[Linux Eden] How does the "JPEG virus" strike? It all comes down to memory addresses

xiaoxiao2021-03-06  65

To talk about the "JPEG virus", one has to start with memory addresses.

On September 14, 2004, Microsoft released security bulletin MS04-028, covering a vulnerability described as "a buffer overflow in JPEG processing (GDI+) could allow code execution". This is what is being called the "JPEG virus". Below is a report from the official website of Rising:


Rising has issued a red (top-level) security alert. The alert states that Microsoft Windows systems contain a major vulnerability, and that Rising's Internet monitoring lab has already observed attack code for this vulnerability on the Internet. From this it can be concluded that a high-risk new virus, a "picture virus", is very likely to appear in the near future.

Experts say that every Windows user may be attacked by this new virus. Such viruses can be used to attack the user's computer in any way, including formatting hard drives, deleting files, and more. Any message carrying a JPG image is a possible propagation channel for such a virus. It may strike in the following forms: 1. mass mailing, with the virus attached as a JPG picture file; 2. malicious web pages, where merely browsing the JPG files on the page can infect the user; 3. transmission via instant messaging software (such as MSN or QQ) by sending a picture file.

So how does this "JPEG virus" strike, and how much harm can it do? The editor offers a rough explanation here, and everyone is welcome to discuss.

To explain how this virus works, we must first start with memory. Windows memory management divides memory into application space and kernel space, as shown below:

When a JPEG file is opened, the relevant parts of the file are loaded into the red area in application space for processing. This is fine in itself, but Microsoft's operating system and many applications share a characteristic: the location of the JPEG processing module in memory is very fixed. Now this characteristic may hand Gates yet another defeat...

Not only is the address of the JPEG processing module fixed; the starting address of the Windows kernel memory space is also very fixed. What serious consequences does this have? To answer that, we need another concept: overflow.

Overflow vulnerabilities: an old problem in new clothes

As just mentioned, application space contains a module for JPEG processing. When we open a *.jpg file, the system loads the relevant data from the file into this module. What happens if someone deliberately tampers with that data?

If the software is well written, this area has protective measures that do not allow data to "overflow" out of the module; otherwise the overflowing data keeps extending into other parts of memory, which may cause a blue screen and similar symptoms.

But Microsoft has no such protection here! So an attacker can craft data of any length, and the code overflows from the JPEG processing module all the way into kernel space, and kernel space has a characteristic of its own: code there runs with high privileges. In this way an attacker can take full control of the target host, delete files, format hard drives...

With a simple overflow vulnerability alone, however, this is not so easy, because the attacker does not know how much junk code must be padded in front. If the malicious code lands before it reaches kernel space, it does not have sufficient privileges. But as we mentioned, the relevant addresses in Microsoft's operating system and in many applications are very fixed, so the attacker can easily calculate the required code length and perform a "precise splice" right at kernel space. This is also why what needs patching is not only the operating system.
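As an added illustration of the kind of missing length check the passage describes (this is not code from the original post or from Windows/GDI+), here is a minimal parser for one JPEG comment (COM) segment with the bounds checks in place. The byte arrays are constructed samples, and the fixed output buffer size is an assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_COMMENT 64  /* assumed size of the fixed buffer the segment is copied into */

/* Constructed sample: SOI marker, then a COM segment whose 2-byte big-endian
   length (which counts itself) is 0x0007, followed by the 5-byte payload "hello". */
static const uint8_t good_jpeg[]  = {0xFF,0xD8, 0xFF,0xFE, 0x00,0x07, 'h','e','l','l','o'};
/* Constructed sample: declared length 0x0001, smaller than the 2 bytes it must cover. */
static const uint8_t bad_jpeg[]   = {0xFF,0xD8, 0xFF,0xFE, 0x00,0x01, 'h','e','l','l','o'};
/* Constructed sample: declared length 0x00FF, far more than the file actually holds. */
static const uint8_t trunc_jpeg[] = {0xFF,0xD8, 0xFF,0xFE, 0x00,0xFF, 'h','i'};

/* Hardened parser: every value derived from the file's own length field is
   checked against the marker's minimum, the bytes actually present, and the
   size of the destination buffer. An unchecked "seglen - 2" on a length below
   2 would underflow into a huge copy size, and an unchecked copy of a length
   larger than the buffer is exactly the overflow the article talks about.
   Returns the number of payload bytes copied, or -1 for a malformed segment. */
int parse_comment(const uint8_t *buf, size_t len, char *out, size_t outsz) {
    if (len < 4 || buf[0] != 0xFF || buf[1] != 0xD8) return -1;        /* need SOI */
    size_t pos = 2;
    if (len - pos < 4 || buf[pos] != 0xFF || buf[pos + 1] != 0xFE) return -1; /* COM */
    unsigned seglen = ((unsigned)buf[pos + 2] << 8) | buf[pos + 3];
    if (seglen < 2) return -1;                 /* length must at least cover itself */
    size_t payload = seglen - 2;
    if (payload > len - pos - 4) return -1;    /* declared length exceeds the file */
    if (payload >= outsz) return -1;           /* would not fit the fixed buffer */
    memcpy(out, buf + pos + 4, payload);
    out[payload] = '\0';
    return (int)payload;
}
```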

In fact, overflow vulnerabilities are nothing new. The key point is that this problem, combined with very regular memory addresses, is what makes it serious. I wonder whether you have noticed that the "Shock Wave" (Blaster) virus of a while ago also exploited a similar combination of weaknesses.

The author of Shock Wave wrote its code according to the memory characteristics of the Win2000 operating system. Therefore Shock Wave attacks Win2000 perfectly, causing symptoms such as IE opening new windows and the clipboard failing. Because the memory layout under WinXP differs from Win2000, Shock Wave's attack fails on WinXP; by default the system simply restarts, with no other damage.

When reposting, please credit the original source: https://www.9cbs.com/read-88515.html
