Picture Processing Bug Puts Windows At Critical Risk

Security Bulletin MS04-028, dubbed "Buffer Overrun in JPEG Processing," affects Windows XP, Windows XP SP1, and Windows Server 2003, as well as a host of Microsoft applications, most notably those in the Office XP and Office 2003 suites.

The vulnerability, which Microsoft ranked as "Critical," the highest threat level in its four-step system, stems from a flaw in the processing of JPEG images, the ubiquitous format used for digital images. Virtually every digital camera, for instance, produces pictures in .jpg format, while the bulk of Web sites use images in that file format.

"Any time a vulnerability affects so many products, and can be used [by attackers] to do almost anything, it's cause for concern," said Craig Schmugar, a research manager at McAfee. "But we've not seen any proof of concept code for this, much less a working exploit."

The buffer overrun could be exploited by attackers who entice users to a Web site hosting specially-crafted images, or, even more dangerous, who simply send HTML e-mail messages with attached images to users of Outlook 2002 or Outlook Express 6. Other attack avenues include Office documents with embedded .jpg images, or dropping images onto a network share and then getting users to preview the pictures with Windows Explorer.

Although Windows XP SP2 isn't affected by the vulnerability, it's still possible that those who have recently updated Windows are at risk if they have Office or any of the other problematic apps on their PCs.

"Any program that processes JPEG images could be vulnerable to this attack, and any system that uses the affected programs or components could be vulnerable to this attack," said Microsoft in the bulletin posted mid-day Tuesday. "An attacker who successfully exploited this vulnerability could take complete control of an affected system."

An attacker who compromised a system through this flaw could take complete control of it if the user is logged on with administrator privileges. From that point, anything's possible, including deleting data, formatting drives, or creating new user accounts.

Part of the problem with this vulnerability is its scope: it affects not just some of Microsoft's newest operating systems, but also a large number of its flagship applications, including Internet Explorer 6 SP1, Word, FrontPage, Excel, Outlook, Project, Visio, and Visual Studio .Net 2003. In other words, essentially every Microsoft app released in the last three years that processes .jpg images.

Also contributing to the problem is Microsoft's own bifurcated patch mechanism. Since many users have both a vulnerable OS and applications out of the Office line-up, and since Microsoft has yet to combine the patch processes for its operating systems and its applications, users have to go to two sites -- Windows Update and Office Update -- to obtain the fixes.

"You should install the required security update for each [emphasis ours] of the affected programs or affected components. This may require the installation of multiple security updates," said Microsoft in the bulletin.

To handle the chore, the online bulletin uses a Step 1 and Step 2 organization to walk users through the maze. And for users of pre-Windows XP operating systems, Microsoft has posted an ActiveX tool on the site that will sniff out vulnerable software.

In comparison, the other bulletin, tagged as MS04-028, rated as "Important," only affects users of Office 2000, Office XP, Office 2003, and the last four versions of the entry-level Works suite. Nor is it brand new: this bug is similar to one originally detailed and first patched in September 2003.

This flaw lies within the converter that translates documents in WordPerfect 5.x format into Word, Works, FrontPage, or Publisher formats. If an attacker convinced a user to open a WordPerfect 5.x document, for example, he could trigger a buffer overrun and conceivably grab control of the PC.

Patches for this bug are available from the Office Update Web site.

This story courtesy of TechWeb News