SoylentNews is people
SoylentNews
from the a-pictures-worth-a-thousand-lines-of-malware dept.
El Reg reports
Penetration tester Marcus Murray says attackers can use malicious JPEGs to pop modern Windows servers, to gain expanded privileges over networks.
In a live hack set down for RSA San Francisco this week, the TrueSec boffin shows how he used the hack to access an unnamed US Government agency that ran a buggy photo upload portal.
A key part of the stunt is achieved by inserting active content into the attributes of a jpg image, such that the file name read image.jpg.aspx. "I'm going to try to compromise the web server, then go for back end resources, and ultimately compromise a domain controller," Murray said, adding the hack is not that difficult.
video
This is by no means a new attack vector.
Why are we still dealing with this over ten years later?
(Score: 0) by Anonymous Coward on Tuesday April 21 2015, @08:11PM
Near direct quote from To Sail Beyond the Sunset: The answer to any question beginning with, "Why..." is, "money."
It costs less to continue to allow intrusions to continue and pay scads of people to write detection/decontamination routines and software patches, than it does to re-engineer the entire operating system or software to disallow that class of flaw.
Also, because the economy of the United States is now inextricably tied to making systems dumb enough and multifunctional enough that average people can use them. ("But I've GOT to have my streaming / face timing / Facebooky Picturing / fad of the year!")
(Score: 1) by Pseudonymous Coward on Tuesday April 21 2015, @10:46PM
Let's hope Minix3 pans out...