
JASystems

On September 14, Microsoft issued a security bulletin alerting users to an image-processing vulnerability affecting several pieces of software, including Windows XP. Within days, a proof of concept of a viral exploit was available on the Internet. Shortly thereafter, sample code, called "JPEG of Death," and a hacking tool for generating malicious programs were also circulating in the cyber-underground.


The quick work of the virus makers isn't out of the ordinary. What makes this threat different from most viruses, worms, and other malware is that no user intervention is needed to launch it. For example, simply visiting a webpage displaying a tainted image or reading an HTML-rendered e-mail message may be all that's needed to execute hidden code. Within two weeks of Microsoft's bulletin, JPEG images that attempted to use this method to install Trojan horses were posted to several newsgroups.


These early attempts are crude and, lacking a method to replicate, are not true viruses. But as the tools and techniques for embedding malicious code in images continue to evolve, more sophisticated attacks may be right around the corner. In fact, eWeek recently reported on a version that uses the JPEG bug to download Trojan horses that cause an infected system to send out spam for phishing scams.

 

How it works


The JPEG viral exploit takes advantage of a bug in Microsoft's Graphics Device Interface Plus (GDI+), which is used by the operating system and several applications. Code embedded in a JPEG's comments section can cause a buffer overflow condition and expose systems to remotely executed programs, spyware, intrusion, and other attacks. This PC Magazine article gives a more detailed explanation of the JPEG exploit's mechanisms.

This vulnerability affects a wide range of software that uses GDI+, including:

Microsoft Windows XP and Windows XP Service Pack 1
Microsoft Windows XP 64-Bit Edition
Microsoft Windows Server 2003
Microsoft Windows Server 2003 64-Bit Edition
Visual Studio .NET 2002 and 2003
.NET Framework 1.0 SP2, 1.0 SDK SP2, and 1.1
Microsoft Office XP SP3 and Office 2003

Avoiding the threat


Fortunately, protecting Windows systems and PCs from this vulnerability is fairly straightforward and painless. By installing Windows XP Service Pack 2 and Microsoft and third-party patches now, you can correct the flaw in GDI+ before a serious JPEG worm rises from the hacker underworld.


Install Windows XP Service Pack 2.
Run Windows Update to detect and install other necessary patches.
Microsoft Office users should run Office Update to detect and install needed patches.
Install software patches from third-party applications. Some non-Microsoft applications use GDI+. Visit their websites for information.
Update anti-virus software.

Complete instructions and details, including a full list of affected Microsoft applications, are posted in Microsoft Security Bulletin MS04-028.


To further protect yourself and your computer, always make sure you trust the Web site and the company behind it so you can avoid malicious programs. As for e-mail, if you don't recognize the sender or they aren't in your address book, don't take chances by opening the message.



The opinions expressed in this column are those of the author, not of JASystemsInc.com. All answers are intended to be general in nature, without regard to specific geographical areas or circumstances, and should only be relied upon after consulting an appropriate expert, such as an attorney or accountant.