Security Watch : Don't get burned by viruses and hackers.
Why you should switch to Firefox now
By Robert Vamosi 
Senior editor, CNET Reviews
September 24, 2004

Can you imagine the Internet without pictures? A new flaw in the way Windows, and therefore Internet Explorer, renders JPEG images--one of the most common image formats on the Web--should make you think twice about whether you should display them. At the very least, it should nudge you into considering an alternative Internet browser, such as Firefox.

The code to exploit this flaw is now public. Usually, exploit code release is the first step toward a new virus or worm, and as we have seen before, the time from exploit to virus is generally about two to three weeks. In other words, the clock is ticking.


The GDIplus vulnerability, in a nutshell
If you use a Windows operating system older than Windows 2000 or have already updated to Windows XP SP2, you're immune to the flaw. There are many ways to render JPEGs, but the Graphics Device Interface Plus DLL, or gdiplus.dll, is enabled only in Windows 2000 and Windows XP. Because gdiplus.dll is vulnerable to a buffer overflow, a maliciously crafted JPEG file could cause it to run code of the attacker's choosing and take over your computer (or, at the very least, crash it). Unfortunately, the apps that run on Windows 2000 and XP are also vulnerable.
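The flaw above is a renderer trusting the length fields inside a JPEG. One defensive measure a mail gateway or upload handler can apply before an image ever reaches gdiplus.dll is a bounds-checked walk of the file's marker segments, rejecting any segment whose declared length is impossible. The Python below is an added example, not code from this column or from Microsoft; the sample byte strings are constructed for the demonstration, and it checks only the header segments, not the compressed scan data.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))

def walk_segments(data: bytes):
    """Yield (marker, payload_offset, payload_len) for each header segment,
    raising ValueError at the first inconsistent length or truncation."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("missing SOI marker")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF or pos + 1 >= len(data):
            raise ValueError(f"expected marker at offset {pos}")
        marker, pos = data[pos + 1], pos + 2
        if marker in STANDALONE:
            if marker == EOI:
                return
            continue
        if pos + 2 > len(data):
            raise ValueError(f"marker {marker:#04x}: truncated length field")
        seg_len = struct.unpack(">H", data[pos:pos + 2])[0]
        # The length counts its own two bytes; a value below 2 would wrap a
        # naive "payload = length - 2" computation in an unsigned C parser.
        if seg_len < 2:
            raise ValueError(f"marker {marker:#04x}: length {seg_len} < 2")
        if pos + seg_len > len(data):
            raise ValueError(f"marker {marker:#04x}: length {seg_len} overruns file")
        yield marker, pos + 2, seg_len - 2
        if marker == SOS:
            return  # entropy-coded scan data follows; header checks are complete
        pos += seg_len

def is_well_formed_jpeg(data: bytes) -> bool:
    """True only if every header segment length is consistent with the file."""
    try:
        for _ in walk_segments(data):
            pass
        return True
    except ValueError:
        return False

# Constructed sample inputs (not captured from any real file).
GOOD = (b"\xFF\xD8" + b"\xFF\xE0" + struct.pack(">H", 16)          # SOI, APP0 (JFIF header)
        + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
        + b"\xFF\xFE" + struct.pack(">H", 7) + b"hello" + b"\xFF\xD9")  # COM segment, EOI
BAD_SHORT = GOOD.replace(struct.pack(">H", 7), struct.pack(">H", 1))       # COM length below 2
BAD_LONG = GOOD.replace(struct.pack(">H", 7), struct.pack(">H", 0x7FFF))   # COM length past EOF
```

A filter built on `is_well_formed_jpeg` drops the malformed files outright rather than passing them to whatever library happens to render them.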

Microsoft Office is vulnerable
The list of these vulnerable apps is not short and includes:

  • Microsoft .Net Framework 1.x
  • Picture It Digital Image Pro 7.x and 9.x
  • Digital Image Suite 9.x
  • FrontPage 2002
  • Greetings 2002
  • Internet Explorer 6.0
  • Office 2003 Professional Edition
  • Office 2003 Small Business Edition
  • Office 2003 Standard Edition
  • Office 2003 Student and Teacher Edition
  • Office XP
  • Outlook 2003 and 2002
  • Picture It 2002, 7.x, and 9.x
  • PowerPoint 2002 and PowerPoint 2003
  • Project 2002 and Project 2003
  • Publisher 2002
  • Visio 2002, Visio 2003
  • Visual Studio .Net 2002 and 2003
  • Word 2002

Now, what happens if you patch your system with Windows XP SP2 and then load one of the above apps? Believe it or not, that app could overwrite the patched gdiplus.dll with an older, more vulnerable version. You can see what a nightmare this has already become. To help, Microsoft has posted a free online tool that assesses whether your computer is currently vulnerable.


What if you don't use Microsoft apps on your Windows computer? Surprisingly, your solution might be even more complicated.

Macromedia products not vulnerable
Some non-Microsoft apps, such as those from Macromedia, also regularly use JPEG files. It turns out that some Macromedia apps do install the vulnerable gdiplus.dll, but to process JPEGs they actually use the Microsoft graphics library instead. That means products such as Macromedia Contribute, Dreamweaver, Fireworks, Flash, Flashpaper, FreeHand, RoboSource Control, and Studio MX are not affected by the GDI flaw. Nonetheless, if you do load any of these apps after you've patched your system, make sure they don't overwrite the patched version of gdiplus.dll. For a fuller account of which software is affected by this flaw, see this US-CERT document.

Microsoft: Upgrade to Windows XP or else
In a separate but related development, Microsoft announced that future security enhancements for its Internet Explorer will be available through its Windows XP update service only. By refusing to offer separate security enhancements for Internet Explorer, which is the main vector for any JPEG-related worm or virus, Microsoft is essentially saying that anyone who hasn't yet upgraded to Windows XP won't be protected from future exploits. The average cost to upgrade to Windows XP is about $99; you do the math.

Firefox is a start but not the whole solution
If you've taken my past advice, you've already bailed on Internet Explorer and installed Mozilla Firefox as your default Internet browser. So for the most part you can avoid the JPEG flaw, right? Wrong. Because Microsoft bundles IE deep within Windows, you can't avoid IE simply by not using it as your browser. For example, say you get an HTML e-mail message from someone that includes a JPEG image. If you're using Outlook 2002 or earlier, it calls on IE to render that image. The same is true for Microsoft Word and other Office apps that offer a Web view. Outlook 2003 at least gives you the option of viewing an image or not, but should you choose to view it, Outlook 2003 will still call IE. You can remove Internet Explorer from Windows, but it would take a column twice as long as this one to cover all the Registry settings and such you'd need to tweak to do so.

Have you switched to Firefox yet? Why or why not? Talk back to me.



© 2008 CNET Networks, Inc., a CBS Company. All rights reserved.