El Reg reports
Penetration tester Marcus Murray says attackers can use malicious JPEGs to pop modern Windows servers, to gain expanded privileges over networks.
In a live hack set down for RSA San Francisco this week, the TrueSec boffin shows how he used the hack to access an unnamed US Government agency that ran a buggy photo upload portal.
A key part of the stunt is achieved by inserting active content into the attributes of a jpg image, such that the file name read image.jpg.aspx. "I'm going to try to compromise the web server, then go for back end resources, and ultimately compromise a domain controller," Murray said, adding the hack is not that difficult.
video
This is by no means a new attack vector.
Why are we still dealing with this over ten years later?
(Score: 2) by RobotMonster on Tuesday April 21 2015, @03:31PM
Why would you need servers for your windows?
To show jpegs on your windows?
Is this part of some home automation thing?
Windows are a thing, right? Is it too soon?
(I'll get my coat)
Seriously though, the TFA references a JPEG attack from 2004 (as does all I could find with a quick search), but I'm pretty sure there was a JPEG of Death floating around in the Windows NT days, say ~1998; it took your otherwise pretty solid (for Microsoft at the time) machine to a BSOD instantly. Good times.
(Score: 1, Funny) by Anonymous Coward on Tuesday April 21 2015, @05:52PM
but I'm pretty sure there was a JPEG of Death floating around in the Windows NT days, say ~1998
Hmm, you must be referring to the Windows logo.