Vmyths.com



Truth about computer security hysteria

JPEG virus (speculation & hysteria, September 2004)

CATEGORY: Misconceptions about genuine threats

CATEGORIES:

  1. Misconceptions about a real computer security threat
  2. A historical perspective on recent hysteria

On 14 September 2004, Microsoft issued a "critical" alert regarding a "buffer overrun" in software it uses to display JPEG images. In theory, if you try to view a specially crafted JPEG file, it could take over your computer and do whatever it wishes. Microsoft has released a security patch to fix this buffer overrun. Vmyths urges you to download the patch, install it, and get on with your life.

Vmyths believes media outlets will pounce on this story, because (a) Microsoft announced a "critical" vulnerability in the way its software reads a ubiquitous file type, (b) computer emergency response teams have issued their own alerts, and (c) some proof-of-concept examples now exist. Watch for speculation and hysteria in the coming days. Some naïve system administrators may tell reporters they'll delete JPEG files from emails and refuse to let web browsers display JPEG files, "strictly as a precaution." (We don't expect anyone will implement this draconian measure for very long. We believe too many users will clamor against it.)

Microsoft's "JPEG Processor" vulnerability manifests itself as a buffer overrun in a piece of software. It is not caused by the JPEG file format itself. Buffer overruns are extremely common: you'll find them in almost every large software application (even antivirus software). They can create situations where even a filename itself can wreak havoc. By definition, every buffer overrun will eventually join its brothers in the land of obscurity.

The "Code Red" worms successfully exploited a buffer overrun in 2001, and Vmyths believes some reporters will allude to this — as if to imply a horrific JPEG attack may be just around the corner. Some proof-of-concept examples have surfaced, but no actual threat currently exists. Buffer overruns are extremely common, yet they rarely get exploited. Researcher Georgi Guninski, for example, publishes "proof of concept" exploits for many of the "critical" buffer overruns he finds. Guninski's exploits have never made a splash despite his best efforts.

A little history — this isn't the first time an image file format has come under fire. An April Fool's joke targeted JPEG files a decade ago, and in 2001, researchers claimed a specially crafted GIF file could be used to cause a buffer overrun in Microsoft Outlook. It was purely a coincidence that a GIF file could exploit this threat. In 2002, the "Perrun" virus added software to the computers it infected, then it modified the Windows registry so future viruses could "ride" inside a JPEG file. The virus writer could have chosen to do the same thing with GIF files or even TEXT files.

Antivirus vendor Sophos urged restraint over the Perrun virus in 2002, saying "some anti-virus vendors may be tempted to predict the end of the world as we know it, or warn of an impending era when all graphic files should be treated with suspicion. Such experts should be ashamed of themselves."

Vmyths suspects a hoax virus alert will arise with instructions to delete the JPEG registered file type in Windows. (It's practically a self-fulfilling prophecy.) Such a hoax will play on the user's misconception of the threat. Don't take unsolicited advice from people who are not experts. Users will damage their own operating systems if they delete the JPEG registered file type.

Last updated: 2004/9/27