[Webpro] JPEG Vulnerability
Richard Harb
rharb at earthling.net
Tue Sep 28 07:06:27 EDT 2004
Tuesday, September 28, 2004, 9:25:04 AM, you wrote:
> http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
>
> Office XP, Visio 2002, Project 2002, Office 2003, Visio 2003 and
> Project 2003 are affected. If you're running Win 2000 and didn't
> install a recent Office package, your system might not be affected.
Well, for once sticking to legacy software paid off for me 8)
> Microsoft says that 'In a Web-based attack scenario, an attacker
> would have to host a Web site that contains a Web page that is
> used to exploit this vulnerability. An attacker would have no way
> to force users to visit a malicious Web site. Instead, an attacker
> would have to persuade them to visit the Web site, typically by
> getting them to click a link that takes them to the attacker's
> site.'
My response to that: Get in touch with reality (not you personally, Mike, but Microsoft). Check zone-h for once and it should be obvious that it might not be _that_ difficult to stumble over a site that contains hazardous material.
My imagination came up with sort of a worst case scenario:
Imagine some of the 'contributors' there chose to only slightly alter a targeted website in such a manner that they'd only add/change an image or two. Or modify the site's CSS to include an unobtrusive background image, or some other means of making sure that every visitor gets a nice surprise.
And on top of that carefully select time and date and target website so the modification can reach a sizable audience.
I'm fairly certain a lot of site owners would not even notice if the primary content was not or only marginally defaced.
That leaves intrusion detection systems and reading logs etc. to realize something bad has happened. I have a gut feeling that only a minority of systems are properly cared for in every detail.
Richard
--
REALITY.SYS corrupted. Reboot universe? [Y/n]