There are rumours going around about a jpeg exploit.

I have been contacted by a few people asking whats going on and are they safe.

My Answer is Yes, your safe. There are NO exploits at the moment.

The only exploit was the Buffer Overrun in JPEG Processing (GDI+) that could allow Code Execution. But that was 2 years ago. All software was patched, and windows update had the GDI+ fix.

Please don't worry about this. More info here:

http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

Yes I had a few people ask me about this too. I don't know where it started but there are NO current active jpeg exploits. As Micron said, the Windows one, from two years ago, was patched long ago.

The only other thing that could have started this possibly out of confusion is new image and format exploits in Quicktime software. All users are strongly urged to upgrade to newly released Quicktime 7.1.

See info on Quicktime vulnerability here :
http://www.us-cert.gov/cas/techalerts/TA06-132B.html

Thanks for the clarification guys :king:

8) This is the first positive thing I've read so far. I was beginning to doubt the time table of the threat.
Thanks Folks!

Seems there is still some confusion, this was sent to me at another security forum,

Unforutnately this info is wrong...as the thread is REAL.

I talked to our experts and they checked on things.

They had stated that Paul at CastleCops actually ran some tests and the exploit is very much a real one.. unfortunately.

Also, I was wondering, is there any threat from using a 'hosted' jpeg from say ImageShack to use at a forum ?

I also heard of this source before I posted, and again. It looks like he is the only person in the world that's aware of this.

We affiliate and are members of so many 'Official' Security sites and products, and there is no mention of any said exploit. And besides, Castlecops claim to have stumbled upon this exploit, if so, why keep it amongst themselves and selfishly create a fix, without letting the rest of cyberland know?

At this stage, I question anything that Castlecops come up with. I don't rate them anyway as the ccsp 'training' is a bit of a mess and mostly taught by techie wannabees with conflicting information.

As I mentioned, sites like Neowin, Bink, and top Security Sites like: http://secunia.com/ and http://www.idefense.com/ have nothing and also claim there is no threat.

Saying this though, If there is an exploit and CCSP have found it, then good on them and well done for uncovering it. But, my original post is not wrong either (before someone comes and tells me it is). I stated that the is NO Exploit 'Publically' at the moment.

Conjecture, like whatever ccsp members have passed around is what makes people unduley panic (and its working, because it has people taking measures already). So until the real proof comes out, I'm sticking to my guns and stating there is No threat.

Most forums have protection against this, usually gd settings or other forms. So at present you would be safe. All forum providers would have patched this if it were true.

If there is an exploit whoever discovered it is keeping it to themselves, because there is zero mention of one on major security sites such as Micron said.

I also trust the Cert center sites as ones that would almost immediately have info on it once the exploit was public, and there is nothing.

http://www.cert.org/nav/index_red.html
http://www.us-cert.gov/cas/alerts/
http://www.us-cert.gov/cas/techalerts/

Thanks, there seems to be unwarented panic spreading, even to the point of sites banning any type of jpg whether they are uploaded or hosted.

Oh yea, I posted several jpg's here lately, beware!! :wink:

haha post away.

We back up the server a few times a day, and have a cron job (automated script) to back up certan databases every hour, so if we got hacked due to any exploit, we would be back in no time. The site and database are mirrored too, so in the event of a problem, the other backup will be implemented.

Im not worried. So feel free to keep posting. If an exploit happens, then precautions will be taken.

the sky is falling........

We have scaffolding.

Good to see you.

As far as I have heard late yesterday - the alarm is groundless.