September 29, 2004 7:48 AM PDT
JPEG exploit could beat antivirus software
According to Mikko Hypponen, director of antivirus research for F-Secure, antivirus software will struggle to find JPEG malware because, by default, it only scans .exe files.
"Normal antivirus software, by default, will not detect JPEGs," Hypponen said. "You can set your antivirus scanner to look for JPEG, but the trouble is that you can change the file extension on a JPEG to so many things."
There are about 11 file name extensions to which JPEGs can be changed, including .icon or .jpg2. Hypponen said this would make finding malicious JPEGs even more difficult; searching could take up a significant amount of valuable processor power.
Internet Explorer processes JPEGs before it caches them. That could also mean that desktops may become infected before antivirus software has a chance to work.
"This means that it is not enough to scan at the desktop," Hypponen said. "You have to scan at the gateway, but this will put a huge load on your bandwidth."
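The extension problem Hypponen describes is why scanners classify files by content. As an added example (not code from the article, F-Secure or any antivirus product), the following identifies a JPEG by its marker structure rather than its name, so a renamed image is still recognised and one with invalid segment lengths is flagged; the extension list and sample byte strings are constructed for the example.

```python
"""Content-based JPEG identification, independent of the file name extension."""
import struct

JPEG_SOI = b"\xff\xd8\xff"                    # Start Of Image marker bytes
JPEG_EXTS = {".jpg", ".jpeg", ".jpe", ".jfif"}  # assumed "expected" extensions


def is_jpeg(data: bytes) -> bool:
    """Identify a JPEG by its leading bytes, not by its name."""
    return data[:3] == JPEG_SOI


def walk_segments(data: bytes):
    """Yield (marker, length) for each segment up to Start Of Scan or End Of Image.

    Raises ValueError on structurally invalid segment lengths so a scanner can
    flag the file instead of handing it to an image decoder.
    """
    if not is_jpeg(data):
        raise ValueError("not a JPEG")
    pos = 2                                    # skip SOI (FF D8)
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                     # EOI: end of image
            return
        if marker == 0xDA:                     # SOS: entropy-coded data follows
            yield marker, None
            return
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:   # stand-alone RSTn / TEM
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        # The length field counts its own two bytes, so anything below 2 is invalid
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad length {length} for marker 0x{marker:02X}")
        yield marker, length
        pos += 2 + length
    raise ValueError("truncated: no SOS or EOI marker found")


def classify(filename: str, data: bytes) -> str:
    """Scanner verdict: 'jpeg', 'renamed-jpeg', 'malformed-jpeg' or 'other'."""
    if not is_jpeg(data):
        return "other"
    try:
        list(walk_segments(data))
    except ValueError:
        return "malformed-jpeg"
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return "jpeg" if ext in JPEG_EXTS else "renamed-jpeg"


# Constructed samples: SOI + minimal APP0/JFIF segment + EOI, and one bad length
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0" + struct.pack(">H", 16)
               + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\xff\xd9")
SAMPLE_MALFORMED = b"\xff\xd8\xff\xe1\x00\x00\xff\xd9"
```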
Hypponen said he expected a virus attack using the exploit to occur soon: "There has been so much interest in this vulnerability that someone is bound to do this. But saying that, there was a similar vulnerability found two months ago in bitmaps, and no one has exploited that yet."
Word of code that exploits the way Microsoft Windows processes JPEGs was posted in recent days to the Internet newsgroup EasyNews. Hypponen wrote on the F-Secure Web log that the exploit was not a virus because it had no way of spreading. In order for the code to infect a machine, a user must download the image it purports to be and view it in Windows Explorer.
On Tuesday, Microsoft hit back at critics over its handling of the vulnerability.
"Microsoft does not consider this a high risk to customers, given the amount of user action required to execute the attack, and is not currently aware of any significant customer impact," the company said in a statement. "We will continue to investigate the situation and provide customers with additional resources and guidance, as necessary."
Dan Ilett of ZDNet UK reported from London. CNET News.com's Rob Lemos contributed to this report.
Curt
I don't get it. Recommended security policy for more than two years has been to scan ALL files, period, to foil attacks that depend on alternate extensions. Why is this not the default for all current antivirus software?! The modern PC has more than enough horsepower to spare for this. Not scanning all files probably shouldn't even be an option anymore.
Curt
* Not all modern anti-virus software is configured by default to scan all extensions. It may even be true that most do not.
* More than enough horsepower? Scanning ALL files slows any system down VERY significantly. There is a great deal of overhead, disk, processor, and otherwise. It's not a non-issue as you suggest.
* Anyone concerned should dump the yellow box and switch to Kaspersky Anti-Virus.
JPEG files are not exactly alone in having more than one possible file extension. And when it comes to viruses, the file extension is irrelevant. In other words, exes could be given any filename - including no extension at all - and still execute.
So to suggest that antivirus software will come unstuck just because you can rename a .jpg to a .ico is stupid to say the least.
It seems to me that these days there is a massive effort to over-sensationalize any story that has anything to do with PC security.
The worst part is that this is supposed to have come from a technical website. Clearly they are interviewing people with absolutely no background in computer security and using these people's uneducated musings as the basis of their stories.