February 14th, 2006
It should be obvious that I'm neither a lamer nor a Microsoft PR agent. I also doubt that Microsoft needs your advice and that you know any kind of etiquette. You should probably improve your reading skills. I never claimed that there was no bug in code by Microsoft handling JPEG images. By the way, I know damn well what I am talking about.

I'll explain it a little simpler for you:

I wrote: "Hell you can even get virus from pictures."

You claimed: "No you can't."

That's what I referred to when I said "you are wrong". I repeat: You can infect your system through any kind of file including pictures. All it takes is an exploitable flaw in applications handling these files. Actually it doesn't require files at all. It is possible to infect a system by any kind of input as long as there is an exploitable bug in the implementation handling this input.

You wrote: "You are referring to a Microsoft Windows flaw in the JPEG engine that is used to render JPEG images."

You are wrong again. There are far more bugs than this one. I was not thinking of any certain bug. And just to repeat myself, this problem is not unique to Windows. Windows and software for it are just the easier bait due to its popularity. Nonetheless there are inherent design flaws in Windows which make these issues a little worse than they are on other systems.

If you want me to provide an (incomplete) list of software that is exploitable I could do that. It's probably not worth the time. You can just read Bugtraq yourself:

For example, the famous WMF exploit works fine for a lot of standard picture filename extensions including "jpg" and "jpeg". You just have to rename the WMF file. This might be misleading though because you probably argue that this isn't a JPEG file. WMF is still a picture format nonetheless.

Last but not least, for most users you don't have to be that smart at all since they will fall for "whatever.jpg.exe" because - nobody knows why - Windows hides known filename extensions by default. For the common user this makes it impossible to distinguish between a mere data file and an executable file.

In any case it's not as simple as "executables are dangerous but data files are harmless".
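
The two cases in the comment above (a WMF file renamed to ".jpg", and "whatever.jpg.exe") can both be flagged by checking the file's leading bytes and its full name instead of the displayed extension. This is an added example, not part of the original comment; the function names and sample bytes are constructed for illustration.

```python
import os

# Leading "magic" bytes of the formats named in the comment plus common image types.
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xd7\xcd\xc6\x9a", "wmf"),   # placeable WMF header
    (b"\x01\x00\x09\x00", "wmf"),   # standard WMF header
    (b"MZ", "exe"),                 # DOS/PE executable
]
EXT_TYPE = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
            ".wmf": "wmf", ".exe": "exe", ".scr": "exe"}
EXECUTABLE_EXTS = {".exe", ".scr"}

def sniff(data):
    """Return the format implied by the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"

def triage(filename, data):
    """Return findings for one file: hidden executable extension, content mismatch."""
    findings = []
    stem, ext = os.path.splitext(filename.lower())
    inner_ext = os.path.splitext(stem)[1]
    # "whatever.jpg.exe": with known extensions hidden, the user sees "whatever.jpg".
    if ext in EXECUTABLE_EXTS and inner_ext in EXT_TYPE and inner_ext not in EXECUTABLE_EXTS:
        findings.append("double-extension")
    # A renamed file keeps its real format; a parser that looks at content will follow it.
    claimed, actual = EXT_TYPE.get(ext), sniff(data)
    if claimed and actual != claimed:
        findings.append(f"content-mismatch:{claimed}!={actual}")
    return findings

if __name__ == "__main__":
    pad = b"\x00" * 16  # constructed filler, not real image data
    samples = [
        ("holiday.jpg", b"\xff\xd8\xff\xe0" + pad),   # genuine JPEG header
        ("holiday.jpeg", b"\xd7\xcd\xc6\x9a" + pad),  # WMF renamed to .jpeg
        ("whatever.jpg.exe", b"MZ" + pad),            # executable behind a picture name
    ]
    for name, data in samples:
        print(name, triage(name, data) or "ok")
```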
