Feeds

Microsoft warns of poisoned picture peril

JPEG of Death

  • alert
  • submit to reddit

Providing a secure and efficient Helpdesk

The old bromide that promises you can't get a computer virus by looking at an image file crumbled a bit further Tuesday when Microsoft announced a critical vulnerability in its software's handling of the ubiquitous JPEG graphics format.

The security hole is a buffer overflow that potentially allows an attacker to craft a special JPEG file that would take control of a victim's machine when the user views it through Internet Explorer, Outlook, Word, and other programs. The poisoned picture could be displayed on a website, sent in email, or circulated on a P2P network.

Windows XP, Windows Server 2003 and Office XP are vulnerable. Older versions of Windows are also at risk if the user has installed any of a dozen other Microsoft applications that use the same flawed code, the company said in its advisory. The newly-released Windows XP Service Pack 2 does not contain the hole, but vulnerable versions of Office running atop it can still be attacked if left unpatched. Patches are available from Microsoft's website.

The company said it's not aware of the hole being publicly exploited in the wild, and has not seen any examples of proof of concept code.

The JPEG bug rounds out a growing menagerie of vulnerabilities in code that displays image files. Mozilla developers last month patched the open-source browser against a critical hole discovered in a widely-deployed library for processing PNG images. And last July, Microsoft simultaneously fixed two image display holes in Internet Explorer: one made users potentially vulnerable to maliciously-crafted BMP images, the second to corrupt GIF files. The GIF bug had been publicly disclosed 11 months earlier.

There was a time when the idea of a malicious image file was absurd enough to be the topic of an April Fools joke. One early and widely-circulated hoax message dating from 1994 warned users of a computer virus infecting the comment field of JPEG files.

"It was someone saying that just looking at a JPEG on your screen can get you a virus," recalls Rob Rosenberg, editor of the debunking site Vmyths.com. "In '94 it was a myth, but in '04 it's the real thing... We've got the JPEG of death now."

Copyright © 2004, SecurityFocus logo

Related story

First JPEG virus not a threat

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
PEAK IPV4? Global IPv6 traffic is growing, DDoS dying, says Akamai
First time the cache network has seen drop in use of 32-bit-wide IP addresses
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.