I’m not looking for malware code, just a technical explanation of how this is even possible. An image file is simply (as far as I know) a string of data being read out and represented graphically. I don’t see how an external function is going to be called up in this process and allow an invasion of malware.
The process is most likely buffer overflow, as described very vaguely below.
A purely hypothetical example:
I need to read some image out of a file, I know that the file format allows for a field inside that contains some camera stats (say a maker note, or some such) and this length is limited by 128 characters. However, the actual length of the field is determined by a terminating string (say 0) so if it says "Samsung Camera"0 I know the string is 14 characters long when I reach that 0. Say a careless programmer allocates 128 characters of memory and then reads in the string until he sees a 0.
A malicious coder can create a file that has that field longer than 128 characters, so the buggy program will actually overwrite other memory after it runs out of the buffer (because it only stops when it sees a 0), if you are crafty and careful you can overwrite executable code of the program itself like this leading to an image file that has an executable payload.
I hope this explains it.
Groman
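Groman’s hypothetical maker-note field, written out as an added C example (this is not code from the post or from any real image library): the careless parser that copies until it sees a 0 beside the bounded version a defender would want. The field name, the 128-byte limit and the sample values are the post’s hypothetical, and the function names and the constructed inputs are assumptions made here.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* The format's declared limit for the field, per the post's hypothetical. */
#define MAKER_NOTE_MAX 128

/* The defective pattern the post describes: a fixed 128-byte buffer is
 * filled by copying bytes until a 0 terminator, with no check against
 * the buffer length. A field longer than 128 bytes keeps writing past
 * the end of out[], which is exactly the overflow being discussed.
 * Shown only to illustrate the defect; it is never called on the
 * over-long input below. */
void read_maker_note_unsafe(const unsigned char *field, char *out)
{
    size_t i = 0;
    while (field[i] != 0) {      /* stops only when it sees a 0 */
        out[i] = (char)field[i]; /* writes beyond out[] once i >= 128 */
        i++;
    }
    out[i] = 0;
}

/* Hardened form: the copy is bounded by both the buffer size and the
 * number of bytes actually present in the file. Returns the string
 * length on success, or -1 if no terminator appears within the limit
 * (field truncated or over-long), in which case the field is rejected. */
int read_maker_note_safe(const unsigned char *field, size_t field_avail,
                         char out[MAKER_NOTE_MAX])
{
    size_t i;
    for (i = 0; i < field_avail && i < MAKER_NOTE_MAX - 1; i++) {
        if (field[i] == 0) {
            out[i] = 0;
            return (int)i;
        }
        out[i] = (char)field[i];
    }
    out[0] = 0; /* no terminator inside the limit: refuse the field */
    return -1;
}

int main(void)
{
    /* Constructed sample fields, standing in for bytes read from a file. */
    static const unsigned char good[] = "Samsung Camera";
    unsigned char big[200];
    char note[MAKER_NOTE_MAX];

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = 0;  /* terminator is present, but far past 128 */

    printf("well-formed field: length %d, text \"%s\"\n",
           read_maker_note_safe(good, sizeof good, note), note);
    printf("200-byte field:    result %d (rejected)\n",
           read_maker_note_safe(big, sizeof big, note));
    return 0;
}
```

The bounded version also covers the second failure mode of the same code: a file that simply ends before the terminator arrives, which `field_avail` catches and the unsafe loop would read straight past.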
groman,
normally that would be the likely cause. but in this case it might be an ill-advised “feature”
more specifically at duckster’s link here
So basically, back when these file formats were made in the early '90s, the programmers inserted a “feature” that allowed the file to call up external applications, but it was only discovered by hackers recently?
There was a story some time ago about malicious code being hidden in JPEGs, but you would have to have had downloaded the launching program beforehand.
I wonder if this is related?
Pretty sure that buffer overflow is an issue with older operating systems, but has been designed out of Windows XP. Is that right?
Is it possible for executable code to be written directly to memory through a buffer overflow exploit and then somehow executed?
Buffer overflows are not designed out of Windows XP.
AFAIK, all operating systems Microsoft has ever produced* are capable of experiencing buffer overflows in both the system elements and applications installed on the system after OS installation.
There is a semi-optional [1] piece of software included in Windows XP Service Pack 2 called (IIRC) Data Execution Prevention that claims to reduce or eliminate buffer overflows on PC that it protects.
I have not seen enough documentation to have a professional opinion on whether or not DEP is wholly effective.
I have seen it “take down” allegedly misbehaving applications including a friend’s copy of MS Windows Explorer when he was browsing into a directory full of pirated pornography with preview mode enabled. That behavior may give credence to hopes that DEP can prevent the kind of exploits referred to by the OP. I suspect pirated porn is as likely as any category of non-executable data to be infected with exploits utilizing buffer overflows.
I’ve also seen it take down a couple of (legal, I promise) video games on my PC when they misbehaved.
Additionally, a proprietary security alarm control panel programming application that I support at work won’t even finish installing without DEP turned off for some of its files. I hope to Og that is a misunderstanding on MS’s part, and doesn’t indicate that one of the biggest alarm manufacturing companies in the US is too stupid to write an installer without buggering its overflow or executing its data.
* Actually, I don’t know enough about OS/2 to speculate one way or the other.
[1] The default state of Data Execution Prevention in SP2 appears to be “Enabled for System but not Applications”. My employer turns it to “Enabled for both System and Applications” on its computers.
Yes. A goodly number of hacks of precisely this variety exist, and I would submit the damage caused by them annually ranges somewhere between USD 100M and 10B.
I’d be depressed but unsurprised if my estimate was low.
A good percentage of ‘exploits’ are of the buffer-overflow type. groman’s explanation is a good one, but the type here, as mentioned, is a ‘feature’ being maliciously used.
IMHO the article Duckster links to is being way too nice. Microsoft has repeatedly been at the forefront of virus and worm gathering technology: First to be able to get infected by email (Outlook + various script support), first for document files (Office + macros), web pages (IE + ActiveX), video (WMV + DRM support), and first for image data files (WMF + embedded code)
What makes this one particularly bad is that you don’t have to do anything with an infected file to get hit. Here’s a slightly more detailed FAQ that includes some things you can do for now (As there’s no patch from MS yet).
Is it correct to read that this only works through .WMF files?
Well, recall that you can name a file whatever you want. The file could be called ‘happyimage.jpg’ and still be a .WMF file and still be able to infect you.
Sucks to be the person who tries to view that file on a Windows machine.
OK, so the file might be called “whatever.jpg”, but is the actual extension still *.wmf? If I right click on it and get the properties, will it tell me it’s a wmf image, or can they actually rename the file type to a jpg, and since they are both images, Windows will open them with the same program, and therefore after opening, it will see it’s a wmf, and execute the code?
As is any operating system. There were (and probably still are) buffer overflow problems in Linux and Macintosh; it’s just that people aren’t working quite so hard to find them.
It’s next to impossible to cover and prevent all potential buffer overflows. And, as this indicates, it can take years to uncover them.
Windows can look at the headers at the beginning of some file types to determine what applications can open said file. If you double-click on a file in Explorer, it can do that. Obviously WMF files are one of the file types it recognizes by header…
What might be safe in the case we’re discussing here would be opening an image editing application like Paint Shop Pro or GIMP and then doing a File → Open on the file in question.
I’m not doing that on my work PC, here, or either of my personal PCs at the house, though.
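The header check the reply above describes, as an added C example that is not code from the thread or from Windows: the file is identified by its leading bytes rather than by its name, so a file called ‘happyimage.jpg’ that is really a WMF is flagged as a mismatch. The JPEG, PNG and GIF signatures and the two WMF header forms (the placeable header key 0x9AC6CDD7 written little-endian, and the standard header’s Type of 1 or 2 followed by HeaderSize 9) are the published format values; the function names and the sample buffers are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <ctype.h>

typedef enum { KIND_UNKNOWN, KIND_JPEG, KIND_PNG, KIND_GIF, KIND_WMF } image_kind;

/* Classify a file by its leading bytes, ignoring its name entirely. */
image_kind sniff_image_kind(const unsigned char *buf, size_t n)
{
    if (n >= 3 && buf[0] == 0xFF && buf[1] == 0xD8 && buf[2] == 0xFF)
        return KIND_JPEG;
    if (n >= 8 && memcmp(buf, "\x89PNG\r\n\x1a\n", 8) == 0)
        return KIND_PNG;
    if (n >= 6 && (memcmp(buf, "GIF87a", 6) == 0 || memcmp(buf, "GIF89a", 6) == 0))
        return KIND_GIF;
    /* Placeable WMF: 32-bit key 0x9AC6CDD7 stored little-endian. */
    if (n >= 4 && buf[0] == 0xD7 && buf[1] == 0xCD && buf[2] == 0xC6 && buf[3] == 0x9A)
        return KIND_WMF;
    /* Standard WMF header: Type (1 = memory, 2 = disk) then HeaderSize 9. */
    if (n >= 4 && (buf[0] == 0x01 || buf[0] == 0x02) && buf[1] == 0x00 &&
        buf[2] == 0x09 && buf[3] == 0x00)
        return KIND_WMF;
    return KIND_UNKNOWN;
}

/* What the file name claims to be, by extension (case-insensitive). */
image_kind kind_from_extension(const char *name)
{
    const char *dot = strrchr(name, '.');
    char ext[8];
    size_t i;
    if (dot == NULL)
        return KIND_UNKNOWN;
    for (i = 0; dot[1 + i] != 0 && i < sizeof ext - 1; i++)
        ext[i] = (char)tolower((unsigned char)dot[1 + i]);
    ext[i] = 0;
    if (strcmp(ext, "jpg") == 0 || strcmp(ext, "jpeg") == 0) return KIND_JPEG;
    if (strcmp(ext, "png") == 0)                               return KIND_PNG;
    if (strcmp(ext, "gif") == 0)                               return KIND_GIF;
    if (strcmp(ext, "wmf") == 0)                               return KIND_WMF;
    return KIND_UNKNOWN;
}

/* 1 when the bytes agree with the extension; 0 when they disagree or
 * when either side is unrecognised, so an unknown file is never trusted
 * on the strength of its name alone. */
int name_matches_content(const char *name, const unsigned char *buf, size_t n)
{
    image_kind by_name = kind_from_extension(name);
    image_kind by_bytes = sniff_image_kind(buf, n);
    return by_name != KIND_UNKNOWN && by_name == by_bytes;
}

int main(void)
{
    /* Constructed sample prefixes, standing in for the first bytes of a file. */
    static const unsigned char disguised[] = { 0xD7, 0xCD, 0xC6, 0x9A, 0x00, 0x00 };
    static const unsigned char real_jpeg[] = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10 };

    printf("happyimage.jpg with WMF bytes: match=%d\n",
           name_matches_content("happyimage.jpg", disguised, sizeof disguised));
    printf("photo.JPG with JPEG bytes:     match=%d\n",
           name_matches_content("photo.JPG", real_jpeg, sizeof real_jpeg));
    return 0;
}
```

A mismatch is not itself proof of anything malicious, but it is the cheap, name-independent signal to log or quarantine on, since the name is the one thing the file’s author controls completely.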
I am not a PC user and therefore my consciousness of what’s going on with PC architecture is far from dead-on accurate, but aren’t the later chips of the Pentium family set up so as to reduce the likelihood of executing code in buffer overflows?
e.g., here, go to post #6.
AHunter3,
Actually, your link appears to describe the hardware feature activated by the Windows XP SP2 software feature called Data Execution Prevention I discussed in my post #9 in our current thread.
I could be wrong, in which case I’d love to be corrected.
As an aside, I believe that the Intel x86 and clone lines of chips may very well have been the only modern line of chips to not uniformly feature the ability to tag space in memory as non-executable.
I’m thinking Motorola chips (All Macs until real recent), Sparc chips (Sun Micros since Bill Clinton), etc have supported that for a decade or more. Don’t know about DEC Alpha, but I’d be surprised if it didn’t. Same for SGI MIPS.
No clue about DEC VAX and old IBM S360 mainframes…
That page starts to load for me (in Firefox 1.5), but then goes completely blank.
To recap, buffer overflows are a security threat, and are a result of sloppy programming. In the past, they have been exploited in JPG files for example. But the WMF threat is not a buffer overflow, it’s exploiting a feature that was built-in to WMF files, for an image to have an embedded executable function. Somehow, malicious coders have just recently discovered that. I guess because nobody uses WMFs.
is the advice given at this site accurate?
I always thought that messing with the Register is way beyond the abilities of mere mortals like me who dont know nuthin’ 'bout the innards of their computers.
should I do this on my brand new pentium with a 64 bit intel processor and Windows XP Home edition?