On Sep 28, 2004, at 1:44 PM, Brion Vibber wrote:
> On Sep 28, 2004, at 9:50 AM, Stephan Walter wrote:
>> What about the JPEG bug in Windows/GDI+?
>> http://www.easynews.com/virus.html
>
> At least there's a *patch* for that. If you're up on your Windows
> Updates, IE should not be vulnerable to that AFAIK.
>
>> Is there some test that the image file is valid?
>
> There is, but I'm not sure if it catches this problem; I'll have to
> check.

That particular file ('possibleVirus.jpg') does not pass our validity
test, and is thus not accepted for upload. I haven't (yet) scanned
existing uploads for this particular vulnerability, but the validity
check was up before Easynews's page about the exploit hit slashdot, at
least.
Note that this check is new and not yet in a 1.3 release package. Stock
1.3.3 does not check uploads for validity; I will try to get a 1.3.4
package out soon but am fighting with Internet Explorer's other
stupidities.

-- brion vibber (brion @ pobox.com)