off the Press - Product News & Commentary
Sept. 22, 2004 - IDG Mews
Published Code Targets Flaw in JPEG
Computer code that takes advantage of a flaw in the
way many Microsoft applications process JPEG images has been published
on the Internet and could be a precursor to actual attacks on vulnerable
PCs, experts say.
The code was published late last week, only days after Microsoft revealed
the "critical" vulnerability and made available patches to
fix the problem. Any application that processes JPEG images could be
vulnerable. A wide range of Microsoft software, including versions of
its Windows and Office products, are vulnerable.
This is a Test -
So far only "proof-of-concept" code has been published, which
can cause a vulnerable Web browser to crash or a PC to freeze. A fully
developed exploit would allow an attacker to take control of a victim's
computer by remotely opening a command prompt or downloading and running
malicious software, one expert says.
"Typically a proof of concept is a first step towards a full blown
exploit," says Johannes Ullrich, chief technology officer at The
SANS Institute's Internet Storm Center. "It is an indication that
people are playing with it and experimenting to try and get it to work
for other purposes, typically to open a remote shell or download and
Microsoft is aware of the exploit code and is investigating the matter,
a company spokesperson says. "Microsoft's early investigation of
this code indicates that it can cause a computer that does not have
[the patches] installed to stop responding, but it does not execute
code remotely," she says.
Microsoft urges all
customers to immediately install the software updates it made available
with Security Bulletin
MS04-028. Customers who are still testing the patches should implement
the workaround steps outlined in the bulletin, the Redmond, Washington,
software maker says.
The pattern to exploitation of the JPEG vulnerability is not much different
than with other vulnerabilities, according to the SANS Institute's Internet
Storm Center. Typically proof-of-concept code is published a few days
after details of the flaw are released followed by a hunt to fully exploit
the flaw. A worm or mass mailer is likely to surface by the end of the
month, according to the organization's Web site.
While the race is on to create malicious code and there seems to be a
real possibility for large scale exploitation of the JPEG processing weakness
appears, Ullrich has some hope that it won't be.
"One thing that makes me think that this may not be this big is that
these image format vulnerabilities, there are literally dozens of them,
and for whatever reason they have not been widely exploited in the past,"
To take advantage of the flaw, an attacker would have to persuade a user
to open a specially crafted image file. The image could be hosted on a
Web site, included in an e-mail or Office document or hosted on a local
network, Microsoft said last week. The vendor rates the flaw "important"
for many of its products, but "critical" for Outlook versions
2002 and 2003, Internet Explorer 6 with Service Pack 1, Windows XP (news
- web sites) and Windows XP with Service Pack 1, Windows Server 2003,
and the.Net Framework 1.0 with Service Pack 2 and.Net Framework 1.1.