Network Computing is part of the Informa Tech Division of Informa PLC

Picture Processing Bug Puts Windows At Critical Risk

As part of its monthly patching cycle, Microsoft on Tuesday rolled out a pair of security bulletins, including one rated "critical" that affects a bewildering array of the company's operating systems and applications, and puts systems at risk of hacker hijack.

Security Bulletin MS04-028, dubbed "Buffer Overrun in JPEG Processing," affects Windows XP, Windows XP SP1, and Windows Server 2003, as well as a host of Microsoft applications, most notably those in the Office XP and Office 2003 suites.

The vulnerability, which Microsoft ranked as "Critical," the highest threat level in its four-step system, stems from a flaw in the processing of JPEG images, the ubiquitous format used for digital images. Virtually every digital camera, for instance, produces pictures in .jpg format, while the bulk of Web sites use images in that file format.

"Any time a vulnerability affects so many products, and can be used [by attackers] to do almost anything, it's cause for concern," said Craig Schmugar, a research manager at McAfee. "But we've not seen any proof of concept code for this, much less a working exploit."

The buffer overrun could be exploited by attackers who entice users to a Web site hosting specially crafted images or, even more dangerous, who simply send HTML e-mail messages with attached images to users of Outlook 2002 or Outlook Express 6. Other attack avenues include Office documents with embedded .jpg images, or dropping images onto a network share and then getting users to preview the pictures with Windows Explorer.
