Security News

First JPEG virus on the move

September 16, 2004

Microsoft on Tuesday announced its discovery of a new and potentially critical type of computer virus--malicious code contained in a file in the JPEG graphic format.

It is the first time in the history of PC viruses that merely looking at a photo or picture in JPEG format might jeopardize the security of your machine. "It was someone saying that just looking at a JPEG on your screen can get you a virus," recalls Rob Rosenberg, editor of the debunking site Vmyths.com. "In '94 it was a myth, but in '04 it's the real thing... We've got the JPEG of death now."

The security hole is a buffer overflow that potentially allows an attacker to craft a special JPEG file that would take control of a victim's machine as soon as the file is viewed through Internet Explorer, Outlook, Word, Project, Visio, Picture It, Digital Image Pro and many other programs. The infected picture could be displayed on a website, sent in email, or circulated on a P2P network. The JPEG processing flaw enables a program hidden in an image file to execute on a victim's system. Microsoft has called this vulnerability "critical" and urges every Windows or Office user to get the patch from its Office Update and Windows Update Web sites.

Windows XP, Windows Server 2003 and Office XP are vulnerable. Older versions of Windows are also at risk if the user has installed any of a dozen other Microsoft applications that use the same flawed code, the company said in its advisory. The newly-released Windows XP Service Pack 2 does not contain the hole, but vulnerable versions of Office running on it can still be exploited if left unpatched.

The severity of the flaw had some security experts worried that a virus exploiting the issue may be on the way. "The potential is very high for an attack," said Craig Schmugar, virus research manager for security software company McAfee. "But that said, we haven't seen any proof-of-concept code yet." Such code illustrates how to abuse flaws and generally appears soon after a software maker publishes a patch for one of its products.

The JPEG bug highlights a growing number of vulnerabilities in code that displays image files. Mozilla developers last month patched the open-source browser against a critical hole discovered in a widely-deployed library for processing PNG images. And last July, Microsoft simultaneously fixed two image display holes in Internet Explorer: one that made users potentially vulnerable to maliciously-crafted BMP images, the second to corrupt GIF files. The GIF bug had been publicly disclosed 11 months earlier.

© 2006 PC Flank Ltd. All rights reserved.