_JPEG_ exploit?!

Rick Moen rick at linuxmafia.com
Thu Sep 16 14:27:44 PDT 2004


Quoting Strata R. Chalup (strata at virtual.net):

> I think it's likely to have something to do with extension shuffling, or 
> misleading extension types.  

Exactly what I had in mind.

Microsoft Corp. has a longstanding habit of relying on filename
extensions of untrustworthy files received from remote to determine what
to consider those files to contain (and what viewer / editor to hand
them off to) rather than either examining the file directly or using
MIME type information.  This has gotten them into deep trouble
repeatedly, and I'd be not at all surprised to hear that it's still
happening. 

The practice is _obviously_ incompetent, but as we know, their capacity
for corrective embarrassment at such things is slim to none.

I'd also not be at all surprised to find out that a "security advisory" 
deliberely obscures that fact (if such turns out to be the case).




More information about the Baylisa mailing list