[unisog] MS04-028 and blocking JPGs
michael.holstein at csuohio.edu
Tue Nov 16 18:05:11 GMT 2004
> I also however, think it is poor service for us to continue to block JPGs as they are widely used - or at least were.
Agreed ... epically since someone could send an email using <IMG SRC=>
and link to said "malicious jpeg" .. and Microsoft's (as well as many
others) will dutifully display it in the "preview pane".
email is only one of the attack vectors for this problem ... a simple
email with "click here for free porn" linking to the same "malicious
jpeg" would work amazingly well (people are sheep, you know...)
> How are the rest of you handling this problem? Are you confident AV software can catch it at the border? Are you using some other combination of resources to capture and remove the offenders?
We use McAfee, but only for email -- I think it probably does catch it
-- and whatever it misses, I have snort rules that alert on JPG images
with comment-field lengths of '0' or '1' (both illegal values, and the
source of the 028 vuln). They're 'noisy' though ...
That is, of course, more like a canary in the mine than a pitbull at the
Michael Holstein CISSP GCIA
Cleveland State University
More information about the unisog