News

When shared code bites back

• By Mike Gunderloy
• September 14, 2004

Most of the time, developers can safely leave the careful reading of Microsoft security bulletins to the system administrators. Oh, sure, those of us running our own networks need to dutifully patch Windows and Exchange and so on as the new threats come out. But the code we're writing to ship to our own customers isn't affected by Microsoft's security slips, right? Well, don't be so sure about that.

I call your attention to Microsoft Security Bulletin MS04-028, "Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)". The basic thread here is that JPEG processing in Microsoft's latest and greated Windows graphics library, GDI+ (which ships as part of Windows XP and Windows 2003, and underlies the graphics functions in .NET) is screwed up. According to Microsoft,

A buffer overrun vulnerability exists in the processing of JPEG image formats that could allow remote code execution on an affected system. Any program that processes JPEG images on the affected systems could be vulnerable to this attack, and any system that uses the affected programs or components could be vulnerable to this attack. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Well, that's just the start. Microsoft has used GDI+ all over the place in the last few years. I just looked at a couple of my own test systems; one has 8 copies of the DLL in question scattered around, the other has 14. And there are a whole boatload of patches in the security bulletin: updates for Windows, for Office, for Visual Studio .NET, for the .NET Framework, and even for obscure stuff like Microsoft Greetings 2002. Just to make your sysadmin's life complete, the security bulletin cautions, "If you have installed any of the affected programs or affected components listed in this bulletin, you should install the required security update for each of the affected programs or affected components. This may require the installation of multiple security updates." Of course, only a few of the updates show up on Windows Update; you get to download the rest yourself. I'm going to end up spending hours here dealing with this mess - it would have been nice of Microsoft could have taken the time to write some sort of universal GDI+ search-and-replace utility.

But that's not why I'm bringing this particular mess to your attention. What worries me the most is the inclusion of the .NET Framework 1.0 (before SP3), the .NET Framework 1.1 (before SP1), and the Platform SDK GDI+ Redistributable on the list of affected software. What this says to me is that there's a very real chance that your own applications may be affected by this very same bug. If you used Visual Studio .NET to build an application that displays JPEG files anywhere (say, with a custom logo file that the customer can set) and you shipped before the latest SP for the Framework came out - WHAM! you're affected. You don't just need to install the service pack yourself. You need to get your customers to install it as well.

Microsoft rates this risk as "critical", and I have to agree. Though they're tight-fisted with the details, as usual, it's clear that just viewing a carefully malicious JPEG is enough to trigger the overflow. Yes, Virginia, that does mean that images can now hold a virus, no matter what you've been telling your friends and relatives for years. I expect quite a few application vendors are going to be spending time in the near future devising ways to notify their customers that it's time to install a security patch, even though Windows Update won't necessarily inform them that this is the case. If you're one of them, you have my sympathies.