posted by CoolHand on Tuesday April 21 2015, @02:03PM
from the a-pictures-worth-a-thousand-lines-of-malware dept.

El Reg reports

Penetration tester Marcus Murray says attackers can use malicious JPEGs to pop modern Windows servers, to gain expanded privileges over networks.

In a live hack set down for RSA San Francisco this week, the TrueSec boffin shows how he used the hack to access an unnamed US Government agency that ran a buggy photo upload portal.

A key part of the stunt is achieved by inserting active content into the attributes of a jpg image, such that the file name read image.jpg.aspx. "I'm going to try to compromise the web server, then go for back end resources, and ultimately compromise a domain controller," Murray said, adding the hack is not that difficult.

This is by no means a new attack vector.

Why are we still dealing with this over ten years later?
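For the defending side of the upload portal described above, a sketch of the checks that reject a name like image.jpg.aspx and flag script markers in JPEG metadata. This is an added example, not code from the article or from Murray's demonstration; the function names, the extension lists and the sample bytes are assumptions made for illustration.

```python
import os
import re
import struct
import uuid

ALLOWED = {"jpg", "jpeg"}   # what this hypothetical portal stores (assumption)
SCRIPT_EXT = {"aspx", "asp", "ashx", "asmx", "cshtml", "php", "jsp"}  # illustrative
ACTIVE = re.compile(rb"<%|<\?php|<script\b|runat\s*=", re.IGNORECASE)


def metadata_segments(data: bytes):
    """Yield payloads of APPn/COM segments that precede the compressed scan."""
    pos = 2                                   # skip the SOI marker (FF D8)
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker in (0xDA, 0xD9) or length < 2:  # scan start, image end, bad length
            return
        if 0xE0 <= marker <= 0xEF or marker == 0xFE:
            yield data[pos + 4:pos + 2 + length]
        pos += 2 + length


def check_upload(filename: str, data: bytes) -> list:
    """Return reasons to reject the upload; an empty list means accept."""
    reasons = []
    # Keep only the last path component; Windows ignores trailing dots and spaces.
    base = os.path.basename(filename.replace("\\", "/")).rstrip(". ").lower()
    exts = base.split(".")[1:]
    if not exts or exts[-1] not in ALLOWED:
        reasons.append("final extension not allowed")
    if any(e in SCRIPT_EXT for e in exts):
        reasons.append("script extension in name")
    if data[:3] != b"\xff\xd8\xff":
        reasons.append("missing JPEG signature")
    elif any(ACTIVE.search(seg) for seg in metadata_segments(data)):
        reasons.append("active content in metadata")
    return reasons


def storage_name() -> str:
    """Server-chosen name, so no client-supplied extension reaches the disk."""
    return uuid.uuid4().hex + ".jpg"


def jpeg(comment: bytes) -> bytes:
    """Constructed sample: SOI, one COM segment, EOI (not a displayable image)."""
    return b"\xff\xd8\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment + b"\xff\xd9"


CLEAN = jpeg(b"holiday photo")                  # constructed
TAINTED = jpeg(b'<%@ Page Language="C#" %>')    # constructed marker only
```

The metadata scan is a heuristic; the name checks and the server-chosen storage name are what keep an uploaded file from being handed to a script handler.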

 
  • (Score: 2) by RobotMonster (130) on Tuesday April 21 2015, @03:31PM (#173551)

    Why would you need servers for your windows?
    To show jpegs on your windows?
    Is this part of some home automation thing?
    Windows are a thing, right? Is it too soon?
    (I'll get my coat)

    Seriously though, the TFA references a JPEG attack from 2004 (as does all I could find with a quick search), but I'm pretty sure there was a JPEG of Death floating around in the Windows NT days, say ~1998; it took your otherwise pretty solid (for Microsoft at the time) machine to a BSOD instantly. Good times.

  • (Score: 1, Funny) by Anonymous Coward on Tuesday April 21 2015, @05:52PM (#173596)

    but I'm pretty sure there was a JPEG of Death floating around in the Windows NT days, say ~1998

    Hmm, you must be referring to the Windows logo.