
Sep. 23rd, 2004 @ 05:42 pm zero day worm
The end is near: JPEG exploit proof of concept

It will be a bug like this that will take the whole world down. For the
less computery types: a bug in all versions of Windows prior to XPSP2
makes it possible for the bad guys to take over a Windows machine if you
just view a specially crafted graphics file. A public exploit to do just
this has already been published.

That means anyone who uses the web, anyone who reads graphics-enabled
email, really anyone who uses the network at all is vulnerable to total
compromise.

Security people have long feared the appearance of a "zero day" worm, a
worm that propagates at maximum speed and exploits a widely unpatched
vulnerability. The large majority of the internet, including millions of
machines that cannot be reached directly, could be under the control of
one or a few people in hours or even MINUTES. Imagine the first thing the
worm does after taking over a machine is insert itself in all the HTML
documents it can find and email itself to every address it can find.

There are many many companies that are reasonably well firewalled from
direct attack from the outside, but where people use Windows machines
internally to use the Internet. Bam, they're dead. And once one machine
is infected it can attack all the others from the inside of the network,
which is much easier.

You can't even conceive of how bad it could get. Once it's loose it will
be impossible to rein in. Thousands of companies, government agencies,
even military branches could be completely paralyzed, all their internal
data compromised. Very few institutions would be safe.

I think this is one of the greatest dangers facing the civilized world
today. No joke. But people won't believe it until it happens. Imagine
all the fears about Y2K amplified dramatically, but this is much more real
than Y2K. Y2K was a very speculative concern because nobody really knew
how vulnerable we were. But there's no question about how widespread
unpatched Windows systems are.

Be afraid!
From:kutuz_off
Date:September 24th, 2004 01:10 am (UTC)

Correction

It only affects people that use Microsoft OS and browse using Microsoft browser or Microsoft e-mail reader.
From:extempore
Date:September 24th, 2004 01:25 am (UTC)

Re: Correction

Right! I'm sure you'll be totally unaffected when the power is out all over the world, most distribution of food and essential supplies is halted, transportation of all kinds is unusable, massive rioting and looting overwhelm urban centers, and on and on and on.

Where do you live? Must be peaceful.
From:pfelon
Date:September 24th, 2004 02:06 am (UTC)

Aaaaaaaaaaaa!

It was only a matter of time until something like this came along. Oh well, it was fun while it lasted.
From:etrepum
Date:September 24th, 2004 02:55 am (UTC)
Even without this JPEG exploit, it takes something like 20 minutes or less for an unpatched Windows box on broadband not behind a firewall/NAT to get infected by a worm.

Personally I tend to use non-x86 or at least non-Windows boxes.. but some of my clients have a hardon for .NET and/or SQL Server.

I'm pretty sure I heard that this flaw is also present in GTK or the like for Linux x86 and could be exploited similarly..

Doesn't Windows XP SP2 use stack canaries (or something similar) like recent versions of OpenBSD that make it terribly difficult to actually use a buffer overflow like this for any more than denial of service? I vaguely remember Theo talking about it being a braindead implementation (using canary values per boot instead of per process, I think), but I think that would be sufficient. Granted that Windows XP isn't the majority (especially SP2), but in a few years it will presumably have much more of the market.
From:etrepum
Date:September 24th, 2004 03:04 am (UTC)
Also note that in order to patch Windows, you more or less need to have it on the net. Unless you have a firewall or NAT in between your Windows box and the net, odds are that you won't even be able to patch up before you get hacked.
From:goatcow
Date:September 24th, 2004 03:44 am (UTC)
The flaw you are thinking of is in the gdk-pixbuf. DSA here: http://www.debian.org/security/2004/dsa-546
From:extempore
Date:September 24th, 2004 04:02 am (UTC)
> Doesn't Windows XP SP2 use stack canaries (or something similar) like recent versions of OpenBSD that make it terribly difficult to actually use a buffer overflow like this for any more than denial of service?

Last I looked we were slowly heading toward a world where CPUs had NX bit support and OSes used it; I don't know about XP. But recent developments and future hopes are only going to be important when and if we get there. It's still going to be years and years before the majority of the net is not vulnerable to existing bugs.
From:etrepum
Date:September 24th, 2004 04:20 am (UTC)
OpenBSD has supported W^X for i386 since 3.4. IIRC, i386 can only do this at very coarse boundaries, so they map writable and executable memory very far away from each other. The newer processors, and most of the 64-bit CPUs from other vendors, are much better at it and have been supported longer.

I looked into it, and stack canaries are done in Windows on a per-program basis at compile time. You need to compile with /GS from Visual Studio .NET. Presumably Microsoft compiled Windows XP with this flag for the first time in SP2.
From:naturalborn
Date:September 24th, 2004 04:36 am (UTC)
I hope that the world realizes the importance of computer security before some virus writer makes something which wipes out hard drives of a good chunk of the net.

We've been lucky so far...

What I hope is one thing, what I expect is something else...
From:extempore
Date:September 24th, 2004 04:42 am (UTC)
> I hope that the world realizes the importance of computer security before some virus writer makes something which wipes out hard drives of a good chunk of the net.

That would be the most minor consequence imaginable of a zero day worm. Seriously, big deal. Important data is backed up. That'd be at worst an inconvenience.

I'm talking about end-of-the-world stuff here. The total breakdown of civilization. A sight worse than losing last year's email and tax records.
From:naturalborn
Date:September 24th, 2004 05:02 am (UTC)
I'm not sure what damage you envision beyond computers destroying their hard drives and getting turned off. That would certainly cause all infected critical systems to become non-functional. Anything more damaging would have to be tailored to each specific target, and I don't see doing that happening to anything more than a handful of systems as a real threat.

I think you overestimate the amount of damage which could be caused, however I do think that the potential amount of damage is quite extraordinary.

What I find even scarier is the current state of security in the financial industry. I purposefully avoid knowing more about it than absolutely necessary, because I don't like having the feeling that my life savings might be wiped out at any moment due to identity theft or clerical error.
From:marshalllaw
Date:September 24th, 2004 05:29 am (UTC)
Excuse my naiveness here, but how is this worm being spread? Am I just going to log onto IE one day and have my whole computer destroyed, is it a mass-mailing worm, etc.?
From:extempore
Date:September 24th, 2004 06:36 am (UTC)
> Am I just going to log onto IE one day and have my whole computer destroyed

"This" worm is hypothetical. I don't think this particular bug is going to lead to the end of civilization. It only helps reveal the potential.

And yes, your starting IE and that being the last desirable thing your computer does is well within the realm of possibility. But again, it being DESTROYED would be a relatively innocuous outcome. You should worry much more about it doing intensive analysis of your personal data and then making a determined effort to steal your money and generally ruin your life. Or it sitting there quiet and undetected while it logs every keystroke for months and sends them back to command center, until eventually the time bomb goes off and your computer launches a coordinated denial-of-service attack against certain major targets along with tens of millions of other infected machines.

> is it a mass-mailing worm, etc.?

That too. The means of propagation is not relevant; a sophisticated worm would use every possible route of infection and exploit every vulnerability that had yet been discovered.
From:chris03165
Date:September 24th, 2004 08:15 am (UTC)

PIA

Yea, I work in IT for a HUGE TV retail company and it is crazy how often we are patching. Thank god we automate it but we have 10,000 client machines and hundreds of servers all over the world. I'll tell you what though, it sure is one pain in the ass to cover all those machines EVERY month 'cause some jerkoff came up with a new exploit.

I'll give them one thing, they are some crafty sons a bitches.
From:ltnordberg
Date:September 24th, 2004 11:53 am (UTC)

It's a ticking time-bomb

I agree...

I start thinking every once in a while about potential reasons why stock markets crash, depressions happen, about the world's next major event, etc. When you think about the effects that a virus or worm like this could have... the markets would crash, financial confidence would sink, it snowballs and leads to overall panic. Not to mention things actually associated with computers failing that you mentioned.

The issue will be whether worms and viruses will be incremental in damage or whether one day the conditions will be right for a "perfect" virus. If incremental, the world responds, heightens security and maybe fends off disaster. I think about 9/11 that same way... there were warning signs, but nothing major enough to put us on guard to help prevent the disaster.

If one day a virus can go from a minor pain (like they are now, globally I would have to say they are minor) to a major disaster, watch out... all aspects of life could (and would) be affected.
From:jackyl_ky
Date:September 24th, 2004 01:26 pm (UTC)

Overstated risk

I'm sorry, but I had to create a livejournal entry just to respond to this.

Raising awareness of security problems for end users is good, but the risk of this one is way overblown. There was already one worm using the exploit, but it was idiotic because it relied on a hosted malicious image. Those worms are idiotic for one of two reasons: a) they never spread, so their distribution mechanism sucked or, b) they spread properly and end up getting their site shut down due to DDoS or ToS issues.

The appropriate vector for this worm is an embedded Outlook image, and we can expect to see that before too long. Firewalls are irrelevant in this case, because all perimeter controls are set up to allow mail through some known route.

I have a few more comments:
> Security people have long feared the appearance of a "zero day" worm, a
> worm that propagates at maximum speed and exploits a widely unpatched
> vulnerability.


Been there, done that. Witty is the best example.

There are more examples, though. Take Slammer. It affected SQL Servers, a lot of which were patched. Worse, though, it also affected MSDE (a desktop version of SQL Server). MSDE is included as an add-on to a lot of software packages used in the corporate world (Visio, for example). In a lot of cases, people didn't even know they were running MSDE and vulnerable until Slammer infected 90 percent of infectable machines on the internet in 10 minutes.

As a side note, this hit something like 36 hours before the Super Bowl. That sucked.

> I think this is one of the greatest dangers facing the civilized world
> today. No joke. But people won't believe it until it happens.


Yes, things like this are a threat, but I think you are overstating the risk. Critical infrastructure is pretty resilient and incident response procedures are pretty solid at most major organizations.


I don't like incident response, but it is a fact of life for now. There are some technologies / trends that are pointing to a better, and more secure, network over the next couple years, but we'll see several more major incidents and, beyond some major headlines and minor service interruptions, everything will go on fine.
From:jackyl_ky
Date:September 24th, 2004 01:30 pm (UTC)

Re: Overstated risk

I forgot to give my forecast for this vulnerability:

Email worm using an embedded picture, spoofed sender. Anyone running AV will remain mostly untouched in the first iteration. Subsequent iterations will probably have the .jpg embedded in a .zip file which may cause some issues for a while, but nowhere near the Netsky / MyDoom situation.
From:badblood44
Date:September 24th, 2004 02:36 pm (UTC)
Paul, wouldn't you say that many critical infrastructure systems are running on embedded systems rather than win32-based ones?

From my perspective (I've worked on control systems and software for both military aircraft engines and power generating gas turbines), most damage won't be done by taking control of systems, but rather removing some ability to monitor them.

The blackout last year wasn't caused by a worm but rather a fault in custom monitoring software that is not Windows based:

http://www.interesting-people.org/archives/interesting-people/200404/msg00136.html

I certainly believe that much chaos can be caused by such a zero-day worm. But as far as the total collapse of society goes, I'm a bit less inclined to be that pessimistic.

I'm familiar with your work on boa and your open source contributions, so I certainly don't discount your thoughts as inane or overblown. Time will tell which scenario is more accurate. If you're proven correct, you may not have the ability to post a "told you so." :)
From:dukyboys
Date:September 24th, 2004 02:45 pm (UTC)
Funny you should mention this topic. A few days ago I was watching "The Recruit" (Al Pacino, Colin Farrell). I do believe they discuss a similar subject.
From:altus
Date:September 24th, 2004 05:31 pm (UTC)

Suggestions?

Paul-

So what can we do to protect ourselves, personally, against this? Or is this one of those things like, an earthquake or volcano eruption where we know it's going to happen and there's nothing we can do about it?
From:neverdieagain
Date:September 24th, 2004 06:43 pm (UTC)

Re: Suggestions?

I think that's the kicker. You can try your hardest to save your machine, but if this did happen and your machine was spared. How much good would that really do you? Sure it'd be a nice personal achievement, but your one computer, even intact, would be almost useless with everything else in chaos.
From:jackyl_ky
Date:September 24th, 2004 07:22 pm (UTC)

Re: Suggestions?

Just make a habit of hitting Windows Update (you can also get to it from your Start menu).

Antivirus programs aren't a bad idea, as long as you have them set up to auto-update (or do it yourself on a regular basis), but you can get away without using one if you're careful about your web browsing.
From:themizthemaster
Date:September 25th, 2004 06:15 pm (UTC)

Re: Suggestions?

Yeah Paul - why don't you tell us how to protect ourselves instead of saying 'be afraid'. What kind of dumb comment is that? What are you, some government employee trying to scare the public without telling them how to help the problem?
People - Don't be afraid. It doesn't do you any good. I've lost all respect for this dot.com phoney.
From:mdk081
Date:September 28th, 2004 03:44 am (UTC)
http://www.easynews.com/virus.txt

Interesting read about one of these which appeared on Usenet recently.
From:joepro
Date:September 28th, 2004 07:48 pm (UTC)

Evil Microsoft

I did some research on this, and found out that my old Win 98 (you can laugh at me) machine at work is "not vulnerable" to this new virus. Then I read that all future updates for Windows will support XP only. This is similar to the credit card companies responding to record increases in identity theft by simply trying to sell people "identity theft insurance." One person's loss is another's gain. Here's a blurb from the article, as usual Microsoft exploits its power by any means necessary:

In a separate but related development, Microsoft announced that future security enhancements for its Internet Explorer will be available through its Windows XP update service only. By refusing to offer separate security enhancements for Internet Explorer, which is the main vector for any JPEG-related worm or virus, Microsoft is essentially saying that anyone who hasn't yet upgraded to Windows XP won't be protected from future exploits. The average cost to upgrade to Windows XP is about $99; you do the math. FULL ARTICLE LINK:

http://reviews.cnet.com/4520-3513_7-5515107-1.html?tag=cnetfd.ld