Vmyths.com



Truth about computer security hysteria

Still waiting for JPEGs to kill the Internet, part 2

Rob Rosenberger, Vmyths co-founder
Monday, 25 October 2004

ON 29 SEPTEMBER, computer security vendor Finjan "warn[ed] that the global internet [sic] community is facing one of the greatest threats ever seen from the Internet." Diabolical employees at Finjan's "Malicious Code Research Center" found a way to make "extremely dangerous" JPEG files. And they bragged about it on a popular computer security mailing list.

"Finjan believes that the potential damage caused by this threat could be devastating in its global harm and outreach," CEO Shlomo Touboul hissed. "It would be equivalent to the most malicious internet Worm [sic] ever seen so far."

I wanted to tell you about Finjan's dire revelation on 1 October. I really did. But {yawn} it slipped my mind for some strange reason. My bad.

Microsoft issued a patch two weeks before Finjan made their discovery — yet Touboul's folks didn't recommend that patch. Instead, Finjan urged everyone to download their "proactive" ex post facto elixir.

Our longtime readers will recall Finjan pulled almost exactly the same PR stunt in 1999. Click here to see the previous "biggest security hole in Internet history."

So. We now stand at 41 days since Microsoft released a patch to fix a JPEG image processing vulnerability — and 26 days since Finjan announced their own website can destroy the Internet. This forces us to ask an obvious question: "where are the mass graves?" Based on what the experts predicted in September, you should be sprinkling lime over your loved ones by now. At the very least, Arlington National Cemetery should be swamped with burials for cyber-warriors who gave their lives for a global spamocracy.

This JPEG vulnerability is, to quote Finjan's CEO, "devastating in its global harm and outreach." It'll take weeks for fingernails to grow out at the U.S. Department of Homeland Security. They know America could plunge into martial law if cyber-terrorists attack us with JPEGs one day before the presidential election.

I think Daily Show correspondent Steve Carell said it best. "Not only will this be the scariest Halloween ever, it will also be the scariest Thanksgiving and the scariest Christmas." All thanks to a ubiquitous image file format.


LET'S IGNORE THE absence of mass graves for a moment. We need to ask a different question: "why don't reporters continue to show an interest in this horrifying JPEG story?" Mainstream newswires completely overlooked two earth-shattering developments:

  1. In a written statement, terrorist Abu Musa al-Zarqawi said JPEG now stands for "Jihad Palestine Electronic Gaza." He called on his followers to launch "suicide cyber attacks" using diabolically hand-crafted image files. However, there was no way to independently verify the statement's authenticity.
  2. The U.S. Occupational Safety & Health Administration now classifies JPEGs as "a potential hazard to workers who use computer equipment." OSHA has developed a new hazard symbol "that must be posted conspicuously wherever workers may be exposed to JPEGs, including employees' domiciles if they telecommute."

Doesn't the media realize we stand on the brink of imageddon? How can they focus on a second-rate presidential election when the fate of a first-world nation hangs in the balance? I mean, come on! We replace a president every 4-8 years; we can never replace the Internet.

Then again, this lack of press coverage may not be the media's fault. The more I think about it, the more I think we should blame secretary Tom Ridge at the U.S. Department of Homeland Security. I visited Ready.gov, his official "how to survive terrorism" website, and it still doesn't tell citizens what to do when Al Qaeda launches that big cyber-terror attack senator Charles Schumer and congresswoman Zoe Lofgren worry so much about.

Ready.gov reads like a "Worst Case Scenario" handbook. It tells you how to survive biological & chemical attacks, car bombs, nuclear explosions (!), and even your run-of-the-mill natural disasters — but it doesn't tell you how to survive a "suicide cyber attack." It urges you to stock up on duct tape, but it doesn't say squat about antivirus software or a hardware firewall.

Okay, okay. Enough sarcasm.

I spoke with Mikko Hyppönen (F-Secure) earlier this month and he seemed rather blasé about Microsoft's JPEG image processing vulnerability. In fact he summed it up quite nicely to a ZDNet reporter: "there was a similar vulnerability found two months ago in Bitmaps, and no one has exploited that yet."

Jimmy Kuo (McAfee) and Alex Shipp (MessageLabs) seemed equally blasé about it when I talked to them about JPEG threats. To paraphrase Kuo: it's just one more abused file format.
