Major graphics flaw threatens Windows PCs

Paul Brown

http://news.com.com/Major graphics flaw threatens Windows PCs/2100-1002_3-5366314.html

Cripes almighty. Is there not one thing that Microsoft doesn't have
problems with? Viruses in jpeg images?? Come on, it's getting to the
point of retardedness. What's next? Viruses embedded in background
colors. Oh for shame.

Major graphics flaw threatens Windows PCs

Microsoft published on Tuesday a patch for a major security flaw in
its software's handling of the JPEG graphics format and urged
customers to use a new tool to locate the many applications that are
vulnerable.

The critical flaw has to do with how Microsoft's operating systems and
other software process the widely used JPEG image format and could let
attackers create an image file that would run a malicious program on a
victim's computer as soon as the file is viewed. Because the software
giant's Internet Explorer browser is vulnerable, Windows users could
fall prey to an attack just by visiting a Web site that has affected
images.

The severity of the flaw had some security experts worried that a
virus that exploits the issue may be on the way.

"The potential is very high for an attack," said Craig Schmugar, virus
research manager for security software company McAfee. "But that said,
we haven't seen any proof-of-concept code yet." Such code illustrates
how to abuse flaws and generally appears soon after a software maker
publishes a patch for one of its products.

The flaw affects various versions of at least a dozen Microsoft
software applications and operating systems, including Windows XP,
Windows Server 2003, Office XP, Office 2003, Internet Explorer 6
Service Pack 1, Project, Visio, Picture It and Digital Image Pro. The
software giant has a full list of affected applications in the
advisory on its Web site. Windows XP Service Pack 2, which is still
being distributed to many customers' computers, is not vulnerable to
the flaw.

"The challenge is that (the flawed function) ships with a variety of
products," said Stephen Toulouse, security program manager for
Microsoft's incident response center.

Because so many applications are affected, Microsoft had to create a
separate tool to help customers update their computers. Users of
Windows Update will also be directed to the software giant's Office
Update tool and then to the tool that will find and update imaging and
development applications. The tools are a preview of what may come
from the company in the future, Toulouse said.

"We know one of the most important things that we hear from customers
is to make the software update process easier," he said. "A goal of a
unified update mechanism is what we are looking at."

Out of necessity, Linux distributions have already developed such
unified update software, which not only updates the core operating
system but also other applications created by the open-source
community. The majority of Windows applications, however, are created
by companies other than Microsoft, making such a unified update system
more politically difficult to create.

The JPEG processing flaw enables a program hidden in an image file to
execute on a victim's system. The flaw is unrelated to another image
vulnerability found in early August. That vulnerability, in a common
code library designed to support the Portable Network Graphics, or
PNG, format, affected applications running on Linux, Windows and
Apple's Mac OS X. Both the JPEG, which stands for Joint Photographic
Experts Group, and PNG formats are commonly used by Web sites.

As part of a notification program that has been in place since April
2004, any customer that had signed a nondisclosure agreement with
Microsoft received a three-day advance warning about the JPEG flaw.

"Some customers wanted to get more information, for planning
purposes," Toulouse said, responding to media reports that premium
customers were getting advance notice of security issues. He directed
interested customers to their Microsoft sales representative to get
more information on the program. The information given to participants
in the program is limited to the number of flaws, the applications
affected and the maximum threat level assigned to the flaws.

The JPEG image-processing vulnerability is the latest flaw from
Microsoft and the source of the company's 28th advisory this year.
Microsoft frequently includes multiple issues in a single advisory;
four advisories in April, for example, contained more than 20
vulnerabilities.

A second patch released by Microsoft on Tuesday fixes a flaw in the
WordPerfect file converter in Microsoft Office, Publisher, Word and
Works. That flaw is rated "important," Microsoft's second-highest
threat level, just below "critical." The vulnerability would let an
attacker take control of the victim's PC, if that user opened a
malicious WordPerfect document.

More information on the second flaw can be found in the advisory on
Microsoft's Web site. The software giant recommends that customers use
Office Update to download the fix.
Vanguardx

Paul Brown said:
Cripes almighty. Is there not one thing that Microsoft doesn't have
problems with? Viruses in jpeg images?? Come on, it's getting to the
point of retardedness. What's next?


http://news.com.com/Major graphics flaw threatens Windows PCs/2100-1002_3-5366314.html
<snip>

Read http://www.microsoft.com/security/bulletins/200409_jpeg_tool.mspx.
Then note the statement:

"Important Windows XP Service Pack 2 (SP2) is not affected by this
issue. Windows XP SP2 users only need to update Office (if installed)."
John Butler

Vanguard,
Right on!
Out of any public group of complainers about a Microsoft release there are
only 2% who have read the notes.
Jon
Tom

Well, while I feel the OP is being a complainer, this affects Linux, Mac and any users that use imaging software that pertains to the JPEG format. The advantage Linux has is that it is Open Source, and the developers already had a fix, and it fixes the core OS of Linux, plus any apps written to work with it. MS has a big limitation to this because of it being totally proprietary, and they lag behind somewhat in getting a fix out to the public since many apps use imaging components that use JPEG.

Anyway, aside from the OP's beef, I have one for MS concerning this. As the OP apparently DIDN'T read the alert at MS regarding SP2, I found something that really pissed me off. I got an alert via MS email updates regarding this. So when I read what it was about, I updated my Office 2003, since I have SP2 for XP. The problem is, this alert shows up at WU as a critical update that has a 0 byte file size to be downloaded. You'd think after all this stuff we went through for SP2 and the requirement to have WU on, they'd have the freaking system set up to be intuitive enough to at least not show that as needed, since their website alert states it IS NOT needed for anyone with SP2 for XP.
C. A. Upsdell

Paul Brown said:
Cripes almighty. Is there not one thing that Microsoft doesn't have
problems with? Viruses in jpeg images?? Come on, it's getting to the
point of retardedness. What's next?

The update fixes a buffer overflow problem, not a virus problem per se.
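The distinction drawn here between a buffer overflow in the image parser and a "virus in a JPEG" is worth a concrete look. The following is an added example, not code from the article, from Microsoft, or from any poster in this thread: a small JPEG marker walker in Python that treats each segment's 16-bit length field as untrusted (the JPEG standard counts the two length bytes in the length itself, so a value below 2, or one that runs past the end of the file, is malformed). It illustrates the general class of length-trusting parser bug that this kind of flaw belongs to, not the specific internals of the Microsoft flaw, which the thread does not describe.

```python
# Added illustration: a JPEG marker-segment walker that validates every
# length field before using it. A parser that computed `length - 2` or
# copied `length` bytes without these checks would underflow or overrun its
# buffer on a crafted file; this one rejects such input instead.
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: SOI, EOI, TEM, RST0..RST7
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))

def walk_segments(data: bytes):
    """Return [(marker, payload_len)] or raise ValueError on malformed input."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    segments, pos = [(SOI, 0)], 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:              # fill byte: 0xFF padding before a marker
            pos += 1
            continue
        if marker == EOI:
            segments.append((EOI, 0))
            return segments
        if marker in STANDALONE:
            segments.append((marker, 0))
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated length field")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:                  # length includes its own two bytes
            raise ValueError(f"segment 0x{marker:02X}: length {length} < 2")
        if pos + 2 + length > len(data):
            raise ValueError(f"segment 0x{marker:02X}: runs past end of file")
        segments.append((marker, length - 2))   # safe: length >= 2 checked above
        if marker == SOS:
            break                       # entropy-coded data follows; not walked
        pos += 2 + length
    return segments

def is_well_formed(data: bytes) -> bool:
    try:
        walk_segments(data)
        return True
    except ValueError:
        return False

# Constructed sample inputs (not real image files): a COM segment "hello",
# a COM segment whose length underflows, and one whose length overruns the file.
GOOD = b"\xff\xd8" + b"\xff\xfe\x00\x07hello" + b"\xff\xd9"
BAD_UNDERFLOW = b"\xff\xd8" + b"\xff\xfe\x00\x01" + b"\xff\xd9"
BAD_OVERRUN = b"\xff\xd8" + b"\xff\xfe\xff\xff" + b"\xff\xd9"
```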