Author Topic: iPhone 4 headsup  (Read 4260 times)

Offline 2bighorn

  • Gold Member
  • *****
  • Posts: 2829
Re: iPhone 4 headsup
« Reply #45 on: December 25, 2012, 11:51:03 AM »
Well granted if you still run XP even a .jpg can contain a payload since MS never fixed it for XP.

So what if jpg contains a payload? Unless you're infected with extractor it won't do any harm. Therefore it makes no sense to write malicious code using jpegs for payload because machine would have to be already infected with extractor. Why not putting payload right there to begin with? That's the reason there was nothing like that in the wild, and probably never will be.

Offline MrRiplEy[H]

  • Persona Non Grata
  • Plutonium Member
  • *******
  • Posts: 11633
Re: iPhone 4 headsup
« Reply #46 on: December 25, 2012, 02:02:43 PM »
So what if jpg contains a payload? Unless you're infected with extractor it won't do any harm. Therefore it makes no sense to write malicious code using jpegs for payload because machine would have to be already infected with extractor. Why not putting payload right there to begin with? That's the reason there was nothing like that in the wild, and probably never will be.

Perhaps you should read this: Vulnerability in GDI+ Could Allow Remote Code Execution (2489979)

They never conclusively patched the OS side vulnerability for XP afaik. It's still open despite the multiple patches and was fixed only for Vista and later.
« Last Edit: December 25, 2012, 02:19:54 PM by MrRiplEy[H] »
Definiteness of purpose is the starting point of all achievement. –W. Clement Stone

Offline MrRiplEy[H]

  • Persona Non Grata
  • Plutonium Member
  • *******
  • Posts: 11633
Re: iPhone 4 headsup
« Reply #47 on: December 25, 2012, 02:08:37 PM »
I remember the Blaster worm which sent random material from the infected machine to everyone in its Address Book, even faking the sender. I got the "Last minute Windows98 improvements" text file as an attachment seemingly from a guy I knew. If my antivirus hadn't recognized and deleted the virus, I might have answered to the apparent sender and ask if he had something to ask about it, only having forgot to write the question. Can you tell for sure that such worms can't be coded anymore?

Dude, the worm has to run on the computer to send anything. A mac can have 10 of those worms and it won't effect it in any way if they're coded for windows. Therefore they can only spread if the mac user for some reason attaches intentionally the infected file to some e-mail.
Definiteness of purpose is the starting point of all achievement. –W. Clement Stone

Offline Bizman

  • Plutonium Member
  • *******
  • Posts: 9606
Re: iPhone 4 headsup
« Reply #48 on: December 25, 2012, 02:33:59 PM »
Dude, the worm has to run on the computer to send anything. A mac can have 10 of those worms and it won't effect it in any way if they're coded for windows. Therefore they can only spread if the mac user for some reason attaches intentionally the infected file to some e-mail.
I know it can't spread by itself in a Mac. But what if I would have had a Mac when I got that infected mail? I wouldn't have noticed it were infected, would I? In that case I might have forwarded it to the person whose name was given as the original sender, asking why he had sent it to me in the first place, thus infecting him. So sending the mail with the attachment would have been intentional but spreading the virus wouldn't. You're still with me?
Quote from: BaldEagl, applies to myself, too
I've got an older system by today's standards that still runs the game well by my standards.

Kotisivuni

Offline 2bighorn

  • Gold Member
  • *****
  • Posts: 2829
Re: iPhone 4 headsup
« Reply #49 on: December 25, 2012, 04:14:07 PM »
Perhaps you should read this: Vulnerability in GDI+ Could Allow Remote Code Execution (2489979)

They never conclusively patched the OS side vulnerability for XP afaik. It's still open despite the multiple patches and was fixed only for Vista and later.

That applies to WMF/EMF images, has nothing to do with JPEGS.

Offline 2bighorn

  • Gold Member
  • *****
  • Posts: 2829
Re: iPhone 4 headsup
« Reply #50 on: December 25, 2012, 05:28:24 PM »
They never conclusively patched the OS side vulnerability for XP afaik. It's still open despite the multiple patches and was fixed only for Vista and later.

Blah, it is very conclusive...
XP SP1 extended support ended on October 10, 2006 (not patched)
XP SP2 extended support ended on July 13, 2010 (not patched)
      
XP SP3 was patched and the patch works.

http://support.microsoft.com/kb/2412687
http://support.microsoft.com/kb/2659262

Merry X-mas

Offline MrRiplEy[H]

  • Persona Non Grata
  • Plutonium Member
  • *******
  • Posts: 11633
Re: iPhone 4 headsup
« Reply #51 on: December 26, 2012, 02:40:52 AM »
That applies to WMF/EMF images, has nothing to do with JPEGS.

JPEGS have a similar vulnerability its just in an other security bulletin http://technet.microsoft.com/en-us/security/bulletin/ms04-028
Definiteness of purpose is the starting point of all achievement. –W. Clement Stone

Offline MrRiplEy[H]

  • Persona Non Grata
  • Plutonium Member
  • *******
  • Posts: 11633
Re: iPhone 4 headsup
« Reply #52 on: December 26, 2012, 02:56:17 AM »
I know it can't spread by itself in a Mac. But what if I would have had a Mac when I got that infected mail? I wouldn't have noticed it were infected, would I? In that case I might have forwarded it to the person whose name was given as the original sender, asking why he had sent it to me in the first place, thus infecting him. So sending the mail with the attachment would have been intentional but spreading the virus wouldn't. You're still with me?

No I can't see it. First of all you would see immediately on a mac that the file attachment is fake because it doesn't hide the file extensions by default like Windows does. Also if the attachment uses some Outlook vulnerability you wouldn't even realize anything happened, the payload would just execute the second you previewed the e-mail and your machine would be infected. Second everyone (especially you) should know never to forward any files that come by e-mail unless they're 100% garanteed to be business related and you know they're coming from the person in question.

I also repeat that it's a very bad idea to use on machine e-mails for anything but business related affairs in this day and age. All mailing lists, registrations to websites and correspondence with women (especially our mothers) should be done by a web based spam e-mail account. Women are typically sending all these 'cute' chain e-mails which are riddled with viruses or link to spammers. I'm horrified to see that e-mails containing viruses have been spammed to government offices for example - they're stupid enough to use their work e-mails for this kind of crap.

BTW I solved my parents problems with infections by installing linux to all their computers. First they complained a little but now they're using linux happily for the 2nd year already.
« Last Edit: December 26, 2012, 03:02:16 AM by MrRiplEy[H] »
Definiteness of purpose is the starting point of all achievement. –W. Clement Stone

Offline Bizman

  • Plutonium Member
  • *******
  • Posts: 9606
Re: iPhone 4 headsup
« Reply #53 on: December 26, 2012, 03:50:42 AM »
IIRC the attachments in my example didn't have fake extensions, because I could easily open them in the respective programs - after the antivirus had deleted the malware, of course. Back then, about ten years ago, it was quite easy... One was .txt, the other was .jpg. The .txt file was, as I told, the last minute additions to Win98 file, the .jpg seemingly was a temporary Internet file. The former mail looked just puzzling, the title and message were in Finnish but had no logic with each other or the attachment. Like if someone erroneously sent you a reply to a question someone else has stated. The other mail I got from the same infection was more clearly generated by a virus: Why would a Finnish guy send me an e-mail written in English, the message being: "Look at my beautiful girlfriend" and the attached .jpg showing two models wearing rainclothes.

Both of the mails claimed to come from people who are in my address book and whom I personally know. Because they aren't my business partners, should their mails be treated as potential threats if I read them on machine? What about the fact that I get most spam to the e-mail address of my firm, provided by my ISP? I wouldn't call "business related affairs" those ads whose source for addresses is the public registry of companies...

Quote from: BaldEagl, applies to myself, too
I've got an older system by today's standards that still runs the game well by my standards.

Kotisivuni

Offline MrRiplEy[H]

  • Persona Non Grata
  • Plutonium Member
  • *******
  • Posts: 11633
Re: iPhone 4 headsup
« Reply #54 on: December 26, 2012, 04:09:19 AM »
IIRC the attachments in my example didn't have fake extensions, because I could easily open them in the respective programs - after the antivirus had deleted the malware, of course. Back then, about ten years ago, it was quite easy... One was .txt, the other was .jpg. The .txt file was, as I told, the last minute additions to Win98 file, the .jpg seemingly was a temporary Internet file. The former mail looked just puzzling, the title and message were in Finnish but had no logic with each other or the attachment. Like if someone erroneously sent you a reply to a question someone else has stated. The other mail I got from the same infection was more clearly generated by a virus: Why would a Finnish guy send me an e-mail written in English, the message being: "Look at my beautiful girlfriend" and the attached .jpg showing two models wearing rainclothes.

Both of the mails claimed to come from people who are in my address book and whom I personally know. Because they aren't my business partners, should their mails be treated as potential threats if I read them on machine? What about the fact that I get most spam to the e-mail address of my firm, provided by my ISP? I wouldn't call "business related affairs" those ads whose source for addresses is the public registry of companies...



Of course you should treat any e-mail that comes to your computer as a potential threat. If the e-mail contents are in a smallest way suspicious (bad grammar, foreign language) all alarm bells should be howling already. You have to remember also that those e-mails you got didn't necessarily have anything to do with your actual friends. Some infections take the information in the address book and spam e-mails in the name of everyone in the address book, picking random image files from the infected computers harddrive. The senders name can be very easily faked with e-mails you know. Back in 1999 I got an e-mail in my friends name and the attached file was some icon image file from a porn site :D Quite embarrassing.

That's the worst thing about e-mail spreading viruses - the person you appeared to get it from doesn't necessarily have an infection nor know anything about the attack. He just happened to be on someones address book when they got infected. This is yet another reason why I don't give my 'business' e-mail address to any relatives or friends. I have 3 different e-mails. One is totally anonymous and on hotmail and I use it to subscribe to online news and services (and to my mother as she has a nasty habbit of spamming me with circulating cute doggies and cats -emails). Second is a personal 'spam account' I use for friends. Third is a business e-mail which I use strictly for business.

If you get spammed to your business e-mail you probably have published your e-mail on your website without protecting it. Spam bots harvest e-mails using Google searches or by crawling. My business account gets a minute amount of spam (partly because our ISP filters spam even before it gets to the computer and partly because we've kept the address hidden). My 'spam' account then again gets hit by dozens of spam e-mails and attacks daily. Fortunately again my ISP albeit different from my business ISP does AV scans on the incoming e-mails.
« Last Edit: December 26, 2012, 04:14:56 AM by MrRiplEy[H] »
Definiteness of purpose is the starting point of all achievement. –W. Clement Stone

Offline 2bighorn

  • Gold Member
  • *****
  • Posts: 2829
Re: iPhone 4 headsup
« Reply #55 on: December 26, 2012, 11:42:18 AM »
JPEGS have a similar vulnerability its just in an other security bulletin http://technet.microsoft.com/en-us/security/bulletin/ms04-028

They don't. You can hide data in JPEGS, but you need specific tool to extract that. It's nothing like WMF with function calls to windows GDI.

Offline Bizman

  • Plutonium Member
  • *******
  • Posts: 9606
Re: iPhone 4 headsup
« Reply #56 on: December 26, 2012, 12:09:49 PM »
If the e-mail contents are in a smallest way suspicious (bad grammar, foreign language) all alarm bells should be howling already. You have to remember also that those e-mails you got didn't necessarily have anything to do with your actual friends. Some infections take the information in the address book and spam e-mails in the name of everyone in the address book, picking random image files from the infected computers harddrive. The senders name can be very easily faked with e-mails you know. Back in 1999 I got an e-mail in my friends name and the attached file was some icon image file from a porn site :D Quite embarrassing.
That's exactly what happened to me, too, except the attachments were rated child safe. Also the other message looked alright, because it was copied from the mailbox of the infected computer. Actually, it might even have been a message from me, which made the event even more puzzling.

Quote
If you get spammed to your business e-mail you probably have published your e-mail on your website without protecting it.


Apparently you didn't read my post or I didn't express myself clearly enough. My business e-mail gets spam from legitimate companies who want to sell me something. They inform clearly in the bottom line, that they've got my address from the Trade Registry by the National Board of Patents and Registration of Finland. You know, they have a free Internet service for finding information about firms whose names you know, or they can sell you a larger piece of database for a nominal price.
Quote from: BaldEagl, applies to myself, too
I've got an older system by today's standards that still runs the game well by my standards.

Kotisivuni

Offline MrRiplEy[H]

  • Persona Non Grata
  • Plutonium Member
  • *******
  • Posts: 11633
Re: iPhone 4 headsup
« Reply #57 on: December 26, 2012, 02:21:16 PM »
They don't. You can hide data in JPEGS, but you need specific tool to extract that. It's nothing like WMF with function calls to windows GDI.

OMG read the bulletin - Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987).
Definiteness of purpose is the starting point of all achievement. –W. Clement Stone

Offline MrRiplEy[H]

  • Persona Non Grata
  • Plutonium Member
  • *******
  • Posts: 11633
Re: iPhone 4 headsup
« Reply #58 on: December 26, 2012, 02:25:09 PM »
Apparently you didn't read my post or I didn't express myself clearly enough. My business e-mail gets spam from legitimate companies who want to sell me something. They inform clearly in the bottom line, that they've got my address from the Trade Registry by the National Board of Patents and Registration of Finland. You know, they have a free Internet service for finding information about firms whose names you know, or they can sell you a larger piece of database for a nominal price.

Oh, then its a snafu on your part. You're supposed to leave a info@domainname.fi/com/whatever e-mail for registrations and save your personal e-mail for personal stuff. Of course if you register with your personal e-mail you're going to get bombed with all sorts of trash!
Definiteness of purpose is the starting point of all achievement. –W. Clement Stone

Offline 2bighorn

  • Gold Member
  • *****
  • Posts: 2829
Re: iPhone 4 headsup
« Reply #59 on: December 26, 2012, 03:03:30 PM »
OMG read the bulletin - Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987).

How about you read it?
Here to quote it for you:  "Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution"

Not only that you quote 8 years old (and irrelevant) bulletin, you don't understand the issue either.
To specify, it was heap overflow due to how gdiplus.dll was interpreting JPEG COMs. It's not JPEG vulnerability, but GDI+. Windows since XP SP2 has built in DEP and in addition, since Vista, ASLR.