Perrun Virus - How big a deal is this?

Link

Is this nothing to worry about or the death knell of the internet?

I don’t see how this could actually be dangerous. The virus requires the user to first install an extractor program capable of decoding and running code embedded in a picture file. If the user doesn’t have the extractor file, they can’t be affected by an infected JPG. So you have to already be infected through conventional means before this virus can infect you. What’s the point?

That’s what I thought too, but then there’s this part…

Vincent Gullotto is head anti-virus researcher at McAfee Security, so I assume he knows a bit about this stuff. Of course, it is not even a direct quote and it wouldn’t be the first time that a newspaper misrepresented a science or tech fact to make it seem a little more sensational.

How would putting the entire virus code into a JPEG help infect virgin machines? I’d be more worried if the JPEG decoder/encoder virus rode in as a payload on, say, the Klez virus… :eek:

While I was an IT Manager for a local construction company, we had a virus that wiped out tons of jpg files. I wish I could remember off the top of my head what virus it was, I recall we weren’t getting good back-ups then though.

In either case, this is not that “new” to the idea of wiping out jpg files as it has happened in the past.

Your best bet is to ensure you have a clean and restorable back up at all times.

There was some talk and boasting here on the board a while back from a driveby claiming that he could embed an active virus into a jpeg by making the file misreport its size - this would allegedly cause some sort of buffer overflow and write the extra bytes to memory somewhere; I’m skeptical - it sounds possible, but that still wouldn’t be nearly enough to make it an active virus - just a pile of bytes in memory that don’t belong to any process.

Even if such a method was possible (which I doubt) it could easily be counteracted by a patch on your browser that prevented jpegs misrepresenting their size. So it wouldn’t mean the end of the web as we know it.

I think the idea of embedding the decoding code within the jpeg is a non-starter. It’s a chicken and egg situation: you can’t have the decoder without decoding a jpeg, and you can’t decode a jpeg without the decoder. Reminds me of a colleague who required WinZip, so another colleague helpfully emailed him a copy… as a zip file. (As good a reason as any to use the new smiley: :smack: )

That article confirms what we have known for a long time: A lot of the time reporters haven’t a clue about the topic they are reporting.

It also confirms the fact that McAfee hypes the slightest virus threat unmercifully, even if there’s no real chance that the virus is any problem.

It’s highly misleading – the code is embedded in a JPEG, but so what? Opening that JPEG is harmless – unless you’ve downloaded the extractor. That mechanism alone would keep the virus from being a problem. As long as you don’t run the extractor, it’s safe. The virus is the extractor, not the JPEG.

Note, too, that this is merely a proof-of-concept virus. That means it’s not in the wild and spreading to machines.

I have had little respect for McAfee since the Bubbleboy hype. They are only interested in putting out scary sounding “alerts,” not in real virus research.

Since you have to be infected with the extractor first, this is only as dangerous as any other virus. However, one complication is that the extractor virus could be spread quietly for a while and only be activated when the .jpg virus is unleashed. Again, this isn’t very different from a traditional virus that is set to activate on a certain date (e.g. Michelangelo?).

The extractor virus runs by associating itself with a file type (in this example .jpg). To disable it, you would merely associate another program with that file type. The Windows OS could plug the hole by requiring user verification before changing file associations or by allowing you to lock file associations altogether. This would be a nice feature anyway, since I am sick of my programs fighting over who is boss of my file associations.

Either I don’t understand this statement or I think it is wrong. The whole point of the article is that now .jpg files can be dangerous because of the extractor virus. Then this statement implies that the extractor virus is not even necessary. I think it was supposed to mean that the extractor virus could be silent and harmless, and the .jpg virus could be deadly.

I have an ongoing debate with my boss about what can and can’t be a virus; he’s convinced that it’s possible to embed a virus in just about anything, even a plain text file. I keep trying to tell him that such a virus will only be activated if some application attempts to treat the infected text file as some sort of executable (e.g. a script), but he remains firmly paranoid. It’s crippling our connectivity and communications options, as we are only allowed to send and receive mail from a stand-alone machine which is isolated from the LAN.

Mangetout, have you suggested to your boss that he may be infected with the Idiot Virus?

BTW, I think this precisely describes a security hole in a certain version of Netscape. (4.0 I think, there was a thread about it a while back.)

Here’s a link to the thread that has info on the Netscape .jpeg security hole. There is also a link to test if your version of Netscape is vulnerable.

Slashdot seems to have the straight dope on this .jpg nonsense. No doubt some sort of nuclear variant will be the next big threat.

OTOH, a gaping security hole was found recently in the zlib standard library. zlib is used in gif decompressors, zip, some Microsoft decompressors, etc. It is quite widespread.

It was found that if a particular sequence of wrongly encoded data was fed to zlib, then a buffer overflow condition occurs. Buffer overflows are a standard exploit for breaking into systems.

Hence, it is quite possible to get infected just viewing a gif, even though a gif is obviously not an executable.

Many think these kinds of exploit will become more common. A seemingly harmless, non-executable, file is passed around. When opened it breaks the viewing program, which then leads to the exploit.

So, have you upgraded all your zlib-based software in the last 6 months? Do you even know what software uses zlib?

I thought so.
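The two posts above that actually describe a mechanism (the earlier one about a jpeg that misreports its size, and this one about wrongly encoded data overflowing a buffer in zlib) both come down to the same decoder mistake: trusting a length field inside the file. The example below is added here and is not code from the thread, from zlib, or from any real image decoder; it uses a constructed toy chunk format (2-byte big-endian length followed by payload) so it runs stand-alone, and it shows the two bounds checks a decoder needs so that a malformed length can only produce an error, never a read past the input or a write past the destination buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy format for illustration only (not JPEG, GIF or zlib):
 * a stream of chunks, each a 2-byte big-endian length followed by that
 * many payload bytes. The decoder copies each payload into a fixed-size
 * scratch buffer, which is exactly where a misreported length would do
 * damage in a decoder that takes the field at face value. */
#define SCRATCH_SIZE 64

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_OVERSIZED = -2 };

/* Decodes the stream. Returns PARSE_OK and stores the chunk count, or a
 * negative status, without ever touching memory outside the two buffers.
 * Checks (1) and (2) are the ones a careless decoder omits: without (1)
 * it reads past the end of the input, without (2) it writes past the end
 * of the scratch buffer. */
int parse_chunks(const uint8_t *data, size_t len, size_t *chunks_out)
{
    uint8_t scratch[SCRATCH_SIZE];
    size_t pos = 0, count = 0;

    while (pos < len) {
        if (len - pos < 2)              /* the length field itself is cut off */
            return PARSE_TRUNCATED;
        size_t declared = ((size_t)data[pos] << 8) | data[pos + 1];
        pos += 2;
        if (declared > len - pos)       /* (1) length claims more input than exists */
            return PARSE_TRUNCATED;
        if (declared > SCRATCH_SIZE)    /* (2) length exceeds the destination buffer */
            return PARSE_OVERSIZED;
        memcpy(scratch, data + pos, declared);
        pos += declared;
        count++;
    }
    *chunks_out = count;
    return PARSE_OK;
}

/* Three constructed sample streams, each returning the decoder's verdict. */
int check_wellformed(void)
{
    const uint8_t stream[] = { 0x00, 0x03, 'a', 'b', 'c', 0x00, 0x01, 'z' };
    size_t n = 0;
    int status = parse_chunks(stream, sizeof stream, &n);
    return (status == PARSE_OK && n == 2) ? PARSE_OK : -99;
}

int check_truncated(void)
{
    /* Declares 16 payload bytes but only 2 follow. */
    const uint8_t stream[] = { 0x00, 0x10, 'a', 'b' };
    size_t n = 0;
    return parse_chunks(stream, sizeof stream, &n);
}

int check_oversized(void)
{
    /* Declares 65 payload bytes, all present, but the scratch buffer holds 64. */
    uint8_t stream[2 + 65];
    stream[0] = 0x00;
    stream[1] = 65;
    memset(stream + 2, 'x', 65);
    size_t n = 0;
    return parse_chunks(stream, sizeof stream, &n);
}

int main(void)
{
    printf("well-formed stream: %d\n", check_wellformed());   /* 0  */
    printf("truncated stream:   %d\n", check_truncated());    /* -1 */
    printf("oversized stream:   %d\n", check_oversized());    /* -2 */
    return 0;
}
```

The point for the thread is the one the zlib post makes: the file is not executable, and it never needs to be. Whether opening it is safe depends entirely on whether the viewer performs checks like (1) and (2) before it copies, which is why "is the decoder patched?" is the right question rather than "is the file executable?".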