Windows JPEG vulnerability 'will evade' AV software

...and sadly may also escape common sense...

By Dan Ilett, 30 September 2004 09:15

Antivirus software looks as if it will struggle to protect corporate networks from the latest Windows vulnerability - innocent-looking JPEG files that contain security attacks.

According to Mikko Hypponen, director of antivirus research for F-Secure, antivirus software will strain to find JPEG malware because by default it only searches for .exe files.

"Normal antivirus software by default will not detect JPEGs," said Hypponen. "You can set your antivirus scanner to look for JPEG, but the trouble is that you can change the file extension on a JPEG to so many things."

There are around 11 similar file extensions that JPEGs can be changed to, such as .icon or .jpg2. Hypponen said that this would make searching for malicious JPEGs even more difficult because it could take up a significant amount of valuable processor power.
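The gap Hypponen describes, a scanner that selects files by name while the image is identified by its content, can be shown with a short check. This is an added example, not code from the article or from F-Secure; the `EXTENSION_FILTER` set, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

JPEG_SOI = b"\xff\xd8\xff"  # Start Of Image marker plus first byte of the next marker

# Assumed extension filter of a scanner configured to "look for JPEG" by name only.
EXTENSION_FILTER = {".jpg", ".jpeg"}


def is_jpeg(path):
    """Classify by content: read the first three bytes and compare to the SOI signature."""
    try:
        with open(path, "rb") as fh:
            return fh.read(3) == JPEG_SOI
    except OSError:
        return False  # unreadable files are not guessed at


def missed_by_extension_filter(root, extensions=EXTENSION_FILTER):
    """Return relative paths of JPEG-content files that a name-based filter would skip."""
    missed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if is_jpeg(full) and ext not in extensions:
                missed.append(os.path.relpath(full, root))
    return sorted(missed)


def demo():
    """Build a constructed sample tree and run the check over it."""
    # Constructed sample data: a minimal JPEG-like header and non-image files.
    jpeg_bytes = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 8 + b"\xff\xd9"
    samples = {
        "holiday.jpg": jpeg_bytes,
        "logo.icon": jpeg_bytes,       # extension named in the article
        "scan.jpg2": jpeg_bytes,       # extension named in the article
        "notes.txt": b"plain text, not an image\n",
        "fake.jpg": b"MZ not a jpeg",  # image name, non-image content
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return missed_by_extension_filter(root)


if __name__ == "__main__":
    print(demo())
```

Reading three bytes per file is cheap, but it still means opening every file rather than filtering on the name alone, which is the extra scanning cost the article refers to.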

Internet Explorer processes JPEGs before it caches them. That could also mean that desktops would become infected before antivirus software had a chance to work.

"This means that it is not enough to scan at the desktop," said Hypponen. "You have to scan at the gateway, but this will put a huge load on your bandwidth."

Hypponen said that he expected a virus attack using the exploit to occur soon: "There has been so much interest in this vulnerability that someone is bound to do this. But saying that, there was a similar vulnerability found two months ago in Bitmaps, and no one has exploited that yet."

Yesterday, code that exploits the way Microsoft Windows processes JPEGs was posted to US newsgroup Easynews. Hypponen wrote on the F-Secure weblog that this was not a virus because it had no way of spreading. In order for the code to infect a machine, a user must download the image it purports to be and view it in Windows Explorer.

Yesterday Microsoft hit back at critics over its handling of the vulnerability. In a prepared press statement, it said: "Microsoft does not consider this a high risk to customers given the amount of user action required to execute the attack and is not currently aware of any significant customer impact. We will continue to investigate the situation and provide customers with additional resources and guidance as necessary."

Dan Ilett writes for ZDNet UK

Comments

There are 3 comments.

  1. Gerald Hornsby

    So we have Mikko Hypponen saying it's trouble, and Microsoft saying it's not going to be a problem.

    Red rag to a bull, anyone?

    Gerald

  2. dave beall

    Well, so it is... another little problem to chase down... I am no expert... so can you say how to find it, where to look... if I can find 1 in this machine, it will be gone...

  3. Barnendu Goswami

    I tend to side with Mikko I'm afraid. It's also somewhat odd that a lot of 'professionals' haven't taken this all that seriously. I think in part, this is due to the red herring nature of the threat from images in the past. How many times have we read: "Don't click on jpegs, etc.".

    The truth was, they were other file-types, masquerading as images or video, through filename exploitation (whoever thought of "Hide known file-extensions" should have been drowned at birth!).

    Recent vulnerabilities have been real, but I think the true extent of the problem is not really perceived by the majority of non-specialist/security IT staff.

    I think this one could be a royal pain in the ar*e.
