September 14, 2004 1:24 PM PDT

Major graphics flaw threatens Windows PCs

Microsoft published on Tuesday a patch for a major security flaw in its software's handling of the JPEG graphics format and urged customers to use a new tool to locate the many applications that are vulnerable.

The critical flaw has to do with how Microsoft's operating systems and other software process the widely used JPEG image format and could let attackers create an image file that would run a malicious program on a victim's computer as soon as the file is viewed. Because the software giant's Internet Explorer browser is vulnerable, Windows users could fall prey to an attack just by visiting a Web site that has affected images.

The severity of the flaw had some security experts worried that a virus that exploits the issue may be on the way.

"The potential is very high for an attack," said Craig Schmugar, virus research manager for security software company McAfee. "But that said, we haven't seen any proof-of-concept code yet." Such code illustrates how to abuse flaws and generally appears soon after a software maker publishes a patch for one of its products.

The flaw affects various versions of at least a dozen Microsoft software applications and operating systems, including Windows XP, Windows Server 2003, Office XP, Office 2003, Internet Explorer 6 Service Pack 1, Project, Visio, Picture It and Digital Image Pro. The software giant has a full list of affected applications in the advisory on its Web site. Windows XP Service Pack 2, which is still being distributed to many customers' computers, is not vulnerable to the flaw.

"The challenge is that (the flawed function) ships with a variety of products," said Stephen Toulouse, security program manager for Microsoft's incident response center.

Because so many applications are affected, Microsoft had to create a separate tool to help customers update their computers. Users of Windows Update will also be directed to the software giant's Office Update tool and then to the tool that will find and update imaging and development applications. The tools are a preview of what may come from the company in the future, Toulouse said.

"We know one of the most important things that we hear from customers is to make the software update process easier," he said. "A goal of a unified update mechanism is what we are looking at."

Out of necessity, Linux distributions have already developed such unified update software, which not only updates the core operating system but also other applications created by the open-source community. The majority of Windows applications, however, are created by companies other than Microsoft, making such a unified update system more politically difficult to create.

The JPEG processing flaw enables a program hidden in an image file to execute on a victim's system. The flaw is unrelated to another image vulnerability found in early August. That vulnerability, in a common code library designed to support the Portable Network Graphics, or PNG, format, affected applications running on Linux, Windows and Apple's Mac OS X. Both the JPEG, which stands for Joint Photographic Experts Group, and PNG formats are commonly used by Web sites.

As part of a notification program that has been in place since April 2004, any customer that had signed a nondisclosure agreement with Microsoft received a three-day advance warning about the JPEG flaw.

"Some customers wanted to get more information, for planning purposes," Toulouse said, responding to media reports that premium customers were getting advanced notice of security issues. He directed interested customers to their Microsoft sales representative to get more information on the program. The information given to participants in the program is limited to the number of flaws, the applications affected and the maximum threat level assigned to the flaws.

The JPEG image-processing vulnerability is the latest flaw from Microsoft and the source of the company's 28th advisory this year. Microsoft frequently includes multiple issues in a single advisory; four advisories in April, for example, contained more than 20 vulnerabilities.

A second patch released by Microsoft on Tuesday fixes a flaw in the WordPerfect file converter in Microsoft Office, Publisher, Word and Works. That flaw is rated "important," Microsoft's second-highest threat level, just below "critical." The vulnerability would let an attacker take control of the victim's PC, if that user opened a malicious WordPerfect document.

More information on the second flaw can be found in the advisory on Microsoft's Web site. The software giant recommends that customers use Office Update to download the fix.

21 comments

Join the conversation!
Add your comment
Once again, just install SP2....
And you won't need to worry about it.
Posted by (127 comments )
Reply Link Flag
How convenient...
How convenient for Microsoft that this flaw was suddenly just now "discovered" and that SP2 fixes it.

Its just my personal opinion but I find that the more a company wants me to upgrade when I dont need to the less I want to. At this point SP2 is starting to feel more and more like a gun to the head.
Posted by Fray9 (547 comments )
Link Flag
But
This is fine if you have XP but not any of the previous versions.
Duh!
Posted by wrwjpn (113 comments )
Link Flag
dude, you must be paid by MS
Are you paid by MS my friend?, I think they have an entire staff just to post not so clever comments with each Cnet news that shows how bad MS products are... (and there must be hundreds of people in that team :) ).

I can't imagine a respectable IT professional just saying "yes the software was made very badly, but don't worry, as long as you install a buggy patch when MS decides to create it its OK".

MS patches come veeeeeryyyyy slllllloooooowwwwww, the only reason for that is that the code is so complex that you have to patch on top of other patches..... So even if you configure to patch every 5 minutes, you will still be vurnerable for a month until MS finally ends up with the superpatch.

Greetings from Mexico
Posted by (23 comments )
Link Flag
Once again, just ditch Windows
If I were in this situation, I wouldn't put up with it for another
minute.
Posted by iKenny (98 comments )
Reply Link Flag
You just don't get it, do you?
Windows isn't the problem, it's the people who spend all their time trying to figure out ways to exploit the system.

But hey, go right ahead and "ditch windows" and run off to your precious little linux. The sooner people do that, the sooner that commodity POS OS becomes the favorite target of virus writers.
Posted by (127 comments )
Link Flag
Is there anything these guys don't mess up?
Come on, a vulnerability when viewing JPEG files? This is getting totally rediculous.

M$ can have a big talent in marketing, but they have an even bigger talent in finding ways to put vulnerabilities into stuff that is invulnerable.

Don't get it...
Posted by Steven N (487 comments )
Reply Link Flag
Thankfully. no.
The brains at Redmond are so busy putting direct pressure on
XP's wounds that they have little time for anything else. This is
good, because anything else they promolgated on society might
be just a bad, or maybe worse.

So, look the bright side, Windows fans. If MS released Longhorn
you would have twice as much to complain about.
Posted by (55 comments )
Link Flag
Not really new news
I recall that someone said that this was possible a few years back.

They theorized that it was possible to ACTIVATE a pre-installed program just by openning a JPG file.

However, it didn't theorize the possibility of really poor code that will decode a JPG and run it as a virus.

This one is REALLY bad, even for Microsoft.
Posted by Tex Murphy PI (165 comments )
Reply Link Flag
Yep.
You got that right. It's fascinating how the dates change but the
names stay the same.
Posted by (55 comments )
Link Flag
Anyone else notice CNET keeps this story prominent?
Even though it was posted 20 hours ago, it's third story from the top among much newer news releases.

CNET == BIASED NEWS COMPANY.
Posted by (127 comments )
Reply Link Flag
Maybe it's because...
Most of the people who'll be viewing this site will be using Windows, therefore they'll be vulnerable to the bug. As a news site, it's their duty to get the news to the people that need to see it, and most people need to see this article.
Posted by Not Bugged (195 comments )
Link Flag
Longhorn 64-bit released ahead of schedule
Cnet would have nothing bad to report about Microsoft if there
was nothing bad to report about Windows.

I'm sure that when MS announces the first commercial release of
its new 64-bit OS with WinFS that cnet will be the first to tell the
world the wonderful news that the new and improved OS only
requires 2 GB of RAM and 4 GB of disc space.
Posted by (55 comments )
Link Flag
Hmmm . . . CNET
Morning Dispatch -- Headline Number 1

"1. Flaws threaten Windows, Linux PCs"

*********************************************
Truth in journalism . . . The JPEG flaw threatens all Internet connected XP and higher machines and pretty much everything running IE.

This flaw is going to expose alot of people.

_THIS_IS_BAD!_ Lots-o-Risk!

*********************************************
As well, on another note, SAMBA has a vulnerability. It isn't Linux that has the vulnerability. Although SAMBA is found on alot of Linux servers, it isn't on every Linux box. And, SAMBA is an enterprise server service. If an employee launched a DOS attack at a SAMBA server, they would be dismissed.

This flaw won't expose anyone unless they are stupid enough to run SAMBA on the Internet. And, then, you still can't take over the server . . . just make it unavailable.

_THIS_IS_NOT_SO_BAD!_ Minimal risk . . .

*********************************************
So, CNET has misrepresented/scewed the truth once more. Kinda makes you wonder who signs their checks . . .

One thing is for certain. They will say there is something wrong with Linux every chance they can get.

FYI - I am not a Linux zealot. I use what works. I use what is realiable. And, I use what is secure. Other than that, I don't care what I use as long as I can get my work done.
Posted by 48911984 (10 comments )
Reply Link Flag
Don't make me guess.
What works for you? C'mon, tell us.
Posted by (55 comments )
Link Flag
Complete Waste of Time
Once again, news.com published an article that isn't really news just to get the Linux zealots to beat their drums.

Wow... a flaw in an Operating System that has ALREADY been patched. BEFORE it was EVER exploited. Amazing. So very news worthy.

Keep up the good work, Microsoft.
Posted by David Arbogast (1709 comments )
Reply Link Flag
Probably not patched...
You may have patched it, the other people reading this article may have patched it, but a large amount of people won't have patched it. Many PC users struggle sending e-mail. Many treat a PC as a glorified console. These people won't have patched the OS, and these are the people for whom this article is written.
Posted by Not Bugged (195 comments )
Link Flag
You funny, man!
I do recall the chorus of condemnation from Windows World
when it was announced by Intego that OS X was susceptible to a
Trojan Horse.

Now, Windows users suffer a similar fate, but dismiss the threat.

I get it now!

When OS X is discovered to have a security problem this IS news,
because OS X is inherently more secure. When Windows is
discovered to have a security problem it is NOT news, because,
well, its Windows - what else?
Posted by (55 comments )
Link Flag
What...
What Microsoft can't even get JPG support right now. Just how pathetic are they going to get?

Robert
Posted by (336 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.