The Microsoft JPEG Vulnerability and the Six New Content Security Requirements

Transcription

1 The Microsoft JPEG Vulnerability and the Six New Content Security Requirements

2 Table of Contents OVERVIEW THE VULNERABILITY DESCRIPTION NEEDED: A NEW PARADIGM IN CONTENT SECURITY PRACTICAL EXPLOIT SCENARIOS...5 SCENARIO 1: ATTACHMENT...5 SCENARIO 2: IMAGE ON A WEB PAGE...5 SCENARIO 3: WITH A LINKED IMAGE THE THEORETICAL MEGA VIRUS SITE OWNERS PROBLEMS THE SHORTCOMINGS OF EXISTING SOLUTIONS A NEW APPROACH TO BLENDED SMTP-HTTP ATTACKS THE SIX NEW CONTENT SECURITY REQUIREMENTS...10 CONTACT INFORMATION Aladdin Knowledge Systems. All rights reserved 2-11

3 Overview In November 2004, a critical Microsoft security vulnerability (MS04-028) was discovered which could allow attackers to embed malicious code inside JPEG image files, the most ubiquitous image files used. Until that time, JPEG image files were considered immune to attack. The fact that JPEG files can contain malicious code creates a much more serious vulnerability than initially realized. Conventional desktop and anti-virus solutions have created a false sense of security, particularly with the fact that Microsoft has released a patch for only Windows XP, Windows 2003 Server and MS Office. There is no patch available or planned for Windows 9x, Windows NT, and Windows 2000 platforms, although they are still in use. To effectively deal with this vulnerability, security and IT professionals will need to incorporate six new and critical content security requirements (described in Section Number 8) into their networks. First, however, we need to look at the nature of this new threat. 1. The Vulnerability description The JPEG GDI+ files processing vulnerability affects most Microsoft platforms and applications (see Microsoft security bulletin MS at It allows an attacker to execute malicious code when a vulnerable application is used for viewing an infected JPEG image. The list of vulnerable applications is very long and includes numerous popular Microsoft applications as well as many applications developed using Microsoft GDI+ libraries. The malicious code itself could be used to elevate rights, allow remote access, initiate worms, steal information and download and execute other malicious code from the Internet. Several hacker toolkits exploiting this vulnerability are readily available. These toolkits can be used to create custom-infected JPEG images containing the hackers' choice of malicious code. At the time of writing, infected images have already spread via chat and newsgroups: In a recently discovered attack, the JPEG itself contained a small footprint code which -- once executed -- connected by FTP to the hacker s servers, downloaded other hacking tools totaling nearly 2MB, and installed a backdoor Trojan as a service. It also installed RadMin, a commercial remote administration application which allows a complete take-over of "owned" machines -- as hackers like to call them. "Once this JPEG overflowed GDI+, it phoned home, connected to an FTP site and downloaded almost 2MB of stuff. It installs a Trojan that installs itself as a service. The Trojan also installs Radmin, a package that allows users to remotely administer a machine across the Internet, running under the name of r_server." Several factors contribute to make this vulnerability especially dangerous: 1. JPEG is probably the most common image file format and can be found in web pages, attachments, FTP sites, zip files and more. 2. Most Microsoft applications are vulnerable Aladdin Knowledge Systems. All rights reserved 3-11

4 3. A new blended-threat attack vector, mixing HTTP and SMTP protocols, can easily penetrate conventional anti-virus solutions. 4. Microsoft has released a patch only for Windows XP, Windows 2003 Server and MS Office. There is no patch available or planned for Windows 9x, Windows NT, Windows 2000 platforms although they are still in use. 2. Needed: A New Paradigm in Content Security Up until now, all graphic files, including JPEG, were considered safe and were not inspected. This now incorrect assumption is exacerbated by the fact that many organizations only have two levels of anti-virus defense -- desktop anti-virus and antivirus. Both of these defenses are completely inadequate to protect against this vulnerability and can allow hackers to easily implant viruses through exploited JPEG files. Desktop anti-virus limitation Desktop anti-virus can only see and inspect files written or downloaded to the hard drive. However, JPEG files are rendered by the browser in memory and as soon as the first chunk of data arrives from the web server, the browser will start processing it; this increases the possible buffer overflow and execution of the embedded virus. anti-virus limitation In case of anti-virus, the infected image will in most cases reside on a web server with the having just a link to it (see scenario 3 below). Conventional anti-virus products, which reside on an Exchange server or on an SMTP relay, will see nothing suspicious or malicious in the -- just a regular link -- and will allow it in. Outlook or Outlook Express clients will then download the requested image from the web server via the HTTP protocol. As the user is viewing the the exploit initiates. Circumventing file inspection Most anti-virus products can now be configured to inspect JPEG images. The problem, however, is that they rely on the file extension to identify a file as a JPEG. There are many JPEG extensions, such as the common.jpg and JPEG extensions, as well as lesser known ones such as SJP and HSI. File extensions could also be changed by hackers to BMP, GIF or others. But probably the most problematic extension issue is that Internet Explorer, Outlook and other applications would process a JPEG image even if the extension is as random as ABC. Relying on patches is not enough The availability of Microsoft security patch is also not the answer. Organizations cannot fully rely on this "You can set your antivirus scanner to look for JPEG, but the trouble is that you can change the file extension on a JPEG to so many things." "Internet Explorer processes JPEGs before it caches them. That could also mean that desktops may become infected before antivirus software has a chance to work." patch because they might still use Windows 2000 servers or other legacy systems that cannot be patched. The most serious risk is the lack of total control of what is connected to the network. A non-patched desktop or laptop, or a newly installed operating system that is not yet patched, could always be connected to the local area network. It just takes one vulnerable computer to contaminate the entire network or create a backdoor into the organization Aladdin Knowledge Systems. All rights reserved 4-11

5 From now on, it is not enough to rely only on a desktop and anti-virus solutions. Organizations MUST implement gateway solutions that inspect for vulnerabilities in JPEG files coming from the web via HTTP and FTP protocols, and also make sure that the solution is secured against spoofing. 3. Practical Exploit Scenarios Below are a few typical scenarios in which the JPEG vulnerability can be exploited, along with descriptions of the associated problems. Scenario 1: Attachment Method: An attacker sends an with an attached JPEG file containing malicious code. The code is executed the moment the image is viewed or previewed in Outlook / Outlook Express, or opened in a vulnerable associated application. Solution: Inspect all attachments. Most anti-virus solutions were updated to inspect JPEG attachments. Problems: Some anti-virus products do not know how to handle file spoofing and rely on file extension and MIME type for identification as images. Scenario 2: Image on a Web Page Method: An attacker places an infected image on a web server, possibly as part of web page content. An image on an FTP server could be linked in a web page or accessed directly. The code is executed the moment the image is viewed in an infected application such as Internet Explorer Aladdin Knowledge Systems. All rights reserved 5-11

6 Solution: Inspect all JPEG files in web pages (HTTP and FTP traffic.) Problems: Most gateway solutions do not inspect JPEG files in HTTP and FTP. Mainstream solutions that do inspect HTTP/FTP traffic are proxy-based and must cache the images before inspection. Some proxy solutions also have to copy the file from the caching proxy to the content security server, resulting in serious performance impact. In addition, proxy servers will now be forced to inspect 80% more files that were not inspected in the past. This fact alone could mean over 5 times slower HTTP inspection. Scenario 3: with a linked image Method: An attacker or spammer sends an containing an HTML image link to a JPEG containing malicious code. The JPEG itself resides on a web server and is automatically downloaded via HTTP when the is viewed or previewed. The code is executed the moment the image is viewed or previewed in Outlook / Outlook Express. As seen in the example above, the HTML content will be inspected by anti-virus products, but the image will be transparently downloaded via HTTP and will not be inspected by the anti-virus solution. To the right of the image we can see the HTML coded image link to a web server Aladdin Knowledge Systems. All rights reserved 6-11

7 Solution: Inspect all and all HTTP traffic for JPEG exploits. Problems: Conventional solutions either only inspect JPEG files in SMTP or suffer from the HTTP limitations discussed in Scenario The Theoretical Mega Virus Taking the scenarios above and expanding on them, it is clear that some highly threatening new mega viruses based on the JPEG exploit could emerge in the near future. Imagine a JPEG worm that, upon infection of a vulnerable PC, connects to a specific destination on the Internet, downloads more malicious code, hacker tools and back doors, and then creates a local mini web server. Below is a theoretical evolution of such a JPEG mega-worm: 1. Attack starts with the arrival of infected content. This might be via , instant message or other means. 2. As the image is viewed, the exploit executes and contacts another computer of the hacker or an infected system. 3. Malicious payload is downloaded directly from the remote computer. This can include a variety of hacking tools, backdoors, remote control Trojans, spamspreading tools, etc. 4. The now infected computer starts spreading via multiple methods: - with image links - links to infected web sites - instant messenger links - instant messengers image file transfers - P2P image collections - chat room file transfer and links 5. With most of the infection methods, the image itself will be downloaded via HTTP from the original computer which now acts as a web server hosting the image files Aladdin Knowledge Systems. All rights reserved 7-11

8 5. Site Owners Problems Site owners, especially community sites as well as hosting farms, could face a serious situation where their sites are the source of malicious code. Beyond the obvious problems raised by such a scenario is the increased risk of legal liability. Some potential examples include: Newsgroup sites: many newsgroups are allowing web access to image files. Because of the relative anonymity, newsgroups are one of the first "test sites" for such attacks -- as we have already seen in the JPEG vulnerability. Forum sites: many of these sites allow users to upload images or even worse, use images as signatures in all their postings -- greatly increasing the exposure potential. Community sites: MSN and Yahoo communities, among others, allow the creation of photo albums. ecommerce sites: many ecommerce sites such as ebay, and many community portals, allow sellers to upload images of the goods they sell. Creating infected "too good to be true" ads will guarantee many viewers. Photo sites: Many photo-serving sites exist which allow users to upload images. The images can be linked in other sites or sent by . Googling: Google and other web image search services could provide easy access to infected images. 6. The Shortcomings of Existing Solutions As mentioned before, desktop solutions inspect only files written to disk -- but not code that runs in memory, as can happen with the JPEG exploit. Mail server anti-virus solutions are limited by the fact that they do not inspect images that are downloaded or linked in HTTP. While most gateway-level security solutions inspect JPEG attachments, most do not inspect JPEG files in HTTP and FTP (see exploit scenarios 2 and 3 in Section 3). Conventional solutions that do inspect HTTP/FTP traffic are proxy-based, and cache the images before inspection. Some proxy solutions also require that the file be moved from the caching proxy to the content security server, significantly impacting performance. The problem with caching and proxybased solutions is that they have to download the entire file before it is sent to the client, because existing anti-virus solutions are unable to inspect files packet by packet. It is also not permissible to release small parts of the file before inspection is completed -- as is done today by some solutions in order to overcome Chart 1: Proxy-based AV scanner workflow 2004 Aladdin Knowledge Systems. All rights reserved 8-11

9 the time-out problem -- because the browser starts processing JPEG files even if partially downloaded and this can trigger the vulnerability. To overcome the spoofing problem of sending infected JPEG files with different extension or content type, proxy solutions now must send 100% of the passing files to the external antivirus product and can no longer rely on filtering the content beforehand (e.g., send only ZIP and EXE files). Some proxy solutions claim very fast performance, but this is only true in the case of files that were already cached. In reality, a proxy cache approach delivers only about 30% to 40% of browsing content, with the rest being new files which will have to be inspected prior to being cached. 7. A New Approach to Blended SMTP-HTTP attacks The only practical gateway content security technology on the market today that can deal with JPEG exploits is Aladdin s patented NitroInspection technology. esafe Gateway with NitroInspection is able to correctly identify (prevent file spoofing) and inspect JPEG files with a minimal impact on browsing performance. The JPEG files are identified using a binary identifier in the file header (a magic string) regardless of the file extension or the content type sent by the web server, thus preventing a common spoofing technique used by hackers. Once the JPEG file is identified, its session is handled by the NitroInspection real-time inspection engine, which inspects data in each packet as they arrive and does not wait until the entire file is downloaded before inspection. This leads to a lower latency and no visible impact on the users' browsing experience. Chart 2: esafe with NitroInspection technology All "good" JPEG files will continue to gradually build-up on screen as they are being downloaded, and "bad" files will instantly be blocked before they have a chance to arrive at the browser. esafe solution Benefits: JPEG inspection is performed while files are in transit -- no time-consuming file caching like all other solutions which are proxy-based. JPEG inspection is completely transparent and has minimal impact on web content security performance Aladdin Knowledge Systems. All rights reserved 9-11

10 JPEG exploits are now blocked in HTTP and FTP traffic as well as SMTP. This is extremely important as can be seen in exploit scenario 2 in Section 3, above. JPEG inspection is integrated into esafe's NitroInspection engine. JPEGs are positively identified by binary signature in the file header to prevent spoofing. 8. The Six New Content Security Requirements IT professionals today are charged with the security of their organization s data, compliance with all applicable privacy and confidentiality regulations, and the effective performance of mission-critical applications in support of business requirements. The JPEG vulnerability presents a serious threat to all of these, and dictates a new way of implementing content security: 1. Don t rely on SMTP or internal mail server content inspection. A complete solution must be a gateway solution and must inspect HTTP and FTP in addition to SMTP. 2. Identification of JPEG files should not rely on extensions, or content type, to prevent spoofing. 3. JPEG files should be inspected packet-by-packet in real time to eliminate latency. Users should not have to wait until the entire file is downloaded and inspected by the proxy. 4. All parts of the JPEG file must be fully inspected before being released to the client. Solutions cannot rely on partially releasing non-inspected content. 5. The gateway solution must not pose any delays and timeouts or create any visible impact on users' browsing experience -- either when cached JPEG files are delivered or when new images are downloaded. 6. For hosted web sites that allow file uploads, inspect all uploaded JPEG files Aladdin Knowledge Systems. All rights reserved 10-11

11 Contact Information For more info: ealaddin.com/esafe International North America UK Germany Benelux France Israel Japan Spain T: , T: , T: , T: , T: , T: , T: , T: , T: , About Aladdin Knowledge Systems Aladdin (NASDAQ: ALDN) is a leader in digital security, providing solutions for software digital rights management and Internet security since 1985, serving more than 30,000 customers worldwide. Aladdin products include: the USBbased etoken device for strong user authentication and e-commerce security; the esafe line of integrated content security solutions that protect networks against malicious, inappropriate and nonproductive Internet-borne content; and the HASP family of hardware- and software-based products that flexibly protect, license and distribute software and intellectual property. Visit the Aladdin Web site at For free trial software, success stories and additional white-papers, visit esafe.com. If you would like to obtain pricing or suggestions on esafe for your organization s architecture, please contact one of the Aladdin offices listed above Aladdin Knowledge Systems. All rights reserved 11-11