Dispatches from the Creation Wars

Impending Cyber-Doom?

This comes from Paul Phillips, who is a computer wizard as well as one of the world’s best poker players. He’s not a guy prone to overstatement, so I’m just going to copy it here because I think this is very, very important and I want to hammer home the point to everyone who might read this page – update your Windows software:

The end is near: JPEG exploit proof of concept

It will be a bug like this that will take the whole world down. For the less computery types: a bug in all versions of Windows prior to XPSP2 makes it possible for the bad guys to take over a Windows machine if you just view a specially crafted graphics file. A public exploit to do just this has already been published.

That means anyone who uses the web, anyone who reads graphics-enabled email, really anyone who uses the network at all is vulnerable to total compromise.

Security people have long feared the appearance of a “zero day” worm, a worm that propagates at maximum speed and exploits a widely unpatched vulnerability. The large majority of the internet, including millions of machines that cannot be reached directly, could be under the control of one or a few people in hours or even MINUTES. Imagine the first thing the worm does after taking over a machine is insert itself in all the HTML documents it can find and email itself to every address it can find.

There are many, many companies that are reasonably well firewalled from direct attack from the outside, but where people use Windows machines internally to use the Internet. Bam, they’re dead. And once one machine is infected it can attack all the others from the inside of the network, which is much easier.

You can’t even conceive of how bad it could get. Once it’s loose it will be impossible to rein in. Thousands of companies, government agencies, even military branches could be completely paralyzed, all their internal data compromised. Very few institutions would be safe.

I think this is one of the greatest dangers facing the civilized world today. No joke. But people won’t believe it until it happens. Imagine all the fears about Y2K amplified dramatically, but this is much more real than Y2K. Y2K was a very speculative concern because nobody really knew how vulnerable we were. But there’s no question about how widespread unpatched Windows systems are.

Be afraid!

What he is referring to is a report that a malformed JPEG image can trigger a bug in the Windows image-decoding code, so that simply decoding the picture lets the attacker’s code run on an unpatched system. In effect, a virus can hide in a picture. Nearly every web page you look at contains JPEG pictures, often dozens of them. That means that merely by viewing a web page, or a picture someone sends you in email, or even an email containing nothing you would recognize as a picture (the background of Outlook stationery is a JPEG file, you just don’t know it), you can get a virus on your computer. This is very, very dangerous. You no longer have to open an attachment to get infected.

If you’re running Windows XP, make sure you have the newly released Service Pack. If you’re running any other Windows system, make sure you’re accepting every security update that Microsoft releases to keep up on the patches that fix these types of vulnerabilities. One caveat a lot of people miss: the image-decoding library can be bundled with other programs as well as with Windows itself, so a patched Windows does not by itself guarantee that every program that displays pictures is patched; take the updates for those programs too. And if you’re not running a virus scan program that blocks viruses in real time, not just when you run a full system scan, get it now. If you don’t want to pay for it, go to www.grisoft.com and download AVG, a free antivirus program that works quite well. Paul is right, this new discovery makes us much, much less secure in an almost limitless number of ways.
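The danger described above turns on an image decoder trusting the length fields inside the file it is decoding. As an added example (my own code, not anything from the original post, and not a reproduction of the specific Windows bug, which the post does not describe), here is a bounds-checked walker over the marker segments of a JPEG header. It rejects a file whose segment length is smaller than the two bytes the length field itself occupies, or larger than what remains of the buffer, which is exactly the pair of checks a decoder must make before it computes a payload size or copies a segment. The sample byte arrays are constructed by hand for this example and are not real photographs.

```c
/* Bounds-checked JPEG marker-segment walker (added example, not from the post). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum jpeg_status { JPEG_OK = 0, JPEG_TRUNCATED = 1, JPEG_BAD_LENGTH = 2, JPEG_BAD_MARKER = 3 };

/* Walk the marker segments of a JPEG header up to Start Of Scan (0xFFDA) or
 * End Of Image (0xFFD9). Returns JPEG_OK if every segment's 2-byte length
 * field is at least 2 (it counts itself) and fits within the buffer; otherwise
 * returns why the file was rejected. If segments is non-NULL it receives the
 * number of segments walked on success. */
enum jpeg_status jpeg_validate(const uint8_t *buf, size_t len, size_t *segments)
{
    size_t pos, count = 0;
    if (segments) *segments = 0;
    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8)
        return JPEG_BAD_MARKER;                 /* must begin with SOI */
    pos = 2;
    for (;;) {
        uint8_t marker;
        uint16_t seglen;
        if (pos + 2 > len) return JPEG_TRUNCATED;
        if (buf[pos] != 0xFF) return JPEG_BAD_MARKER;
        marker = buf[pos + 1];
        if (marker == 0xFF) { pos++; continue; } /* fill byte before a marker */
        pos += 2;
        if (marker == 0xDA || marker == 0xD9) break;     /* SOS or EOI: done */
        /* Standalone markers (TEM, RSTn, SOI) carry no length field. */
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD8)) { count++; continue; }
        if (pos + 2 > len) return JPEG_TRUNCATED;
        seglen = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);
        /* The length includes its own two bytes. A value below 2 is the classic
         * trap: payload = seglen - 2 underflows to a huge unsigned value. */
        if (seglen < 2) return JPEG_BAD_LENGTH;
        /* Compare against what is left rather than adding to pos, so the
         * addition itself cannot overflow. */
        if (seglen > len - pos) return JPEG_TRUNCATED;
        pos += seglen;
        count++;
    }
    if (segments) *segments = count;
    return JPEG_OK;
}

/* Constructed sample: SOI, an APP0 segment, a COM segment, then SOS. */
static const uint8_t good_jpeg[] = {
    0xFF, 0xD8,                               /* SOI */
    0xFF, 0xE0, 0x00, 0x04, 'J', 'F',         /* APP0, length 4 = 2 payload bytes */
    0xFF, 0xFE, 0x00, 0x05, 'h', 'i', '!',    /* COM,  length 5 = 3 payload bytes */
    0xFF, 0xDA                                /* SOS */
};

/* Constructed sample: the COM length field is 1, less than the field's own
 * size. A decoder that computes seglen - 2 without the check above gets an
 * enormous payload size and reads or copies far past the segment. */
static const uint8_t short_len_jpeg[] = {
    0xFF, 0xD8, 0xFF, 0xFE, 0x00, 0x01, 'h', 'i', 0xFF, 0xDA
};

/* Constructed sample: the COM length field claims 65535 bytes in a 10-byte file. */
static const uint8_t huge_len_jpeg[] = {
    0xFF, 0xD8, 0xFF, 0xFE, 0xFF, 0xFF, 'h', 'i', 0xFF, 0xDA
};

/* Helpers returning 1 on the expected verdict so the checks can be asserted. */
int check_good(void)      { size_t n = 0; return jpeg_validate(good_jpeg, sizeof good_jpeg, &n) == JPEG_OK && n == 2; }
int check_short_len(void) { return jpeg_validate(short_len_jpeg, sizeof short_len_jpeg, NULL) == JPEG_BAD_LENGTH; }
int check_huge_len(void)  { return jpeg_validate(huge_len_jpeg, sizeof huge_len_jpeg, NULL) == JPEG_TRUNCATED; }
int check_cut_off(void)   { return jpeg_validate(good_jpeg, 6, NULL) == JPEG_TRUNCATED; }

int main(void)
{
    printf("well-formed header: %s\n",  check_good()      ? "accepted" : "REJECTED");
    printf("length field < 2:   %s\n",  check_short_len() ? "rejected" : "ACCEPTED");
    printf("length past EOF:    %s\n",  check_huge_len()  ? "rejected" : "ACCEPTED");
    printf("truncated file:     %s\n",  check_cut_off()   ? "rejected" : "ACCEPTED");
    return 0;
}
```

The walker only looks at the segment framing; it does not decode pixels. That is deliberate: a file that fails these checks can be refused before any real decoder touches it, which is the cheap front-line filter a mail gateway or web proxy can apply to every image it forwards.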

Comments

  1. #1 carpundit
    September 24, 2004

    Get a Mac.

    I know that wouldn’t really solve the problem, because the world runs on Windows, but I like to gloat now and then over the small victories Bill Gates allows us.

  2. #2 llDayo
    September 24, 2004

    I just want to second your idea for using AVG. I’ve been using it since the beginning of this year and it’s kept my computer nice and safe! I also recommend it to anyone who’s computer I fix (I’m the only total computer literate out of my friends and family so they take my word for it). So yeah, I’m just seconding the motion!

  3. #3 Henrik Ravn
    September 24, 2004

    “I think this is one of the greatest dangers facing the civilized world today.”

Eaaasy now – no need to panic just yet. While the jpeg thing is interesting, there are other, well-known vulnerabilities that have been unpatched literally for years, and the world hasn’t crashed yet. Remember ‘I LOVE YOU’ or Melissa? Those were two pretty successful worms, and the world didn’t quite end with them, did it?

    Oh, and on the Mac issue … carpundit, you really shouldn’t tell people to get a Mac – OSX isn’t secure (just look at all the security updates), but the obscurity (in numbers, not in image) of the platform ensures that no-one can be bothered to target it. If everybody switched … well, you get the idea. So, shhh ;-)

  4. #4 Bill Ware
    September 25, 2004

    Ed,

    “If you’re running Windows XP, make sure you have the newly released Service Pack.”

    Thanks for the tip.
    B

  5. #5 TikiGod666
    September 25, 2004

    Someone needs to create a special JPEG that contains the patch commands, and send it out as a self-copying worm…

    Just a whacky thought.

  6. #6 Greg Jorgensen
    September 25, 2004

    End of the world as we know it prediction scorecard:

    Wrong: millions

    Right: 0

    It doesn’t matter if the prediction comes from a “computer whiz.” Software expert Ed Yourdon went crazy worrying about the Y2K bug and its supposed consequences. He was wrong.

  7. #7 Greg Jorgensen
    September 25, 2004

    Mac OSX and Linux are more secure than Windows. They aren’t 100% perfectly secure, though (thus the security updates). The Unix architecture OS X and Linux are based on (which predates Windows) does not lend itself as easily to the kinds of exploits that plague Windows. And security exploits are easier to fix on OS X and Windows. Using a Mac will not keep you 100% safe, but it will keep you a lot safer than using Windows.

  8. #8 Henrik Ravn
    September 26, 2004

    Greg said:
    The Unix architecture OS X and Linux are based on (which predates Windows) does not lend itself as easily to the kinds of exploits that plague Windows.
    This is simply not true. All the vulnerability classes found on windows are also found on Un*x. Check out http://www.securityfocus.com.

    And security exploits are easier to fix on OS X and Windows.
    I assume you mean that vulnerabilities are easier to fix on OS X than on Windows. Why?

    Using a Mac will not keep you 100% safe, but it will keep you a lot safer than using Windows.
    Well, yes … but only because the vast majority of computers are running Windows. If the vast majority were running Linux or OS X, I would predict that we would see exploits in the wild at approx. the same rate as we see now. Exploits are targeted where you get the most bang for the buck.

    be well
    -h-

  9. #9 Greg Jorgensen
    September 26, 2004

    The Windows vs. Linux/OS X/Unix security debate has raged elsewhere on the net many times. Here are some reasons Unix (including OS X and Linux) are less vulnerable to the kinds of attacks that plague Windows users (by which I mean worms, viruses, scripting exploits, spyware/adware, etc., not theoretical security exploits).

    1. Windows users generally run as owners/administrators of the system. A casual user with a brand new Windows XP machine has complete administrator control over the OS, although they probably don’t know it. Mac OS X, Linux, etc. are true multiuser systems and users do not have admin privileges (root access) by default. That difference alone is why browsing to the wrong web page can deeply infect the Windows operating system and every file on the PC, whereas the same attack is contained on a Unix system because the user will not have root privileges.

    2. Unix is more transparent. Besides the availability of Linux and Darwin source code, Unix does not have lots of nooks and crannies with proprietary and undocumented formats and data. Unix has no analogue to the Windows registry, system restore database, or the tens of thousands of undocumented and interrelated files in the Windows/WinNT directory.

    3. Better separation of OS layers. Unix and OS X have a clear separation of the OS kernel and the graphical user interface (GUI). Windows does not: user interface code is part of the Windows kernel. So is stuff like script interpreters (roughly analogous to the Unix shell), TCP/IP stack, even the Internet Explorer web browser. An exploit in a Windows application, for example Outlook Express, can be easily leveraged to attack the kernel. Unix-based systems separate the kernel, the GUI, and applications from each other, so it’s much harder to turn an exploit at one level into something that attacks the kernel or the file system.

    4. Unix and relatives are well-documented and well-understood. Windows is a proprietary system where most of the inner workings are not publicly available. Users and developers must trust Microsoft to protect them; they have no objective way to test or confirm security issues. Aside from Microsoft’s sketchy release notes even technical users don’t know the details of what XP Service Pack 2 does to their system. OS X by comparison is much better understood by people outside of Apple, and finding out what a patch or update changed is possible for those of us who want to know. In the Unix and Mac OS X world third-party developers can release protection and work-arounds; in the Windows world only Microsoft understands the OS.

Mac OS X has, to date, not suffered a serious security exploit. Apple (and others) have released patches/workarounds for the discovered vulnerabilities, usually within days. Also note that several of the Mac OS X vulnerabilities are actually in the Java VM. Patches/fixes propagate even faster in the Linux world. While Unix systems have their share of vulnerabilities reported (a la securityfocus.com) few of those are ever exploited, and many (if not most) of them are theoretical exploits that are reported for transparency reasons, not because the OS was actually attacked. And it stands to reason that the Unix community will have more reports in security focus: Microsoft does not report vulnerabilities they find in their own code, and because their system and source code are closed, no one else can look for vulnerabilities.

    When a problem is found in OS X or Linux it’s almost always found by “the good guys” and fixed right away; the reports in Security Focus are not reports of exploits. By contrast Windows exploits are usually reported after they are exploited and someone outside of Microsoft figures out how it was done.

    I’m not as good as Bruce Schneier at explaining this; I recommend his books and web site (counterpane.com, especially the crypt-o-gram newsletter) to anyone interested.

No doubt OS X and Linux will attract more hackers if their market share increases. Windows dominates the desktop, so it is of course subject to more attacks and used by many more technically unsophisticated users.

    But, Unix-based servers are right now more common than Windows-based servers, and so are presumably equally at risk. Servers are (we hope) configured and managed by trained technical professionals, not my mom and dad. But Windows servers suffer many more hacks than Linux/BSD/etc. Anyone who has managed a room full of servers knows that the Windows machines are more vulnerable and require significantly more security configuration and updating than a Unix system. One sys admin told me a joke about his room full of about 100 Windows and Unix servers: he said you can tell which servers are running Windows because they have the chairs in front of them.

    The five computers in our house (used by me, my wife, and our three kids) are all either Macs or PCs running Linux. We don’t have spyware, adware, viruses, worms, or any of that junk. Maybe they’ll come looking for us some day, but right now OS X and Linux are not only rare, they are harder targets.

  10. #10 Greg Jorgensen
    September 26, 2004

I still have a copy of Ed Yourdon’s books “Time Bomb 2000” and “Y2K Survival Home Preparation Guide” if anyone needs them. Different catastrophic computer bug, but the advice on moving to New Mexico, building a bunker, and stockpiling food is still fresh, and probably as ridiculous as it was five years ago.

I expect a little less credulity on this blog. Some viruses that exploit the flaw will go around, many people will be inconvenienced (or worse). Companies and governments will waste billions repairing the damage. It happens all the time. However civilization will not come to an end, and we won’t end up as extras in “Mad Max: Beyond The Thunderdome.”

  11. #11 Ed Brayton
    September 27, 2004

    Okay, this is the last time I post on any computer issue. Listening to computer dorks argue about Unix vs. Windows is about as fascinating as hearing rednecks rehash the ol’ Ford vs. Chevy debate with their terribly clever acronyms for what each name stands for. Despite all the nonsense, I think Paul’s point is essentially correct – a virus that can be hidden in a jpeg file is going to spread both faster and more widely than any other kind of virus and that means it is uniquely dangerous and poses a threat. Perhaps the “end of civilization” rhetoric was overblown a bit, but his basic argument, that our reliance upon technology has made us vulnerable to such a threat, remains true regardless of the inane details. Now let’s please let this be the end of it.

  12. #12 Steve
    September 27, 2004

    Good Morning
    Fords are by far and away the better vehicles
    Steve

  13. #13 Greg Jorgensen
    September 27, 2004

    If you’re going to use words like dork, inane, and nonsense, I’m not going to stop.

    as fascinating as hearing rednecks rehash the ol’ Ford vs. Chevy debate

    Well it’s fascinating if you’re a redneck, I guess.

    I think Paul’s point is essentially correct – a virus that can be hidden in a jpeg file is going to spread both faster and more widely than any other kind of virus and that means it is uniquely dangerous and poses a threat.

    We’ve had viruses that spread by simply opening an email or navigating to a web page — no JPEG viewing required. This threat is not uniquely dangerous, though it does pose a threat. Fortunately we’ve experienced enough of these threats to predict what will (and will not) likely happen.

    his basic argument, that our reliance upon technology has made us vulnerable to such a threat, remains true regardless of the inane details

    No doubt true, but that argument has been around as long as technology. The sky has been falling ever since fire was discovered. It’s the Prometheus story. Mary Shelley rewrote that fable as a techno-horror story over 100 years ago.

    Seriously, the Y2K bug hype vs. reality should have put an end to these geek panic stories for good. To us dorks these virus terrors are the equivalent of shamans in Nigeria telling mothers that polio vaccination is a plot to infect their kids with AIDS.
