Exploit posted for Microsoft JPEG flaw
It could be a precursor to actual attacks on vulnerable PCs
IDG News Service - Computer code that takes advantage of a flaw in the way many Microsoft Corp. applications process JPEG images has been published on the Internet and could be a precursor to actual attacks on vulnerable PCs, experts said.
The code was published late last week, only days after Microsoft revealed the "critical" vulnerability and made patches available to fix the problem (see story). A wide range of Microsoft software that processes JPEG images, including versions of its Windows and Office products, is vulnerable.
So far, only "proof-of-concept" code that can cause a vulnerable Web browser to crash or a PC to freeze has been published. A fully developed exploit would allow an attacker to take control of a victim's computer by remotely opening a command prompt or downloading and running malicious software, one expert said yesterday.
"Typically, a proof of concept is a first step toward a full-blown exploit," said Johannes Ullrich, chief technology officer at the SANS Institute's Internet Storm Center. "It is an indication that people are playing with it and experimenting to try and get it to work for other purposes, typically to open a remote shell or download and execute code."
Microsoft is aware of the exploit code and is investigating the matter, a company spokeswoman said. "Microsoft's early investigation of this code indicates that it can cause a computer that does not have [the patches] installed to stop responding, but it does not execute code remotely," she said.
Microsoft is urging all customers to immediately install the software updates it made available with Security Bulletin MS04-028. Customers who are still testing the patches should implement the work-around steps outlined in the bulletin, the software maker said.
The pattern to exploitation of the JPEG vulnerability isn't much different from with other vulnerabilities, according to the Internet Storm Center. Typically, proof-of-concept code is published a few days after details of the flaw are released, followed by a hunt to fully exploit the flaw. A worm or mass mailer is likely to surface by the end of the month, according to the organization's Web site.
While the race is on to create malicious code and there seems to be a real possibility for large-scale exploitation of the JPEG processing weakness, Ullrich hopes that won't happen.
"One thing that makes me think that this may not be this big is that these image format vulnerabilities, there are literally dozens of them, and for whatever reason they have not been widely exploited in the past," he said.
To take advantage of the flaw, an attacker would have to persuade auser to open a specially crafted image file. The image could be hosted on a Web site, included in an e-mail or Office document or hosted on a local network, Microsoft said last week. The vendor rates the flaw "important" for many of its products, but "critical" for Outlook versions 2002 and 2003, Internet Explorer 6 with Service Pack 1, Windows XP and Windows XP with Service Pack 1, Windows Server 2003, and the .Net Framework 1.0 with Service Pack 2 and .Net Framework 1.1.
Under Microsoft's rating system for security problems, vulnerabilities that could allow a malicious Internet worm to spread without any action required on the part of the user are rated critical. Issues that do require a user action to spread a worm but could still expose user data or threaten system resources are rated important.
- Top 12 Laptop Bags for Mobile Pros
- Think Deleted Text Messages Are Gone Forever? Think Again
- 7 New Faces of the C-suite
- 5 Ways CIOs Can Rationalize Application Portfolios
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Alert Logic for PCI DSS Compliance To achieve PCI DSS compliance, you must identify and remediate all critical vulnerabilities detected during PCI scans. Threat Manager streamlines this process by...
- Cybersecurity Imperatives Reinvent Your Network Security With Palo Alto Networks The Rise of CyberSecurity
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts