Truth About Computer Security Hysteria
JPEG virus (speculation & hysteria, September 2004)
CATEGORY: Misconceptions about genuine threats
Microsoft's "JPEG Processor" vulnerability manifests itself as a buffer overrun in a piece of software. It is not caused by the JPEG file format itself. Buffer overruns are extremely common: you'll find them in almost every large software application (even antivirus software). They can create situations where even a filename itself can wreak havoc. By definition, every buffer overrun will eventually join its brothers in the land of obscurity.
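The point above, that the flaw is in the code that parses the image and not in the JPEG format, is easiest to see in a parser. The following C program is an added illustration written for this page; it is not Microsoft's GDI+ code and does not reproduce the actual bug. It parses a JPEG COM (comment) segment, whose 2-byte big-endian length field counts itself plus the payload, and contrasts a copy routine that trusts that length with one that bounds it against the segment header, the bytes actually present in the file and the destination buffer. The sample files and the buffer size are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration (not Microsoft's GDI+ code): a JPEG COM segment is the
 * marker bytes 0xFF 0xFE followed by a 2-byte big-endian length that counts
 * the two length bytes plus the payload. The sample files below are
 * constructed for this example. */

#define COMMENT_BUF 64

/* Benign file: SOI marker, a COM segment of length 7 carrying "hello", EOI. */
static const uint8_t SAMPLE_OK[] = {
    0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x07, 'h', 'e', 'l', 'l', 'o', 0xFF, 0xD9 };

/* Malformed: length field 1, smaller than the length field itself. */
static const uint8_t SAMPLE_UNDERFLOW[] = {
    0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x01, 'x', 0xFF, 0xD9 };

/* Malformed: length field 65535 with only a few bytes actually present. */
static const uint8_t SAMPLE_TOO_LONG[] = {
    0xFF, 0xD8, 0xFF, 0xFE, 0xFF, 0xFF, 'x', 0xFF, 0xD9 };

/* The flawed pattern: the length field is trusted, so a value below 2
 * underflows (len - 2) and a large value reads past the file buffer; either
 * way memcpy overruns the fixed-size destination. Kept for contrast and only
 * ever called on the benign sample. */
static void copy_comment_unchecked(const uint8_t *seg, char *out)
{
    size_t len = ((size_t)seg[2] << 8) | seg[3];
    memcpy(out, seg + 4, len - 2);
    out[len - 2] = '\0';
}

/* The fix lives in the parser: bound the length by the segment header, the
 * bytes remaining in the file and the destination buffer before copying.
 * Returns the payload length, or -1 if the segment is malformed. */
static int copy_comment_checked(const uint8_t *file, size_t file_len,
                                size_t off, char *out, size_t out_len)
{
    if (file_len < 4 || off > file_len - 4)
        return -1;                          /* no room for marker + length */
    if (file[off] != 0xFF || file[off + 1] != 0xFE)
        return -1;                          /* not a COM segment */
    size_t len = ((size_t)file[off + 2] << 8) | file[off + 3];
    if (len < 2)
        return -1;                          /* length would underflow */
    size_t payload = len - 2;
    if (payload > file_len - (off + 4))
        return -1;                          /* claims more bytes than exist */
    if (payload >= out_len)
        return -1;                          /* would not fit with the NUL */
    memcpy(out, file + off + 4, payload);
    out[payload] = '\0';
    return (int)payload;
}

/* Convenience wrapper: every sample above has its COM segment at offset 2.
 * The extracted comment is left in g_last for inspection. */
static char g_last[COMMENT_BUF];
static int parse_comment_at2(const uint8_t *file, size_t file_len)
{
    return copy_comment_checked(file, file_len, 2, g_last, sizeof g_last);
}

int main(void)
{
    char buf[COMMENT_BUF];

    copy_comment_unchecked(SAMPLE_OK + 2, buf);     /* fine on well-formed input */
    printf("unchecked, benign:  \"%s\"\n", buf);

    printf("checked, benign:    %d (\"%s\")\n",
           parse_comment_at2(SAMPLE_OK, sizeof SAMPLE_OK), g_last);
    printf("checked, underflow: %d\n",
           parse_comment_at2(SAMPLE_UNDERFLOW, sizeof SAMPLE_UNDERFLOW));
    printf("checked, too long:  %d\n",
           parse_comment_at2(SAMPLE_TOO_LONG, sizeof SAMPLE_TOO_LONG));
    return 0;
}
```

The checked routine returns 5 for the benign file and -1 for both malformed ones; the unchecked routine is only ever run on the benign file. Nothing about the JPEG format changed between the two routines, which is why the same class of defect turns up in parsers for GIF, filenames and any other length-prefixed input.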
The "Code Red" worms successfully exploited a buffer overrun in 2001, and Vmyths believes some reporters will allude to this — as if to imply a horrific JPEG attack may be just around the corner. Some proof-of-concept examples have surfaced, but no actual threat currently exists. Buffer overruns are extremely common, yet they are only rarely exploited. Researcher Georgi Guninski, for example, publishes "proof of concept" exploits for many of the "critical" buffer overruns he finds. Guninski's exploits have never made a splash despite his best efforts.
A little history — this isn't the first time an image file format has come under fire. An April Fool's joke targeted JPEG files a decade ago, and in 2001, researchers claimed a specially crafted GIF file could be used to cause a buffer overrun in Microsoft Outlook. It was purely a coincidence that a GIF file could exploit this threat. In 2002, the "Perrun" virus added software to the computers it infected, then it modified the Windows registry so future viruses could "ride" inside a JPEG file. The virus writer could have chosen to do the same thing with GIF files or even TEXT files.
Antivirus vendor Sophos urged restraint over the Perrun virus in 2002, saying "some anti-virus vendors may be tempted to predict the end of the world as we know it, or warn of an impending era when all graphic files should be treated with suspicion. Such experts should be ashamed of themselves."
Vmyths suspects a hoax virus alert will arise with instructions to delete the JPEG registered file type in Windows. (It's practically a self-fulfilling prophecy.) Such a hoax will play on the user's misconception of the threat. Don't take unsolicited advice from people who are not experts. Users will self-damage their operating systems if they delete the JPEG registered file type.
Last updated: 2004/9/27