Possible Security Threat on JRef?

Pachipro

FYI. While checking the link for "Who's Online" I clicked on a link that either a guest or a spider was viewing. My intrusion detection system notified me that someone was trying to get into my computer.

This is the information:

Time: 10:26AM CDT
Date: 10/27/2005
Intrusion: ICC Profile TagData Overflow
Intruder: eupedia.jref.com(67.19.168.133)(http(80))
Risk Level: HIGH!
Attacked IP: localhost
Attacked Port: 2132

When I clicked on more info about the ip address I was informed of the following:

IP address: 67.19.168.133
Network: theplanet.com
Location: Dallas, Texas, USA
Node Name: 133.67-19-168,reverse.theplanet.com

Here is additional info I was given by my security software:

OrgID: TPCM
CustName: ThePlanet.com Internet Services, Inc.
Street: 1333 North Stemmons Freeway
Street: Suite 110
City: Dallas
StateProv: TX
Country: US
PostalCode: 75207
RegDate: 1999-08-31
Updated: 2004-05-07
ReferralServer: rwhois://rwhois.theplanet.com:4321
OrgAbuseHandle: ABUSE271-ARIN
OrgAdminHandle: CROSB-ARIN
OrgNOCHandle: TECHN33-ARIN
OrgTechHandle: TECHN33-ARIN

NetHandle: NET-67-18-0-0-1
OrgID: TPCM
Parent: NET-67-0-0-0-0
NetName: NETBLK-THEPLANET-BLK-11
NetRange: 67.18.0.0 - 67.19.255.255
NetType: allocation
RegDate: 2004-03-15
Updated: 2004-07-29
NameServer: NS1.THEPLANET.COM
NameServer: NS2.THEPLANET.COM
TechHandle: PP46-ARIN

TechHandle: PP46-ARIN
TechName: Pathos, Peter
TechPhone: +1-214-782-7800
TechEmail: [email protected]

OrgAbuseHandle: ABUSE271-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-214-782-7802
OrgAbuseEmail: [email protected]

OrgTechHandle: TECHN33-ARIN
OrgTechName: Technical Support
OrgTechPhone: +1-214-782-7800
OrgTechEmail: [email protected]

OrgAdminHandle: CROSB-ARIN
OrgAdminName: Crosby, Lance
OrgAdminPhone: +1-214-800-6008
OrgAdminEmail: [email protected]

OrgNOCHandle: TECHN33-ARIN
OrgNOCName: Technical Support
OrgNOCPhone: +1-214-782-7800
OrgNOCEmail: [email protected]

Here is additional info concerning the attack:

ICC Profile TagData Overflow
Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.



Description

This signature detects a buffer overflow condition in icm32.dll, exploited by rendering a malicious image file.


Additional Information

A buffer overflow has been reported in the icm32.dll. If the image contains International Color Consortium (ICC) data, icm32.dll will be loaded to process it.

A buffer overrun vulnerability exists in the processing of images that contain a large ICC tag data size for any of the following tag entry signatures:

1) rXYZ
2) bXYZ
3) gXYZ

The purpose of the International Color Consortium® (ICC) format is to provide a cross-platform device profile format. Such device profiles can be used to translate color data created on one device into another device's native color space. The acceptance of this format by operating system vendors allows end users to transparently move profiles and images with embedded profiles between different operating systems. For example, this allows a printer manufacturer to create a single profile for multiple operating systems.



Affected:

All Windows.


Response

Visit the Microsoft Security Bulletin Page for patches.


Possible False Positives

There are no known false positives associated with this signature.

Whether this is serious or not I do not know. But according to Symantec it is. I was unable to use my back button, as when I did I was informed that it was directing me to the attacking IP address. I had to completely shut down Windows and reboot my computer. I am also told that I have a malicious script in my temporary internet files.

Can anyone explain this to me?
 
This problem seems to be related to unpatched versions of Internet Explorer and the way it reacts to certain JPG files. There are ways for hackers to embed code into some picture files but most files that give this error are not hacks. Please make sure your system is patched by using Windows Update.

More info

=> Symantec Security Center
 
Q]And what is the lesson to be learned here, class?

A]Use any browser other than IE!

(Sorry, Mr. Gates! .... but you're gonna have to do something soon .......!)

 
I use FireFox - so is my machine likely to be at risk also, or is it only IE that was made at risk? :?
 
Kinsao said:
I use FireFox - so is my machine likely to be at risk also, or is it only IE that was made at risk? :?
MS IE is filled with bugs etc. Why do you think they almost have an update every 5 minutes :eek:
 
By looking at that picture in your sig, Kinsao, it looks like you are already at risk :p
 
Index said:
By looking at that picture in your sig, Kinsao, it looks like you are already at risk :p

You don't think Kouji-san is manly? :eek: I don't think he'd be best pleased..... :box: :LOL:
 
Luckily I was not affected by this intruder as my Symantec security software stopped it. The "malicious script" message I got was because of the Symantec Security software preventing my provider's "desktop doctor" from accessing my computer. I ran a virus scan and am clean and was not affected.

I hope everyone is using some kind of protection as I am attacked by trojan horses from China and Korea at least 2-3 times a week!
 
Pararousia said:
I have my entire computer wrapped in latex.

So ... your PC has a latex fetish .... ?

Hmmmm! ....... Methinks that's a little too much information, Pararousia .....! :rolleyes:

 
Pachipro said:
Luckily I was not affected by this intruder as my Symantec security software stopped it. The "malicious script" message I got was because of the Symantec Security software preventing my provider's "desktop doctor" from accessing my computer. I ran a virus scan and am clean and was not affected.

You won't get any attack from eupedia.jref.com. This is just the Europe Photo Gallery, and all the photos uploaded there must be approve to appear. I suppose that you got this warning message when reading a thread with pics attached from the gallery (like the one about European vs Japanese architecture). These are my pictures, so there is no risk at all.
 
thomas said:
This problem seems to be related to unpatched versions of Internet Explorer and the way it reacts to certain JPG files.

There was a security vulnerability reported last year (CAN-2004-0200), for which a security update was released. The earlier issue explicitly dealt with JPEG files and shouldn't be confused with this similar-sounding exploit.

The vulnerability Maciamo is talking about is related to the Color Management Module in Microsoft Windows (all versions from '98 onwards), which loads when it is required to process certain profile data of both image and non-image files. It is a Windows vulnerability which affects a wide range of files (not just JPEG) and is not limited to Internet Explorer. Downloading the patch mentioned earlier in the thread will fix this problem.

However, given that many users are not well versed in securing their PCs, I would suggest that as a responsible site, JREF should isolate and remove any files that may exploit this vulnerability as quickly as possible.
 
Thanks for the information folks !! Now I have some outside evidence for what my son (Junior in high school here in Nagano, Japan, majoring in electronics--it's a tech school) has been telling me since Summer. . .
Me: "Sho...I really think there's something wrong with your PC, this IE doesn't always work right."
Sho: "Nobody who knows anything about computers uses that...IE is no good."
Me: "But at the office I never have any problems with it at all...."
Sho: "But it's still just no good. Use Opera."
Me: "Sho, you're only a high school student, can you really say that?"
[the above quotes are 80% accurate] (this is just for a joke, here)

I'll keep my eyes open. Thanks Pachipro, and all !! 😌
 
The number of exploits in non-IE browsers (particularly Firefox) has been growing significantly in recent times. This is an inevitable consequence of any high profile software once it starts to gain significant market share. Your browser is a personal choice and while personally I do not use IE, many IT professionals do. It's not true to say that "nobody who knows anything about computers" uses it. However it does have more than its fair share of vulnerabilities, and it's slower and more bloated than some more recent releases from competitors.

These days, it is (sadly) the responsibility of all internet users to ensure that they monitor and take whatever measures possible to secure their PC. While the real villains are the virus/malware writers, if you leave the front-door of your house open when you go out, and return to find someone has stolen your DVD player, you only have yourself to blame. The same is true for protecting your PC. A significant proportion of internet traffic is now taken up by 'zombie PCs' infected with some form of malicious software. Things would run a lot faster for everyone if the owners of these PCs paid more attention to their personal security.
 
Silverpoint said:
However, given that many users are not well versed in securing their PCs, I would suggest that as a responsible site, JREF should isolate and remove any files that may exploit this vulnerability as quickly as possible.

What do you mean by removing those files? Removing all the pictures from the Japan Gallery and Europe Gallery? That won't happen.
 
Maciamo said:
What do you mean by removing those files? Removing all the pictures from the Japan Gallery and Europe Gallery? That won't happen.

You need to check your files (images predominantly) and make sure they are safe. If that means all of them need to be removed then yes, that's what you should do. However I find that extremely unlikely.
 
RockLee said:
MS IE is filled with bugs etc. Why do you think they almost have an update every 5 minutes :eek:

Why do you use IE, when you have to update it every 5 minutes :?
 
Thank you Index. :) :giggle:

Which browser do you guys think is the best? FireFox is quite good but I am still aware that as it becomes more popular there is also the chance of problems. Also, I am puzzled as to why the majority of public computers (at least in the UK) and office computers seem to use IE when it is so vulnerable. Do businesses have better protection from these problems somehow? :?
 
Kinsao said:
You don't think Kouji-san is manly? :eek: I don't think he'd be best pleased..... :box: :LOL:

To be perfectly honest, I thought it was a girl.
 
mikecash said:
To be perfectly honest, I thought it was a girl.

If you could view smilies, I'd be using a lot of the 'lol' smilies here. But I'll spare you, because I'm nice like that. Please... don't tempt me to direct you towards a crotch photo... it's a very nice picture......... *happy smilie here*

Kouji sometimes dresses like a woman, but it never looks very convincing on him - he really is too manly... it makes him look like an unsuccessful drag queen.

Offtopic - me? Never! :LOL:
 
Sensuikan San said:
Q]And what is the lesson to be learned here, class?

A]Use any browser other than IE!

(Sorry, Mr. Gates! .... but you're gonna have to do something soon .......!)


Completely agree! I hate IE (and most microsoft products except Word, Excel, etc) with a passion :p

Anyway, I think there's a thread about other browsers people use. Seems people tend to like Firefox and Opera. Me, I'm on a mac, so I use Camino :)

Kinsao said:
You don't think Kouji-san is manly? :eek: I don't think he'd be best pleased..... :box: :LOL:

I always thought the VK artists intentionally tried to dress androgynously as part of their art, and maybe as a means to remove conventional concepts of masculinity/femininity.
 
lastmagi said:
I always thought the VK artists intentionally tried to dress androgynously as part of their art, and maybe as a means to remove conventional concepts of masculinity/femininity.

You are right and that is true. But Kozi is no longer a member of a VK band and hasn't been for a few years - Eve of Destiny is a "normal" goth band (hence white makeup and unusual clothes). And his solo-ness isn't anything especially VK. My avatar, however, dates from his Malice Mizer/VK time (chosen because I am female and I have no particular wish to mislead anyone by my avatar into thinking I am a guy! :p )
 
Pachipro said:
Can anyone explain this to me?
Norton claims there are no false positives for this signature. I think they are wrong. If you compare the known ICC exploit code to the sRGB IEC61966-2.1 Color Space Profile you will find that the resulting binary data are nearly identical.
Two suggested ways to avoid this problem:
  1. Content creators should remove embedded color profiles from images on their sites. This also reduces file size. ...OR...
  2. Windows users should remove Norton products from their PCs and replace them with better free alternatives.
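The signature text quoted in the first post says the overflow is triggered by an oversized tag data size for the rXYZ, gXYZ or bXYZ entries of an embedded ICC profile, and the reply above suggests that content creators strip embedded colour profiles from their images. As an added example, not code from this thread, from Symantec or from Microsoft, here is a small Python script that does both defensive halves of that: it parses the ICC tag table and flags any entry whose offset plus size runs past the end of the profile (the bounds check a safe parser needs before copying tag data into a fixed-size buffer), and it removes APP2 `ICC_PROFILE` segments from a JPEG so nothing downstream has to parse the profile at all. The sample profile and the JPEG skeleton it is wrapped in are constructed inline for the demonstration; the 20-byte expected size for an XYZType tag comes from the ICC specification (4-byte type signature, 4 reserved bytes, three s15Fixed16 numbers).

```python
"""Added example: bounds-check an ICC profile's tag table and strip embedded
ICC profiles from a JPEG. All sample data below is constructed for the demo."""
import struct
from typing import Dict, Iterator, List, Optional, Tuple

ICC_HEADER_LEN = 128          # fixed-size ICC header precedes the tag table
TAG_ENTRY_LEN = 12            # each entry: 4-byte signature, uint32 offset, uint32 size
XYZ_TAGS = {b"rXYZ", b"gXYZ", b"bXYZ"}
XYZ_TYPE_LEN = 20             # 'XYZ ' sig + 4 reserved bytes + three s15Fixed16 numbers


def check_icc_tag_table(profile: bytes) -> List[str]:
    """Return a list of problems found in the tag table; an empty list means it is sane."""
    problems: List[str] = []
    if len(profile) < ICC_HEADER_LEN + 4:
        return ["profile shorter than header plus tag count"]
    declared = struct.unpack(">I", profile[:4])[0]
    if declared != len(profile):
        problems.append(f"declared size {declared} != actual size {len(profile)}")
    tag_count = struct.unpack(">I", profile[ICC_HEADER_LEN:ICC_HEADER_LEN + 4])[0]
    if ICC_HEADER_LEN + 4 + tag_count * TAG_ENTRY_LEN > len(profile):
        problems.append(f"tag count {tag_count} runs past end of profile")
        return problems
    for i in range(tag_count):
        base = ICC_HEADER_LEN + 4 + i * TAG_ENTRY_LEN
        sig, offset, size = struct.unpack(">4sII", profile[base:base + TAG_ENTRY_LEN])
        name = sig.decode("latin-1")
        # Python ints never wrap, so offset + size cannot overflow here the way a
        # 32-bit addition in C can; a C port must guard that sum separately.
        if offset + size > len(profile):
            problems.append(f"tag {name}: offset {offset} + size {size} exceeds profile length {len(profile)}")
        elif sig in XYZ_TAGS and size != XYZ_TYPE_LEN:
            problems.append(f"tag {name}: size {size}, expected {XYZ_TYPE_LEN} for XYZType")
    return problems


def build_profile(tag_sizes: Dict[bytes, int]) -> bytes:
    """Constructed minimal ICC profile: header, tag table, one 20-byte XYZType blob per tag.
    tag_sizes maps signature -> the size the tag entry *declares* (may be deliberately wrong)."""
    entries, data = b"", b""
    data_start = ICC_HEADER_LEN + 4 + TAG_ENTRY_LEN * len(tag_sizes)
    for sig, declared_size in tag_sizes.items():
        entries += struct.pack(">4sII", sig, data_start + len(data), declared_size)
        data += b"XYZ " + b"\0" * 4 + struct.pack(">iii", 0x0000F6D6, 0x00010000, 0x0000D32D)
    total = data_start + len(data)
    # header: profile size at 0, 'acsp' magic at offset 36, everything else zeroed for the demo
    header = struct.pack(">I", total) + b"\0" * 32 + b"acsp" + b"\0" * (ICC_HEADER_LEN - 40)
    return header + struct.pack(">I", len(tag_sizes)) + entries + data


def _segments(jpeg: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (marker, raw segment) for each header segment; the final yield is SOS plus the rest."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"marker expected at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xDA:                      # SOS: entropy-coded data follows up to EOI
            yield marker, jpeg[pos:]
            return
        seg_len = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, jpeg[pos:pos + 2 + seg_len]
        pos += 2 + seg_len


def _is_icc_segment(marker: int, segment: bytes) -> bool:
    return marker == 0xE2 and segment[4:16] == b"ICC_PROFILE\0"


def extract_icc_from_jpeg(jpeg: bytes) -> Optional[bytes]:
    """Concatenate the APP2 ICC_PROFILE chunks (marker, length, tag, seq, count skipped)."""
    chunks = [seg[18:] for marker, seg in _segments(jpeg) if _is_icc_segment(marker, seg)]
    return b"".join(chunks) if chunks else None


def strip_icc_from_jpeg(jpeg: bytes) -> bytes:
    """Copy the JPEG without its APP2 ICC_PROFILE segments; all other bytes are unchanged."""
    out = bytearray(jpeg[:2])
    for marker, seg in _segments(jpeg):
        if not _is_icc_segment(marker, seg):
            out += seg
    return bytes(out)


def scan_jpeg(jpeg: bytes) -> List[str]:
    """Problems in the embedded profile, or [] if the JPEG has none or it checks out."""
    profile = extract_icc_from_jpeg(jpeg)
    return [] if profile is None else check_icc_tag_table(profile)


def build_jpeg_with_icc(profile: bytes) -> bytes:
    """Constructed JPEG skeleton: SOI, APP0 JFIF, APP2 ICC_PROFILE, SOS, a few fake scan bytes, EOI."""
    app0_payload = b"JFIF\0" + b"\x01\x02\x00" + b"\x00\x01\x00\x01" + b"\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(app0_payload) + 2) + app0_payload
    app2_payload = b"ICC_PROFILE\0" + b"\x01\x01" + profile   # chunk 1 of 1
    app2 = b"\xff\xe2" + struct.pack(">H", len(app2_payload) + 2) + app2_payload
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + app0 + app2 + sos + b"\x12\x34\x56" + b"\xff\xd9"


if __name__ == "__main__":
    suspect = build_profile({b"rXYZ": 0xFFFFFFF0, b"gXYZ": XYZ_TYPE_LEN, b"bXYZ": XYZ_TYPE_LEN})
    jpeg = build_jpeg_with_icc(suspect)
    print("before strip:", scan_jpeg(jpeg))
    print("after strip: ", scan_jpeg(strip_icc_from_jpeg(jpeg)))
```

Run on a real file, `scan_jpeg(open("photo.jpg", "rb").read())` reports nothing for a normal sRGB profile, whose three XYZ tags are each 20 bytes and lie inside the profile, so a scanner keyed to the tag table rather than to byte patterns does not share the false-positive problem described above. `strip_icc_from_jpeg` is the content-creator mitigation: the entropy-coded image data is copied untouched, so the picture is unchanged apart from losing its colour-management hint.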
 
Silverpoint said:
There was a security vulnerability reported last year (CAN-2004-0200), for which a security update was released. The earlier issue explicity dealt with JPEG files and shouldn't be confused with this similar sounding exploit.

The vulnerability Maciamo is talking about is related to the Color Management Module in Microsoft Windows (all versions from '98 onwards), which loads when it is required to process certain profile data of both image and non-image files. It is a Windows vulnerability which affects a wide range of files (not just JPEG) and is not limited to Internet Explorer. Downloading the patch mentioned earlier in the thread will fix this problem.

However, given that many users are not well versed in securing their PCs, I would suggest that as a responsible site, JREF should isolate and remove any files that may exploit this vulnerability as quickly as possible.

Then they'd have to ban signatures... Lemme give you some lessons I've learned about internet security that may help you out.

1. Don't trust Symantec for anything.

2. Don't trust McAfee for anything.

3. You need at least 3 types of antivirus (not 3 programs for AV, but 3 types) for adware, spyware, and malware.

4. Anything can be done through image files, HTML files, and such. Whether or not a hacker could succeed in their attempt depends on how the program being used handles data. The "Jpeg of death" hack can still work with the update, but it won't automatically execute the code inside, so the file is now harmless for Windows people who have the update. Other OSes (such as Mac or Linux or Minuet (sp?)) might still have this vulnerability.

5. Software firewalls can be penetrated, best to get a hardware one. (Note: Routers come standard with hardware firewalls.)

That's all I can think of at the moment.
 