[Am-info] Microsoft flaws could hit music traders

madodel@ptdprolog.net madodel@ptdprolog.net
Thu, 19 Dec 2002 13:11:29 -0500


In <9EAA2A00-1372-11D7-B628-003065A24662@accidentalexpert.com>, on
12/19/02 at 08:55 AM,
   Mitch Stone <mitch@accidentalexpert.com> said:

>If we tried to discuss every security issue with Microsoft software, 
>we'd have a new topic every five days or so -- but this one does seem 
>different. It appears (at first blush, at least) to be deliberate.

More like a new topic almost daily.  But it keeps all those computer
security firms in business.

<SNIP>

>This is the second time in recent months that Microsoft has had a
>problem with a common multimedia format. In November, the company warned
>that its operating system's mishandling of the PNG (portable network
>graphics) image format could allow a malicious program to compromise a
>person's computer. Microsoft later upgraded the severity of that
>vulnerability to "critical."

<SNIP>

The part about PNG images was reported on the PMView beta list about a
week ago.  PMView is an image viewer for OS/2 and windoze.  It doesn't
execute any embedded programs when one views an image. 

"Microsoft acknowledges this to be a dangerous risk using Internet
Explorer to look at images.

"...warned PC users that the flaw, which occurs in the handling of the
open-source image format PNG (portable network graphics), could enable
malicious programs to run on the victim's system. "It was very misleading
to call it a (moderate) risk," said Marc Maiffret, chief hacking officer
for eEye. "It is an exploitable vulnerability that can attack computers
just by (the user) looking at an image." "

 
The author of PMView, Peter Nielsen, replied:

"Obviously Microsoft has added proprietary stuff to PNG decoding that
involves the possibility of running code embedded in the PNG. I'm not too
surprised. Microsoft probably added this for some proprietary solution to
gain more flexibility or something and now the virus makers use it too
:-)"

So when is it a security flaw and when is it malicious code created
intentionally by microsoft?  How much time is spent at microsoft designing
these flaws into their products, and why do they do so?  And with PNG they
can point to an open source standard and say it is the culprit when in
fact they deliberately wrote code to create the problem.
 

Mark

-- 

 From the eComStation Desktop of: Mark Dodel

Warpstock 2002, In the home of OS/2 - Austin, Texas.  Were you there?   http://www.warpstock.org

For a choice in the future of personal computing, Join VOICE - http://www.os2voice.org

  "The liberty of a democracy is not safe if the people tolerate the growth of private power to a point where it becomes stronger than their democratic State itself.   That in its essence, is Fascism - ownership of government by an individual, by a group or by any controlling private power." Franklin Delano Roosevelt, Message proposing the Monopoly Investigation, 1938