When shared code bites back
Most of the time, developers can safely leave the careful reading of
Microsoft security bulletins to the system administrators. Oh, sure, those of us
running our own networks need to dutifully patch Windows and Exchange and so on
as the new threats come out. But the code we're writing to ship to our own
customers isn't affected by Microsoft's security slips, right? Well, don't be so
sure about that.
I call your attention to Microsoft
Security Bulletin MS04-028, "Buffer Overrun in JPEG Processing (GDI+) Could
Allow Code Execution (833987)". The basic thrust here is that JPEG processing in
Microsoft's latest and greatest Windows graphics library, GDI+ (which ships as
part of Windows XP and Windows 2003, and underlies the graphics functions in
.NET), is screwed up. According to Microsoft,
A buffer overrun vulnerability exists in the processing of JPEG image formats
that could allow remote code execution on an affected system. Any program that
processes JPEG images on the affected systems could be vulnerable to this
attack, and any system that uses the affected programs or components could be
vulnerable to this attack. An attacker who successfully exploited this
vulnerability could take complete control of an affected system.
Well, that's just the start. Microsoft has used GDI+ all over the place in
the last few years. I just looked at a couple of my own test systems; one has 8
copies of the DLL in question scattered around, the other has 14. And there are
a whole boatload of patches in the security bulletin: updates for Windows, for
Office, for Visual Studio .NET, for the .NET Framework, and even for obscure
stuff like Microsoft Greetings 2002. Just to make your sysadmin's life complete,
the security bulletin cautions, "If you have installed any of the affected
programs or affected components listed in this bulletin, you should install the
required security update for each of the affected programs or affected
components. This may require the installation of multiple security updates." Of
course, only a few of the updates show up on Windows Update; you get to download
the rest yourself. I'm going to end up spending hours here dealing with this
mess - it would have been nice if Microsoft had taken the time to write
some sort of universal GDI+ search-and-replace utility.
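One way to at least get the inventory half of that utility, as an added example that is not part of the original column: a PowerShell script (assumed to run in an elevated PowerShell 3 or later session) that finds every copy of the GDI+ library, gdiplus.dll, on the local fixed drives and groups the copies by file version, so each build can be compared against the fixed build listed in MS04-028.

```powershell
# Added example (not from the original column): inventory every copy of gdiplus.dll
# on local fixed drives and group them by file version, so each copy can be checked
# against the fixed build named in MS04-028. Assumes PowerShell 3+ and an elevated
# session so per-product and system directories are readable.
$fixedDrives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' |
    Select-Object -ExpandProperty DeviceID          # e.g. C:, D:

$copies = foreach ($drive in $fixedDrives) {
    Get-ChildItem -Path "$($drive)\" -Filter 'gdiplus.dll' -Recurse -File -Force `
        -ErrorAction SilentlyContinue              # skip directories we cannot read
}

$report = foreach ($dll in $copies) {
    [pscustomobject]@{
        Path        = $dll.FullName
        FileVersion = $dll.VersionInfo.FileVersion  # version stamped into the DLL's resource
        Modified    = $dll.LastWriteTime
    }
}

# One heading per distinct build: how many copies carry it and where they live.
$report | Group-Object -Property FileVersion | Sort-Object -Property Name |
    ForEach-Object {
        "{0,-20} {1,3} copies" -f $_.Name, $_.Count
        $_.Group | ForEach-Object { "    $($_.Path)" }
    }

"Total: $(@($report).Count) copies of gdiplus.dll found."
```

Any group whose FileVersion is older than the fixed build in the bulletin marks a product that still needs its own update, since each copy is serviced by the product that installed it rather than by a single system-wide patch.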
But that's not why I'm bringing this particular mess to your attention. What
worries me the most is the inclusion of the .NET Framework 1.0 (before SP3), the
.NET Framework 1.1 (before SP1), and the Platform SDK GDI+ Redistributable on
the list of affected software. What this says to me is that there's a very real
chance that your own applications may be affected by this very same bug. If you
used Visual Studio .NET to build an application that displays JPEG files
anywhere (say, with a custom logo file that the customer can set) and you
shipped before the latest SP for the Framework came out - WHAM! you're affected.
You don't just need to install the service pack yourself. You need to get your
customers to install it as well.
Microsoft rates this risk as "critical", and I have to agree. Though they're
tight-fisted with the details, as usual, it's clear that just viewing a
carefully crafted malicious JPEG is enough to trigger the overflow. Yes, Virginia, that
does mean that images can now hold a virus, no matter what you've been
telling your friends and relatives for years. I expect quite a few application
vendors are going to be spending time in the near future devising ways to notify
their customers that it's time to install a security patch, even though Windows
Update won't necessarily inform them that this is the case. If you're one of
them, you have my sympathies.
Mike Gunderloy has been developing software for a quarter-century now, and writing about it for nearly as long. He walked away from a .NET development career in 2006 and has been a happy Rails user ever since. Mike blogs at A Fresh Cup.