 |
|
|
|
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Wow, it seems that security updates for various pieces of 'standard'
Windows-related software are coming down fast and furious these days: Firefox,
Java, Flash Player, Windows itself (well, my old XP version.) I'm getting one or
the other of these on almost a daily basis. Cyber-criminals and spammers must be
working overtime!
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
> Wow, it seems that security updates for various pieces of 'standard'
> Windows-related software are coming down fast and furious these days: Firefox,
> Java, Flash Player, Windows itself (well, my old XP version.) I'm getting one or
> the other of these on almost a daily basis. Cyber-criminals and spammers must be
> working overtime!
>
This happens when someone develops a new(ish) idea on how to break into
a system. After that, every one starts to see if they can use the same
apporach to break into another program.
Ex: One guy finds out that you can create specially crafted .BMP files
with a color palette that has 4294967297 (MAX_INT + 1) colors, causing
the application to overflow, and execute arbitrary code. 12 other guys
will go "hmm... interesting... Let's try with .JPG, .GIF, .PNG, etc...).
People will also try to find applications where this can be exploited,
and once they find that a certain version of, say libpng is vulnerable,
every piece of software that uses that libpng will have to be updated.
(Except POV-Ray, of course, because we were told that nothing bad could
happen... And no one POV-Ray user would be evil enough to post a scene
with a bad .PNG texture in it).
--
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/* flabreque */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/* @ */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/* gmail.com */}camera{orthographic location<6,1.25,-6>look_at a }
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Francois Labreque <fla### [at] videotron ca> wrote:
> Ex: One guy finds out that you can create specially crafted .BMP files
> with a color palette that has 4294967297 (MAX_INT + 1) colors
Given that the vast majority of image files have an exact amount of
bytes reserved for the different sizes, I would like to see how you
can put a value larger than what those bytes can express there.
(Ostensibly some compressed image file type might be able to exploit
a buggy image library if there's something in the compression algorithm
that said library doesn't take into account and could cause eg. a buffer
overflow in said library when it tries to decompress the data.)
--
- Warp
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
On 16/01/2013 06:30 PM, Warp wrote:
> Francois Labreque<fla### [at] videotronca> wrote:
>> Ex: One guy finds out that you can create specially crafted .BMP files
>> with a color palette that has 4294967297 (MAX_INT + 1) colors
>
> Given that the vast majority of image files have an exact amount of
> bytes reserved for the different sizes, I would like to see how you
> can put a value larger than what those bytes can express there.
There appears to be plenty of software that incorrectly treats various
size values as signed integers. (E.g., programs that malfunction on
files larger than 2GB because they think the file size has become
"negative".)
Personally, I blame C...
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
On 16/01/2013 11:59 AM, Kenneth wrote:
> Wow, it seems that security updates for various pieces of 'standard'
> Windows-related software are coming down fast and furious these days: Firefox,
> Java, Flash Player, Windows itself (well, my old XP version.) I'm getting one or
> the other of these on almost a daily basis. Cyber-criminals and spammers must be
> working overtime!
Just because a security flaw has been discovered, does not necessarily
imply that anybody has actually *exploited* it yet.
It could well just be the QA people doing code reviews and finding bugs
that way.
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
On Wed, 16 Jan 2013 21:23:27 +0000, Orchid Win7 v1 wrote:
> Personally, I blame C...
Seems more appropriate to blame programmer inexperience (or laziness)
than the language used.
Jim
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Orchid Win7 v1 <voi### [at] devnull> wrote:
> There appears to be plenty of software that incorrectly treats various
> size values as signed integers. (E.g., programs that malfunction on
> files larger than 2GB because they think the file size has become
> "negative".)
Can you give me a scenario where that produces a buffer overflow?
--
- Warp
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
Orchid Win7 v1 <voi### [at] devnull> wrote:
>
> It could well just be the QA people doing code reviews and finding bugs
> that way.
Yeah, I'm thinking it's probably half and half: real security breaches; and
entities like Kaspersky Labs finding possible exploitable loopholes before the
fact.
BTW, I just got *another* Windows security update.
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
> Francois Labreque <fla### [at] videotronca> wrote:
>> Ex: One guy finds out that you can create specially crafted .BMP files
>> with a color palette that has 4294967297 (MAX_INT + 1) colors
>
> Given that the vast majority of image files have an exact amount of
> bytes reserved for the different sizes, I would like to see how you
> can put a value larger than what those bytes can express there.
>
Sorry, it was MAX_SIGNED_INT +1.
Of course, the file formats are usually strict enough, but they can't
prevent all problems.
http://technet.microsoft.com/en-us/security/bulletin/ms04-028
http://technet.microsoft.com/en-us/security/bulletin/ms08-052
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0597
In the case of the BMP flaw, the leaked Windows 2000 source code showed
that the DLL was using a signed int to read an offset value that was
unsigned in the file format, so by crafting a special BMP file you would
have the DLL jump to a negative offset, and outside of the actual data
structure it was supposed to read. Now since GDI.DLL runs in ring 0 for
performance reasons, the fault was not caught and the program would
continue reading garbage, which in turn would cause a buffer overflow
and arbitrary code execution. Photoshop CS2 and CS3 were vulnerable to
this one, on top of all the MS applications that use GDI.DLL, so it
wasn't only shoddy programming on Microsoft's part.
I don't have the specifics on the JPG or PNG ones, but from the MITRE
descritpion, the JPG also used an improper cast in the DLL to achieve
its result. For the PNG vulnerability, it was a problem with libpng not
handling a variable field length properly.
I'm sure you know that there are many, many ways a programmer can screw up.
--
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/* flabreque */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/* @ */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/* gmail.com */}camera{orthographic location<6,1.25,-6>look_at a }
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
| |
|
|
> Orchid Win7 v1 <voi### [at] devnull> wrote:
>> There appears to be plenty of software that incorrectly treats various
>> size values as signed integers. (E.g., programs that malfunction on
>> files larger than 2GB because they think the file size has become
>> "negative".)
>
> Can you give me a scenario where that produces a buffer overflow?
>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0894
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0986
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1573
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3015
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3020
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5870
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1570
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2518
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0596
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0598
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0599
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0602
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0915
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1197
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3966
More at:
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=BMP
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=JPG
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=PNG
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=MP3
Etc...
--
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/* flabreque */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/* @ */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/* gmail.com */}camera{orthographic location<6,1.25,-6>look_at a }
Post a reply to this message
|
|
| |
| |
|
|
|
|
| |
|
|
