems but are deliberately sabotaged by the construction companies and building codes so they save $1-5k in rebar. They also tell you that "all basements are damp" - another complete bullshit, but hey, it saves you a day of work to waterproof the construction (and move the dewpoint to the outside wall, not the inner wall). Anyway ....
(Score: 4, Interesting) by Runaway1956 on Wednesday April 22 2015, @12:09AM
Yes, and no. Buildings settle. Foundations shift. Crap happens. But, the problem isn't the rebar. The problem, if any, is created BEFORE the rebar is tied, the concrete is poured, or any later stage of construction. It's the GROUNDWORK!
Dig down to bedrock. If that is not possible, drill piers down to bedrock, ensuring that those piers are large and strong enough to support the entire structure. Any job I did for the state of Texas required that the ground be dug out at least three feet below the foundation, then backfilled. That backfill must be compacted to at least 95%. Travel the highways in Texas, and you'll notice roadbeds being dug out, filled, dug again and filled, and dug yet again and filled. The inspectors weren't satisfied with the compaction, so the construction company does it over and over until the inspectors are happy.
I don't mean to minimize the importance of the rebar, but the groundwork has to be done right, or everything else is wasted.
You don't see many residential home builders doing that kind of groundwork ahead of construction. It's more common to see idiots dumping sand into the low spots to make the entire floor level with the high spots on the ground, and instead of a real foundation, pouring what I would call a "heavyup" around the edges. And, you're left with porous soil under your home, which moves with the seasons.
(Score: 2) by VLM on Tuesday April 21 2015, @03:11PM
The problem with bugs like this is a simple software patch doesn't fit the culturally dominant security theater model.
How can we strip search people or walk them through a scanner or racial profile them or trade lucrative contracts for election contributions if the problem is something in software? If the only good security is offensive and obnoxious security (which means anything offensive or obnoxious is also good security) then a simple patch isn't good security unless it's delivered by a SWAT team or the discovering researcher is jailed or something.
We can fix "sneaking an ounce of liquid onto an airplane" or "racial profile suspected terrorists" but the biz model doesn't know how to handle "write software that isn't crap" or "try code review" or "issue a patch".
(Score: 0) by Anonymous Coward on Tuesday April 21 2015, @05:08PM
So we need a dude in a tac vest and a gun with a black USB drive :)
(Score: 2) by Grishnakh on Tuesday April 21 2015, @03:27PM
...for using Microsoft products. Their track record has been like this for decades.
(Score: 0, Insightful) by Anonymous Coward on Tuesday April 21 2015, @03:48PM
(Score: 5, Insightful) by Grishnakh on Tuesday April 21 2015, @05:10PM
No, it is an example of how great OSS is. Every single time some vulnerability like this is discovered in OSS, it's fixed quickly (sometimes within hours), and a patch is issued immediately. No, OSS isn't perfect, and has vulnerabilities too, but when they're found, they're immediately fixed. The same simply can't be said for proprietary software. There, the companies even want to restrict people from disclosing these vulnerabilities publicly, and if they could, they'd make it illegal to EVER disclose them, because they really don't care to fix them since that affects their bottom line. This simply doesn't exist in OSS, where the creators of the software actually take pride in their work and want to fix it when problems are found.
How else do you explain a vulnerability in Windows going for 10 years without a fix?
(Score: 2) by nukkel on Tuesday April 21 2015, @06:27PM
How else do you explain a vulnerability in Windows going for 10 years without a fix?
It got promoted to 'feature'?
(Score: 3, Interesting) by panachocala on Tuesday April 21 2015, @08:06PM
Because of cooperation with NSA which was using it to infect Iranian centrifuges, etc.
(Score: 2) by FatPhil on Tuesday April 21 2015, @08:43PM
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by RobotMonster on Tuesday April 21 2015, @03:31PM
Why would you need servers for your windows?
To show jpegs on your windows?
Is this part of some home automation thing?
Windows are a thing, right? Is it too soon?
(I'll get my coat)
Seriously though, the TFA references a JPEG attack from 2004 (as does all I could find with a quick search), but I'm pretty sure there was a JPEG of Death floating around in the Windows NT days, say ~1998; it took your otherwise pretty solid (for Microsoft at the time) machine to a BSOD instantly. Good times.
(Score: 1, Funny) by Anonymous Coward on Tuesday April 21 2015, @05:52PM
but I'm pretty sure there was a JPEG of Death floating around in the Windows NT days, say ~1998
Hmm, you must be referring to the Windows logo.
(Score: 4, Insightful) by Anonymous Coward on Tuesday April 21 2015, @03:32PM
Linux servers on their critical systems.
(Score: 0) by Anonymous Coward on Thursday April 23 2015, @12:32AM
LOL word.
(Score: 3, Insightful) by WillR on Tuesday April 21 2015, @03:34PM
(Score: 4, Interesting) by Nerdfest on Tuesday April 21 2015, @04:27PM
In a related question, why are people still going to the RSA security conference when RSA demonstrably is not an organization that believes in security. I could understand people attending if they gave a conference related to "Capitalism for short term profit" or something similar.
(Score: 2) by Subsentient on Tuesday April 21 2015, @06:07PM
What's wrong with PNG?
"It is no measure of health to be well adjusted to a profoundly sick society." -Jiddu Krishnamurti
(Score: 4, Informative) by Anonymous Coward on Tuesday April 21 2015, @07:09PM
Nothing is wrong with .PNG--as long as you don't mind larger file sizes.
PNG is ideal for line drawings.[1]
PNG is good for images with few colors.
When you get into photos or images with lots of colors, PNG loses its luster.
A suggested replacement for JPG is WebP.
It became as good as JPG after improvements were made to it. [wikipedia.org]
Its owner (Google) has licensed it as gratis and libre aka an open protocol.
Good luck getting a Google competitor to support it.
Another replacement for JPG is BPG.
It is also claimed to be an "open" protocol.
It may be covered by patents that don't expire until 2033. [wikipedia.org]
(A curse on patent clerks who have approved patents on mathematics.)
[1] Please, people, stop using JPG for these.
-- gewg_
(Score: 2, Insightful) by gishzida on Tuesday April 21 2015, @08:02PM
Let's see...
What kind of idiot takes a server that sits in a DMZ and attaches it to a domain controller? A MS Admin because they are not trained that "Internet facing" servers are a danger to their local network and should be isolated... and besides Management won't sit still for adding additional security costs. Better yet just outsource the whole thing, authentication and all...
What kind of security admin allows that? One that is so busy attending to other things (certification classes, hacker conventions, and soothing poor overworked management) that they never actually do any kind of security work. Oh wait, it's too expensive to have a dedicated security admin... Outsource that position...
What kind of IT management or company management allows it? The one that can ignore the danger, work to keep costs down to increase the chance of a higher salary, and then blame and fire the lowly admins when the systems are over run by "black hats" [which might be everything from a script kiddy to their own government].
It was once said [circa 1995/6] that NT 3.51 workstation or server was secure so long as you didn't plug it into a network switch.... Windows [and management] has not changed all that much.
(Score: 0) by Anonymous Coward on Tuesday April 21 2015, @08:11PM
Near direct quote from To Sail Beyond the Sunset: The answer to any question beginning with, "Why..." is, "money."
It costs less to continue to allow intrusions to continue and pay scads of people to write detection/decontamination routines and software patches, than it does to re-engineer the entire operating system or software to disallow that class of flaw.
Also, because the economy of the United States is now inextricably tied to making systems dumb enough and multifunctional enough that average people can use them. ("But I've GOT to have my streaming / face timing / Facebooky Picturing / fad of the year!")
(Score: 1) by Pseudonymous Coward on Tuesday April 21 2015, @10:46PM
Let's hope Minix3 pans out...
(Score: 2) by darkfeline on Wednesday April 22 2015, @05:29PM
A better question is why is this relevant? No one worth their weight in non-recyclable trash would be running a (public facing) Windows server in this day and age.
Join the SDF Public Access UNIX System today!