[unisog] MS04-028 and blocking JPGs

BACHAND, Dave (Info. Tech. Services) BachandD at easternct.edu
Tue Nov 16 18:54:06 GMT 2004


Probably showing my collective lack of knowledge here, but I thought
that when the JPG vulnerability came out the AV vendors were able to
write a generic signature based upon the buffer overflow required to
exploit this.  As I understand it, the exploit code itself has to have a
specific piece of data to call the payload, and the exploit code is

We are allowing JPGs through based on this rash assumption.


-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Heinrich, Matt
Sent: Tuesday, November 16, 2004 11:44 AM
To: unisog at lists.sans.org
Subject: [unisog] MS04-028 and blocking JPGs

Hello all.  I'm generally just a lurker, but I'm looking for some
additional advice regarding JPGs and the GDI vulnerability.  I remain
unconvinced that McAfee (our AV software) will uncover all of the
malformed JPGs so we continue to block all JPG attachments.  This
continues to be met with the expected reaction from our user community.
I do not have the resources to make it to every machine and patch for
every occurrence of a bad .DLL nor do I have a strong belief that MS
patches would get applied correctly anyway.  I ran the Office updates on
my box and still had problems getting all of the DLLs, let alone the non
MS software that uses GDI.

I also, however, think it is poor service for us to continue to block
JPGs as they are widely used - or at least were.

How are the rest of you handling this problem?  Are you confident AV
software can catch it at the border?  Are you using some other
combination of resources to capture and remove the offenders?

Any advice or help appreciated,

Matt Heinrich
Director of Computer Services
Rockhurst University
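Both messages above turn on the same question: can a border filter recognise a malformed JPG structurally, without a signature for any particular payload? The defect MS04-028 fixed in GDI+ was in the handling of the JPEG comment (COM, marker 0xFFFE) segment: its two-byte length field includes itself, so a declared length of 0 or 1 underflows when the parser subtracts 2. The following is an added example (mine, not code from either poster or from McAfee) of the kind of structural check a mail gateway could run on an attachment: it walks the marker segments ahead of the scan data and flags any segment whose length field is below 2 or runs past the end of the file. The two sample files are constructed inline; `scan_jpeg` and `is_suspicious` are names chosen here.

```python
"""Structural length-field check for JPEG attachments (added example, not from the list thread)."""
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Markers that carry no length field: TEM, SOI, EOI and the restart markers RST0-RST7.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def scan_jpeg(data: bytes) -> list:
    """Walk the header segments of a JPEG and return a list of findings (empty = clean).

    Parsing stops at SOS: the segments that matter for MS04-028 (COM, APPn) sit before
    the entropy-coded image data, and walking the scan data needs a full decoder.
    """
    findings = []
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        return ["not a JPEG: missing SOI marker"]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            findings.append(f"byte 0x{data[pos]:02X} at offset {pos} where a marker was expected")
            return findings
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte between markers, allowed by the spec
            pos += 1
            continue
        if marker == EOI:
            return findings
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            findings.append(f"segment 0x{marker:02X} at offset {pos} is truncated before its length field")
            return findings
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]   # big-endian, includes itself
        if length < 2:
            findings.append(
                f"segment 0x{marker:02X} at offset {pos} declares length {length} (< 2): "
                "the length underflow pattern patched by MS04-028")
            return findings
        if pos + 2 + length > len(data):
            findings.append(f"segment 0x{marker:02X} at offset {pos} declares length {length} past end of file")
            return findings
        if marker == SOS:
            return findings
        pos += 2 + length
    findings.append("no EOI marker found before end of data")
    return findings


def is_suspicious(data: bytes) -> bool:
    """Gateway-style verdict: any structural finding means hold the attachment for review."""
    return bool(scan_jpeg(data))


def _jfif_header() -> bytes:
    # Constructed APP0/JFIF segment: length 16, "JFIF\0", version 1.1, no density units, 1x1, no thumbnail.
    return (b"\xFF\xE0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00"
            + struct.pack(">HH", 1, 1) + b"\x00\x00")


# Constructed samples: a well-formed header with a 5-byte comment, and the same file with the
# comment length field set to 1, which is the MS04-028 underflow condition.
BENIGN_JPEG = (b"\xFF\xD8" + _jfif_header()
               + b"\xFF\xFE" + struct.pack(">H", 2 + 5) + b"hello" + b"\xFF\xD9")
MALFORMED_JPEG = (b"\xFF\xD8" + _jfif_header()
                  + b"\xFF\xFE" + b"\x00\x01" + b"hello" + b"\xFF\xD9")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_JPEG), ("malformed", MALFORMED_JPEG)):
        print(name, "->", scan_jpeg(sample) or "clean")
```

Because the check looks at the length fields rather than at any particular bytes after them, it catches a whole class of files rather than one exploit variant, which is what a "generic signature" for this bug amounts to; it does not, however, tell you anything about non-Microsoft software that carries its own JPEG decoder.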
