Windows JPEG Exploit Ventures into the WildBy Ian Betteridge | Posted 2004-09-28 Email Print
Re-Thinking HR: What Every CIO Needs to Know About Tomorrow's Workforce
The first example appears in the wild as a program that installs a Trojanraising fears that more sinister exploits could be on the way.The first example of a working program designed to exploit a bug in Microsoft's GDI+ librarywhich allows malicious code to be run simply by viewing a JPEG imagehas been found in the wild.
EasyNews, a provider of Usenet newsgroup services, claimed it had already found two images containing code designed to take advantage of the flawby downloading remote control software to infected machines. In theory, this would give the creators of the images access to both files on infected machines, as well as giving them the ability to run remote programs on them.
According to a posting on EasyNews' Web site, the company "wrote a quick and nasty script to scan every JPEG that comes onto EasyNews.com. It paged my cell phone at 6:47 p.m. PDT on Sept. 26 for the first hit, and 7:52 p.m. PDT for the second hit."
Although the examples found by EasyNews do not replicate, the discovery of code exploiting the bug in the wild is bound to raise fears that other, more sophisticated programs exploiting the JPEG bug will appear.
The found images exploit a vulnerability in the Microsoft GDI+ Type Library that allows a specially formed JPEG image to compromise the system and execute any arbitrary code, even when simply viewing the image in an HTML e-mail. The problem is particularly acute because anti-virus products do not always scan nonexecutable files, although it is understood that a version of Norton Anti-Virus 2005 patched with virus definitions dated Sept. 15 is capable of spotting a malicious JPEG.
Microsoft has already issued patches for the problem. But as the problem affects many Microsoft productsincluding Windows XP, Windows Server 2003, Office XP and 2003 and .NET Framework 1.0there are likely to be many unpatched systems and applications online.
Windows XP Service Pack 2 (SP2) is not affected, although SP2 users may need to acquire patches for applications they use. Windows 98, ME, NT and 2000 are also not affected, but they may run applications that are. Users can check for updates at Microsoft's security Web page.
Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.