As part of its monthly patching cycle, Microsoft on Tuesday rolled out a pair of security bulletins, including one rated "critical" that affects a bewildering array of the company's operating systems and applications, and puts systems at risk of hacker hijack.
Security Bulletin MS04-028, dubbed "Buffer Overrun in JPEG Processing," affects Windows XP, Windows XP SP1, and Windows Server 2003, as well as a host of Microsoft applications, most notably those in the Office XP and Office 2003 suites.
The vulnerability, which Microsoft ranked as "Critical," the highest threat level in its four-step system, stems from a flaw in the processing of JPEG images, the ubiquitous format used for digital images. Virtually every digital camera, for instance, produces pictures in .jpg format, while the bulk of Web sites use images in that file format.
"Any time a vulnerability affects so many products, and can be used [by attackers] to do almost anything, it's cause for concern," said Craig Schmugar, a research manager at McAfee. "But we've not seen any proof of concept code for this, much less a working exploit."
The buffer overrun could be exploited by attackers who entice users to a Web site hosting specially crafted images or, more dangerously, who simply send HTML e-mail messages with attached images to users of Outlook 2002 or Outlook Express 6. Other attack avenues include Office documents with embedded .jpg images, or placing images on a network share and then getting users to preview the pictures with Windows Explorer.