www.msnbc.msn.com/id/6125131/

I had heard of this flaw previously, but apparently it's starting to show up.  

If you're using IE, and visit a website that has a malicious JPEG embedded in it, your computer could be affected.  There is a bug in the JPEG display engine that allows up to 2500 bytes of code to be arbitrarily executed that can infect your computer.

I'll say it again, please run ANYTHING but IE!  I personally use Firefox, but anything else would be OK too.

GET MOZILLA!!!!

But if the flaw is in the JPG file format, will using Mozilla prevent it?

.

Incidentally, This exploit only applies to Windows XP flavors.....

But it's ONLY this one thing....  Internet Explorer is inherently insecure, as it's been DESIGNED as an integral component of the operating system since day 1.........

Way too many possibilities for problems there, poor design.....

+1 on using Mozilla, Or, even Netscape

1000 times better...  Both are essentially the same code, much safer AND have a pile of infinitely better features.....  

Opera is another option as well.....

IE is a suffocating dinosaur..... But unfortunately that's to be expected from Micro$oft........

Quoted: But if the flaw is in the JPG file format, will using Mozilla prevent it?

The flaw is in a DLL used by many microsoft products for processing jpeg files.  The issue does not affect Mozilla.

Remember the Alamo, and God Bless Texas...

.

OK, how do I swtich to a better internet program?

Simple fix to the .JPEG problem, don't go to those sites.

.

Mozilla isn't without its flaws. I just got a CERT advisory for it last week.

Patch your IE with the GDI+ security patch and go on.

Quoted: Incidentally, This exploit only applies to Windows XP flavors.....

Not quite.  It only applies to WInXP and Win2K3, because 95, 98, Me, NT4 and Win2K didn't ship with the DLL.  However, it get's installed by a bunch of applications, and the dll can be installed by any .NET  enabled MS compiler like Visual Basic .NET, Visual C# .NET, Visual C++ .NET or Visual J# .NET.

The list of applications that install and use the affected DLL are:

.NET Framework 1.0 SDK Service Pack (SP) 2
.NET Framework 1.0 SP 2
.NET Framework 1.1
Digital Image Pro 7.0
Digital Image Pro 9
Digital Image Suite 9
Excel 2002
Excel 2003
FrontPage 2002
FrontPage 2003
Greetings 2002
InfoPath 2003
Internet Explorer 6 SP 1
Office 2003
Office XP SP 2
Office XP SP 3
OneNote 2003
Outlook 2002
Outlook 2003
Picture It! 2002 (all versions)
Picture It! 7.0 (all versions)
Picture It! 9 (all versions, including Picture It! Library)
Platform SDK Redistributable GDI+
PowerPoint 2002
PowerPoint 2003
Producer for Microsoft Office PowerPoint (all versions)
Project 2002 SP 1 (all versions)
Project 2003 (all versions)
Publisher 2002
Publisher 2003
Visio 2002 SP 2 (all versions)
Visio 2003 (all versions)
Visual Basic .NET Standard 2002
Visual Basic .NET Standard 2003
Visual C# .NET Standard 2002
Visual C# .NET Standard 2003
Visual C++ .NET Standard 2002
Visual C++ .NET Standard 2003
Visual J# .NET Standard 2003
Visual Studio .NET 2002
Visual Studio .NET 2003
Windows Server 2003
Windows Server 2003, 64-Bit Edition
Windows XP 64-Bit Edition 2003
Windows XP 64-Bit Edition SP 1
Windows XP and XP SP 1
Word 2002
Word 2003

Remember the Alamo, and God Bless Texas...

.

Quoted: you guys wait until the browser war swings in favor of mozilla. it's not a highly secure browser either. the only thing going for the others is low user count. when they are worth the effort to exploit watchout.

Of course, you do have a point.  The dominant browser will always be the target.  However, the problems with IE is that it is part of the operating system.  It has the ability to do things unchecked that Mozilla does not since it is just an application.  ActiveX is horribly implemented, and in newer versions you can't even disable it.  The way Microsoft deals with downloaded content in IE and Outlook is also horrible. XP SP2 changes the way IE handles ActiveX and downloaded content, but the improvements will only be made on XP at this time, with 2K3 being upgraded sometime in the future.  

Do you want to know something funny?  There are people at Microsoft in Redmond who have switched from IE to Mozilla.

Remember the Alamo, and God Bless Texas...

Quoted: Quoted: Incidentally, This exploit only applies to Windows XP flavors..... Not quite.  It only applies to WInXP and Win2K3, because 95, 98, Me, NT4 and Win2K didn't ship with the DLL.  However, it get's installed by a bunch of applications, and the dll can be installed by any .NET  enabled MS compiler like Visual Basic .NET, Visual C# .NET, Visual C++ .NET or Visual J# .NET. The list of applications that install and use the affected DLL are: .NET Framework 1.0 SDK Service Pack (SP) 2 .NET Framework 1.0 SP 2 .NET Framework 1.1 Digital Image Pro 7.0 Digital Image Pro 9 Digital Image Suite 9 Excel 2002 Excel 2003 FrontPage 2002 FrontPage 2003 Greetings 2002 InfoPath 2003 Internet Explorer 6 SP 1 Office 2003 Office XP SP 2 Office XP SP 3 OneNote 2003 Outlook 2002 Outlook 2003 Picture It! 2002 (all versions) Picture It! 7.0 (all versions) Picture It! 9 (all versions, including Picture It! Library) Platform SDK Redistributable GDI+ PowerPoint 2002 PowerPoint 2003 Producer for Microsoft Office PowerPoint (all versions) Project 2002 SP 1 (all versions) Project 2003 (all versions) Publisher 2002 Publisher 2003 Visio 2002 SP 2 (all versions) Visio 2003 (all versions) Visual Basic .NET Standard 2002 Visual Basic .NET Standard 2003 Visual C# .NET Standard 2002 Visual C# .NET Standard 2003 Visual C++ .NET Standard 2002 Visual C++ .NET Standard 2003 Visual J# .NET Standard 2003 Visual Studio .NET 2002 Visual Studio .NET 2003 Windows Server 2003 Windows Server 2003, 64-Bit Edition Windows XP 64-Bit Edition 2003 Windows XP 64-Bit Edition SP 1 Windows XP and XP SP 1 Word 2002 Word 2003 Remember the Alamo, and God Bless Texas...

And here is the sad part.  After patching your system, if you install any unpatched software it can overright the fixed .dll with the insecure one returning you to an insecure state.

.

.

Quoted: Quoted: you guys wait until the browser war swings in favor of mozilla. it's not a highly secure browser either. the only thing going for the others is low user count. when they are worth the effort to exploit watchout. keep patches current, use a firewall, antivirus and spyware utility. i have had systems with ALL types of browsers compromised. IE has flaws but so do the rest. My work laptop hasn't had a problem in over 3 years with attacks a viri. my home machine has but that has always been due to my negligence or stupidity. mike +1 And IE actually has the advantage of a huge company full of programmers that release daily updates to their software.  By the time these "flaws" get to the media, they've invariably already been fixed, usually months beforehand.  The only reason it's an "issue" is because people don't update as often as they should, and sometimes not at all.

Daily updates? Flaws already fixed? You're kidding right?  MS has long a list of known security related issues with Windoze and IE that it hasn't addressed.

Firefox has been designed from the ground up with security as the number one priority. That said there is no question that there are going to be security related issues discovered as the product matures and  receives wider acceptance.  The fact remains however that because it simply doesn't have the hooks into the OS and does not support ActiveX it will never be subject to the type of exploits that have plagued MS IE for years.  In addition it is a far superior browser from a user friendly, features and performance aspect.

.

Quoted: OK, how do I swtich to a better internet program?

Download and install Firefox

Quoted: Read my post again please.  I said that "by the time these "flaws" get to the media, they've invariably already been fixed".  Yes, Windows and IE have security issues, just like Redhat and every other piece of software ever written.  Thing is, with maybe a handful of minor exceptions, by the time a real "doomsday, crash everything and we're never coming back" hack is written up for these exploits, the problem has already been fixed. As I said in another post, if you're really that worried about it, run Linux.

I did read your post.  The fact remains that MS has a long a list of known security related issues with Windoze and IE that MS has ignored for years. The other fact that you are choosing to ignore is that when an exploit hits the media and MS does release a fix there are millions of vulnerable machines that are not and may never be patched.  MS for many years designed Windoze and IE to look pretty and ignored the numerous security concerns of the industry.  It is only recently with the release of SP2 that they have paid more then lip service to some of the known security issues.

In any event Firefox is a superior browser to MS IE and the official 1.0 release isn't out yet.

.

Quoted: you guys wait until the browser war swings in favor of mozilla. it's not a highly secure browser either. the only thing going for the others is low user count. when they are worth the effort to exploit watchout.

Wrong, the MAJOR thing it has going for it is that the program is open source.  That means that many more people will be looking at it's guts than MicroSoft will ever have working on IE.

That and the people coding for FireFox are less interested in cute shit that allows M$ to dominate the market and more interested in building a small, fast, well designed browser.

If you really think the only advantage of FireFox over IE is the reduced user count, you're not being honest with yourself.

Quoted: Wrong, the MAJOR thing it has going for it is that the program is open source.  That means that many more people will be looking at it's guts than MicroSoft will ever have working on IE. That and the people coding for FireFox are less interested in cute shit that allows M$ to dominate the market and more interested in building a small, fast, well designed browser.

We have a winner!

It's amazing the difference in the program when the programmers are aiming for "small, fast, and robust."

When I'm browsing the internet, I don't need Jar Jar Binks to jump onto my screen and start singing and dancing, I just need to view webpages.

Those of you who think that using Mozilla or Firefox will protect you from web browser exploit attacks are sadly mistaken...

www.us-cert.gov/cas/techalerts/TA04-261A.html


Even with the much smaller user base, hackers are constantly developing exploits on the non-IE browsers.

Safe Internet use is not as simple as picking a different browser.

Yeah and it will destroy your hard drive forever -- and the hard drive of all the people you know or ever will.......... please.

I'll take a browser that is compliant to established web coding standards over something that does things it's own way just because it can anyday.

I gave up on IE years ago. I use it now only for looking at IE specific sites, and Microsoft Update. Everything else = Firefox.

I know about the Windows security flaws, too, but if you want to game, and I game a lot, you have to use a Microsoft OS. That being said, I have 2 different spayware scanners installed on each XP box, along with Norton AV. I use Thunderbird for my email client, and Trillian for IM. MS stuff can pack sand.

Try using Opera www.opera.com. I've been using it for several

years with no problems. It's much faster than IE. If you switch, you'll never go back! imho

Quoted: Those of you who think that using Mozilla or Firefox will protect you from web browser exploit attacks are sadly mistaken... www.us-cert.gov/cas/techalerts/TA04-261A.html Even with the much smaller user base, hackers are constantly developing exploits on the non-IE browsers. Safe Internet use is not as simple as picking a different browser.

Nice thing about Mozilla is that they patch the browser almost immediatly when an exploit is found.

These Mozilla products are safe (noted in the CERT bulletin)
   * Mozilla 1.7.3
   * Firefox Preview Release (version 1.0 Preview Release)
   * Thunderbird 0.8

Quoted: Quoted: XP SP2 changes the way IE handles ActiveX and downloaded content, but the improvements will only be made on XP at this time, with 2K3 being upgraded sometime in the future.   <ahem>  Why exactly would someone browse with a 2k3 Server?

MS claims it's part of the operating system, and browsing is done from servers often.  I've worked at a handful of Fortune 100 and 500 companies over the last decade, and all used browsing on the server at one time or another when someone was terminal serviced in.  Bad practice, and one I specifically rail against because Information Security is my job, but it still happens.

Remember the Alamo, and God Bless Texas...

Quoted: Quoted: And here is the sad part.  After patching your system, if you install any unpatched software it can overright the fixed .dll with the insecure one returning you to an insecure state. So...  install the patch again?

How many machines are you responsible for?  I've got 8 at home, though only 3 run a windows variant.  However, I have several thousand desktops alone where I work.  "Just apply the patch again," even with an automated patch management system, is a logistical and operational nightmare.  First, if the patch is applie and then another application re-installs the defective .dll, how does the patch management system know?

Answer: it doesn't.

Remember the Alamo, and God Bless Texas...

.

.

warp_asylum: The answer is simple. Bill Gates has to get the bugs out of his software before he sells it to the public. It's rediculous to patch and re-patch some stupid peice of the operating system.

.

Quoted: Those of you who think that using Mozilla or Firefox will protect you from web browser exploit attacks are sadly mistaken... www.us-cert.gov/cas/techalerts/TA04-261A.html Even with the much smaller user base, hackers are constantly developing exploits on the non-IE browsers. Safe Internet use is not as simple as picking a different browser.

I'm not dilusional about the fact that Mozilla based browsers have problems.  Hell, Firefox is still in prerelease stages, so some bugs are to be expected.  However, there are two big differences:

1) Those bugs you mentioned are discovered by a programming process called "peer review".  The fact that the browsers source code is scoured over by thousands of people allows quick implementation of fixes, where alot of problems with IE are discovered when exploits cause problems.  Security through obscurity is not a viable model for software, ask any software engineer with experience.

2) The BASIC design of IE is built around a scripting engine and ActiveX.  Both are designed to run code on the client machine.  Both are poorly implemented.  Mozilla instead chose to use the proven Sun javascript engine.  Do a google for sun and microsoft javascript engines and see which one is more robust and stable.

Look, I realize many IE and Outlook people are blindly faithful Microsoft users.  The rest of us need to evaluate our tools and use the products which cause the least problems.  Those problems are not Microsoft products and will likely never be.

There's no such thing as zero defect code. Period. Especially when it comes to operating systems. Quite simply, there's too many hardware variables and that is outside the control of the software developer.

People who bitch about code are generally infrastructure/network people with little practical programming experience at the enterprise level.

ETA... If you don't think MS implements eXtreme programming and peer review, you've obviously never been in the building in Redmond.

I know Microsoft has a competent programming staff.  It's impossible to put a project together of the size of any of their software packages with a bunch of sub-par programmers.  I realize that they go through peer review.  I also think that some of the choices being made by the upper management levels at Microsoft are not necessarily aligned with bringing a stable product to market, but more aligned with dominating the market.  

To that effect, they make everything more user friendly for the not so savvy computer user.  Unfortunately more times than not that means that the software is less secure.  And with the current availability of always on high speed internet connections, that security deficiency becomes very apparent, because unlike the average computer user, the malicious hacker is becoming more computer savvy, not less.  

I predict a huge swing in the consumer software industry in the next 5 years.  Security will become the main target of software applications over ease of use.  Many products are already going that way.  Microsoft will have to adapt.  They're already trying, but it's hard to change the entire model of your company overnight.

Quoted: There's no such thing as zero defect code. Period. Especially when it comes to operating systems. Quite simply, there's too many hardware variables and that is outside the control of the software developer. People who bitch about code are generally infrastructure/network people with little practical programming experience at the enterprise level. ETA... If you don't think MS implements eXtreme programming and peer review, you've obviously never been in the building in Redmond.

Well, it's not "the building", it's several city blocks in two major campuses plus several outlying sites.

And I have worked for the Evil Empire (Microsoft).  You obviously don't know what you're talking about.

"Zero defect code"?  Fine, *that* doesn't exist.  But what people are bitching about are major gaping security flaws that Microsoft takes months or years to fix, or that they claim are "features".

Microsoft's "eXtreme programming and peer review" is a joke.  The basic process is, someone in management decides to copy another company's product because Microsoft thinks it'll be cheaper than either sabotaging the other company out of existence or buying it outright.  So marketing gets together and decides what features they will cram into it, no matter how conflicting or pointless the features are.  They give the engineers a deadline and say go to it.  Half the features get weeded out because of deadline constraints.  Then the marketing weasels come back and say, hey guys, we're delaying it by six months because we absolutely MUST have the ability to switch between the dancing paperclip and a bouncing red ball!  If we don't, nobody will buy it!  Ok, so the engineers rework a bunch of stuff, add in the features, and marketing comes back and says, slip it another month so you can add an entire scripting language.  But that will take six months, not one, scream the engineers!  Too bad, says marketing, just skip testing and let the dumbasses who buy it do the beta testing.  Oh yeah, and send your intern over to the tech writing room so that someone can put together a user manual.  But the intern doesn't know dick!  Well, who cares, it's not like anyone will read the stuff!

Peer review?  What a crock.  The programmers are far too busy slapping in new features to bother with reviewing each others' code.  I don't know anyone who bothered back in 1999, and I doubt it changed until at least Bill's big "secure system" push a couple of years ago -- given the garbage they continue to dump out, I doubt it changed then, either.

BTW, in case you doubt me:  Building 32, "Pebble Beach", take the driveway south off 40th and you'll see the red brick buildings on your left.

ABTW, I don't websurf using IE from my home machine.  That's what Morphix is for.

Quoted: While it is a big deal that there's another flaw(big news), an active antivirus will take care of it. Move on people, nothing to see here that you already haven't seen.

Oh no it won't.  At least not by default and even then it very well may not.  IE buffers the image before displaying it or executing it.  That means it is already loaded into your computer before antivirus software scans it.  Stopping it at that point may prove troublesome.  All antivirus scanners exclude non executable files by default.  .jpg would not normally be considered an executable and therefore escapes a scan.

Download and install Service Pack 2 for XP.
This covers the said flaw with JPEGs and vulnerability.  All versions of Windows including XP without SP2 can be affected....

Quoted: Download and install Service Pack 2 for XP. This covers the said flaw with JPEGs and vulnerability.  All versions of Windows including XP without SP2 can be affected....

Ummmm . . . no, it doesn't.

Reports are coming out now about patched computers continuing to be infected, because Microsoft in its infinite wisdom put the code in different places for different packages.  So you have to install an update for the OS, an update for MS-Office (if you have it), an update for Visio, an update for . . . .

Oh -- ETA, some folks are claiming that the patch doesn't fix the problem in all cases, either -- the patch still has the bug, just not quite as bad.  I dunno about that.

I'd just like to reiterate my support for Knoppix and Morphix.  They run off a CD (CD-R, CD-RW, take yer pick), so you don't ever have to install them to your hard drive.  If something gets in, it's only in until you reboot.  Remove the CD from the drive, reboot your box, and you are back to using Windoze (or whatever you have installed on the drive).  No worries, mate.  G'day.

Quoted: Quoted: Download and install Service Pack 2 for XP. This covers the said flaw with JPEGs and vulnerability.  All versions of Windows including XP without SP2 can be affected.... Ummmm . . . no, it doesn't. Reports are coming out now about patched computers continuing to be infected, because Microsoft in its infinite wisdom put the code in different places for different packages.  So you have to install an update for the OS, an update for MS-Office (if you have it), an update for Visio, an update for . . . . Oh -- ETA, some folks are claiming that the patch doesn't fix the problem in all cases, either -- the patch still has the bug, just not quite as bad.  I dunno about that. I'd just like to reiterate my support for Knoppix and Morphix.  They run off a CD (CD-R, CD-RW, take yer pick), so you don't ever have to install them to your hard drive.  If something gets in, it's only in until you reboot.  Remove the CD from the drive, reboot your box, and you are back to using Windoze (or whatever you have installed on the drive).  No worries, mate.  G'day.

Well lets see some reports then Mr. Gates , I'm curious if there information on updates and patches is all just lies now?   I guess I should disregard all the critical updates posted and discount as ..... " a report is coming out all the time and I dream in binary ".....You say it doesn't then turn around as say " I dunno about that"...??   Is this Mr. Kerry?  I'd like to see some proof to your claims.  You can go to the Microsoft site to investigate any of mine.

Well, since you brought up a source for the claims, here is what 71-hour is talking about.  BTW, I would hardly consider Microsofts site as sound advise as far as security goes.  CERT, on the other hand, is a neutral observer.  Better to get your info there.  All quotes below are from the following article:

www.us-cert.gov/cas/techalerts/TA04-260A.html

Quoted: Quoted: Reports are coming out now about patched computers continuing to be infected, because Microsoft in its infinite wisdom put the code in different places for different packages.  So you have to install an update for the OS, an update for MS-Office (if you have it), an update for Visio, an update for . . . . Oh -- ETA, some folks are claiming that the patch doesn't fix the problem in all cases, either -- the patch still has the bug, just not quite as bad.  I dunno about that. Well lets see some reports then Mr. Gates , I'm curious if there information on updates and patches is all just lies now?   I guess I should disregard all the critical updates posted and discount as ..... " a report is coming out all the time and I dream in binary ".....You say it doesn't then turn around as say " I dunno about that"...??   Is this Mr. Kerry?  I'd like to see some proof to your claims.  You can go to the Microsoft site to investigate any of mine.

"Other Microsoft Windows operating systems, including systems running Microsoft Windows XP Service Pack 2, are not affected by default. However, this vulnerability may affect all versions of the Microsoft Windows operating systems if an application or update installs a vulnerable version of the gdiplus.dll file onto the system."

In other words, reinstalling an application on a XPSP2 computer can reinstall the vulnerable DLL.

Quoted: Quoted: Quoted: Download and install Service Pack 2 for XP. This covers the said flaw with JPEGs and vulnerability.  All versions of Windows including XP without SP2 can be affected.... Ummmm . . . no, it doesn't. Reports are coming out now about patched computers continuing to be infected, because Microsoft in its infinite wisdom put the code in different places for different packages.  So you have to install an update for the OS, an update for MS-Office (if you have it), an update for Visio, an update for . . . . Oh -- ETA, some folks are claiming that the patch doesn't fix the problem in all cases, either -- the patch still has the bug, just not quite as bad.  I dunno about that. I'd just like to reiterate my support for Knoppix and Morphix.  They run off a CD (CD-R, CD-RW, take yer pick), so you don't ever have to install them to your hard drive.  If something gets in, it's only in until you reboot.  Remove the CD from the drive, reboot your box, and you are back to using Windoze (or whatever you have installed on the drive).  No worries, mate.  G'day. Well lets see some reports then Mr. Gates , I'm curious if there information on updates and patches is all just lies now?   I guess I should disregard all the critical updates posted and discount as ..... " a report is coming out all the time and I dream in binary ".....You say it doesn't then turn around as say " I dunno about that"...??   Is this Mr. Kerry?  I'd like to see some proof to your claims.  You can go to the Microsoft site to investigate any of mine.

Well, gee, (deleted) why don't you take a look in Google?  It took me one search and less than a minute to find Gartner's research report on it:
www3.gartner.com/DisplayDocument?doc_cd=123962

Although this is not the first vulnerability open to exploitation by a specifically crafted data file, this latest flaw is by far the most pervasive in the number of products it affects. All users of any version of Windows, desktop and server, must take immediate steps to secure against this vulnerability. This vulnerability is particularly difficult to fix since Microsoft has enabled developers to run multiple versions of the vulnerable Dynamic Link Library (DLL) side by side. The result is that dozens of different versions of the vulnerable DLL may be in use on your PCs and servers. In the patch for Windows XP and newer OSs, Microsoft uses "central servicing" to override side-by-side applications and direct these to use the updated DLL. However, it is possible that being directed to the newer DLL may break some applications that depend on older versions for compatibility. Even if you have installed XP SP2 (which is not affected) or patched XP or a newer OS, not all of Microsoft's applications can be fixed using central servicing, because they statically link the vulnerable DLL. These applications must be patched individually. Moreover, even though older versions of Microsoft OSs, such as Windows 98SE, ME and Windows 2000 are not vulnerable (they did not include the JPEG handling capability as part of the OS), machines running these systems become exposed upon installation of any vulnerable application. On these OSs, even if you attempt to secure all known Microsoft applications, it is possible that an internally developed or third-party application may contain a JPEG handler (possibly renamed) that is vulnerable. As a result, every workstation must be individually scanned for this vulnerability.

Read it and weep, and while you're at it, poke yourself in the pooper and post pics.

ETA: an apology, after rereading what I wrote before, OK, I didn't have the full facts.  However, I did have the information from a source I know and trust.  The reason I didn't have the full facts is because I don't need them:  I use Morphix for my browsing at home.  At work, I am stuck with IE, and the IT department refuses to let me install Mozilla, so on their heads be it if we get nailed.

However, it was a damn low blow to call me both "Mr. Kerry" and "Mr. Gates".  Men have been de-balled for less.