
SoylentNews is people

posted by CoolHand on Tuesday April 21 2015, @02:03PM
from the a-pictures-worth-a-thousand-lines-of-malware dept.

El Reg reports

Penetration tester Marcus Murray says attackers can use malicious JPEGs to pop modern Windows servers, to gain expanded privileges over networks.

In a live hack set down for RSA San Francisco this week, the TrueSec boffin shows how he used the hack to access an unnamed US Government agency that ran a buggy photo upload portal.

A key part of the stunt is achieved by inserting active content into the attributes of a jpg image, such that the file name read image.jpg.aspx. "I'm going to try to compromise the web server, then go for back end resources, and ultimately compromise a domain controller," Murray said, adding the hack is not that difficult.

This is by no means a new attack vector.

Why are we still dealing with this over ten years later?
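
As an added illustration (not part of the original story, The Register's report, or the portal's code), here is one way an upload handler could reject both halves of the trick described above: a file name whose final extension is not an image type, and script markers hidden in JPEG metadata segments. The function names, the marker list and the sample bytes are assumptions constructed for this example.

```python
import os
import secrets

ALLOWED_EXT = {".jpg", ".jpeg"}
# Heuristic markers for embedded script code (assumed list, not exhaustive).
ACTIVE_MARKERS = (b"<%", b"<script", b"<?")

def metadata_segments(data):
    """Yield (marker, payload) for each JPEG segment before the image scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt segment header")
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        if marker == 0xDA:  # SOS: compressed image data follows
            return
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("bad segment length")
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length
    raise ValueError("no image scan found")

def check_upload(filename, data):
    """Return (accepted, reason, stored_name); stored_name is server-generated."""
    # Only the last extension counts: image.jpg.aspx is an .aspx file.
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext or '(none)'} not allowed", None
    try:
        for marker, payload in metadata_segments(data):
            # APP0..APP15 (EXIF, XMP) and COM carry free-form attributes.
            if 0xE0 <= marker <= 0xEF or marker == 0xFE:
                if any(m in payload.lower() for m in ACTIVE_MARKERS):
                    return False, "active content in metadata", None
    except ValueError as exc:
        return False, str(exc), None
    return True, "ok", secrets.token_hex(16) + ".jpg"

def sample_jpeg(comment):
    """Constructed sample: minimal JPEG framing with one COM segment."""
    seg = b"\xff\xfe" + (len(comment) + 2).to_bytes(2, "big") + comment
    return b"\xff\xd8" + seg + b"\xff\xda\x00\x02\xff\xd9"
CLEAN, TAINTED = sample_jpeg(b"holiday photo"), sample_jpeg(b"<% placeholder %>")
```

The marker scan is a heuristic; re-encoding the image server-side and discarding all metadata is the stronger control.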

 
This discussion has been archived. No new comments can be posted.
  • (Score: 4, Informative) by Anonymous Coward on Tuesday April 21 2015, @07:09PM (#173634)

    Nothing is wrong with .PNG--as long as you don't mind larger file sizes.

    PNG is ideal for line drawings.[1]
    PNG is good for images with few colors.
    When you get into photos or images with lots of colors, PNG loses its luster.

    A suggested replacement for JPG is WebP.
    It became as good as JPG after improvements were made to it. [wikipedia.org]
    Its owner (Google) has licensed it as gratis and libre aka an open protocol.
    Good luck getting a Google competitor to support it.

    Another replacement for JPG is BPG.
    It is also claimed to be an "open" protocol.
    It may be covered by patents that don't expire until 2033. [wikipedia.org]
    (A curse on patent clerks who have approved patents on mathematics.)

    [1] Please, people, stop using JPG for these.

    -- gewg_
