Blocking JPEGs No Defense Against Windows Vulnerability

One of the standard security tactics enterprises apply won't work when defending PCs against threats posed by the image processing flaw found last week in Windows and numerous applications, security experts said Tuesday.

The JPEG bug in Windows XP and Windows Server 2003, as well as in a host of both Microsoft and non-Microsoft applications, can't be defended by blocking JPEG images at the gateway, said John Pescatore, vice president of Gartner's Internet security group.

"You can't simply block against this threat by file extension," said Pescatore, "since hackers could simply rename the file type and Windows would still process it as a JPEG. You'd pretty much have to block not only every image, but every file attachment to make this work. And you can't block everything."

The vulnerability's most likely avenue of exploit, experts said last week, is through delivering specially-crafted JPEG image files via e-mail. Users who open the attachments could put their computer at risk of hacker hijack.

Marcus Sachs of the Internet Storm Center seconded the motion. "If you decide to block JPEG attachments in e-mail, then you also need to consider blocking instant messaging, P2P, Web surfing, and 'allowed' attachments that could contain images, such as Microsoft Office applications," he wrote in an online advisory. "While it sounds like a easy quick-fix, blocking JPEG attachments is the wrong way to attack this problem. Save your energy for security battles that are more worthwhile."Instead, patch the operating system and the vulnerable Microsoft applications, particularly Office, as quickly as possible, urged Pescatore.

"Take away the browser and the [Outlook] e-mail client [from hacker exploit] and you've made it a whole lot harder for them," he said.

Most of Gartner's enterprise clients, said Pescatore, are feeding the Windows and Office fixes directly into their standard update and patching mechanisms, then waiting for other third-party vendors whose products may be vulnerable to announce fixes.

Fast patching is the best defense against the bug, agreed Ken Dunham, director of malicious code research at security intelligence provider iDefense. "Every day that goes by without a remote code execution exploit lowers the threat level for this vulnerability," he said.

Both Pescatore and Dunham noted that although proof-of-concept code has been circulating since last week, it's of minimal value to hackers, since all it can do is crash the targeted computer. "It's harder to create an exploit that lets an attacker run arbitrary code on the compromised machine," Dunham said."We don't consider this highly 'wormable,' " added Pescatore.

That could change, of course, if code was created and shared within the hacker underground which could allow for code to be run on the target PC to, for instance, download a Trojan backdoor or install a keylogger.

Pescatore and Dunham separately brought up the example of 2003's big-deal Slammer worm as one that took advantage of a similarly-widespread vulnerability. "One of the reasons why Slammer spread so fast," said Pescatore, "is that the vulnerable component was included in so many products, 97 by Microsoft's count. Not only do enterprises have to patch the operating system against the JPEG vulnerability, but they have to patch Microsoft products and third party products. That's what really screws it up."

"This reminds me of the Slammer situation," said Dunham. "Not in the severity of the threat, but that this JPEG vulnerability, like the SQL vulnerability, creates a complicated patch issue and so is something that will remain vulnerable for an extended period of time."