Update: Windows users beware of malicious images

By Michael Kassner, Contributor
Microsoft today warned Windows users about the ability of attackers to install malware simply by getting users to view a malicious image in a Web browser or document.

http://www.microsoft.com/technet/security/advisory/2490606.mspx

No mention of a fix in time for next week's update session.

If it's in the graphics rendering engine, wouldn't all browsers be attacked?

by Slayer_ In reply to Update: Windows users bew ...

Can you explain why this is only IE?

Correct

by Jellimonsta In reply to If its in the graphics re ...

It would be an image viewed in any browser or application, that was rendered by the MS Graphics Rendering Engine.

So which browsers does that include? (NT)

by Slayer_ In reply to Correct

And I assume that turning that one off

by AnsuGisalas In reply to Correct

is tricky? And/or detrimental to usability?

Well...

by Jellimonsta In reply to And I assume that turning ...

I believe this issue has been around since 2006, and I think it is predominantly the same issue. Back then it was exclusive to WMF images though.

The workaround for the new bulletin is not too different to the ones they released in 05/06. It basically changes the ACL for the Windows Picture and Fax viewer DLL. This will most likely make any EMF or WMF files appear as the old 'Red X', but bmp, jpg and gif should not be affected, I don't think.

edit: spelling

Thanks for the heads up

by AnsuGisalas In reply to Update: Windows users bew ...

this one is bad... images are frigging everywhere and many of them can be put up by anyone... like TR profile images perhaps?
If this is being combined with a low-key trojan... things could get out of hand.

Don't learn fast at Redmond do they?

by Tony Hopkinson In reply to Update: Windows users bew ...

Yet another instance of the same fault exploiting the inherent design flaw that is lack of privilege separation.

Like others I would have said this is a Windows vulnerability, not an IE one. It is the most likely vector I'll admit, that's not new either though is it....

Want to see how slow?

by Jellimonsta In reply to Don't learn fast at Redmo ...

This sort of issue has been around for a long time.

http://www.microsoft.com/technet/security/advisory/2490606.mspx

http://www.microsoft.com/technet/security/bulletin/MS07-046.mspx

http://www.microsoft.com/technet/security/bulletin/MS06-001.mspx

http://www.microsoft.com/technet/security/advisory/912840.mspx

Sorry: I mind-melded

Two different Microsoft vulnerabilities. This one and the one pertaining to IE:

http://www.computerworld.com/s/article/9202218/Microsoft_confirms_critical_IE_bug_works_on_fix
