New, dangerous Microsoft JPEG exploit code released

IDG News Service - New computer code that exploits a recently disclosed hole in Microsoft Corp.'s Internet Explorer Web browser is circulating on the Internet and could allow remote attackers to take full control of vulnerable Windows machines, according to warnings from antivirus companies and Internet security experts.
Two new "proof of concept" exploit programs first appeared yesterday and were posted to Web sites and Internet newsgroups frequented by security experts. The new code is more dangerous than an exploit for the vulnerability that appeared earlier this week (see story), since it allows malicious hackers to run their own code on vulnerable machines instead of just freezing or crashing Windows systems, according to Johannes Ullrich, chief technology officer at the SANS Institute's Internet Storm Center.
The two new exploits were published yesterday on the security discussion list Full-Disclosure and have also appeared on www.k-otik.com, a French language Web site that specializes in software exploits, Ullrich said.
The exploits take advantage of a flaw in the way Microsoft applications process JPEG image files, a common format for displaying images on the Web. Microsoft designated the flaw a "critical" problem and released a software patch for it, MS04-028, on Sept. 14. A Windows user would have to open a JPEG file that had been modified to trigger the flaw using a wide range of applications, such as the Internet Explorer Web browser or Outlook e-mail client.
The exploits create a JPEG file formatted to trigger an overflow in a common Windows component called Gdiplus.dll, used by Windows, Internet Explorer, Outlook and other applications, Elia Florio, a computer engineer in Rome who created the exploits and posted them to Full-Disclosure, said in an interview with IDG News Service.
The first exploit opens a command shell on a vulnerable Windows system when the rigged JPEG file is opened using Windows Explorer, which is used to browse file directories on Windows systems. While that, in itself, is not damaging, a remote attacker could easily add malicious commands to the script that would run on the affected system, Ullrich said.
The second exploit, published late yesterday, further modifies the attack code to add a new administrator-level account, named simply "X," to affected Windows systems when a JPEG file is opened through Windows Explorer. The account could then be used by the attacker to log into the machine using standard Windows networking features, he said.
In both cases, malicious commands could be executed only by using the permission level of the user running Windows Explorer, he said.
The new exploits could be

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.