[unisog] MS04-028 and blocking JPGs

Michael Holstein michael.holstein at csuohio.edu
Tue Nov 16 18:05:11 GMT 2004

> I also, however, think it is poor service for us to continue to block JPGs as they are widely used - or at least were.

Agreed ... especially since someone could send an email using <IMG SRC=> 
and link to said "malicious jpeg" .. and Microsoft's (as well as many 
others) will dutifully display it in the "preview pane".

Email is only one of the attack vectors for this problem ... a simple 
email with "click here for free porn" linking to the same "malicious 
jpeg" would work amazingly well (people are sheep, you know...)

> How are the rest of you handling this problem?  Are you confident AV software can catch it at the border?  Are you using some other combination of resources to capture and remove the offenders?

We use McAfee, but only for email -- I think it probably does catch it 
-- and whatever it misses, I have snort rules that alert on JPG images 
with comment-field lengths of '0' or '1' (both illegal values, and the 
source of the 028 vuln). They're 'noisy' though ...

That is, of course, more like a canary in the mine than a pitbull at the 
gate, but....


Michael Holstein CISSP GCIA
Cleveland State University
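
Added example, not part of the original post and not the author's Snort rules: a Python check that walks a JPEG's marker segments and reports any comment (COM, 0xFFFE) segment whose length field is 0 or 1, the illegal values the post describes. The function name and the sample byte strings are constructed for illustration.

```python
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Markers that carry no length field: TEM and RST0-RST7
STANDALONE = {0x01} | set(range(0xD0, 0xD8))


def find_bad_comment_lengths(data: bytes):
    """Return [(offset, length)] for each COM segment whose length is 0 or 1.

    Walks the marker segments from SOI up to SOS or EOI. The length field
    counts its own two bytes, so 2 is the smallest legal value.
    """
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    findings = []
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            break  # lost sync with the segment structure; stop
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            pos += 2
            continue
        if marker == EOI or pos + 4 > len(data):
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker == COM and length < 2:
            findings.append((pos, length))
        if marker == SOS or length < 2:
            break  # entropy-coded data follows, or the length cannot be trusted
        pos += 2 + length
    return findings


# Constructed sample inputs (header fragments, not real images)
CLEAN = b"\xff\xd8" + b"\xff\xfe\x00\x05abc" + b"\xff\xd9"
SUSPECT_0 = b"\xff\xd8" + b"\xff\xe0\x00\x04JF" + b"\xff\xfe\x00\x00" + b"\xff\xd9"
SUSPECT_1 = b"\xff\xd8" + b"\xff\xfe\x00\x01" + b"\xff\xd9"
```

Because it follows the segment structure instead of matching bytes anywhere in a stream, this check only reports COM markers that sit where a segment header is expected.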
