Tag Archives: Code

Image flaw exposes Windows PCs

Microsoft has issued a warning about a critical vulnerability in Windows that could let carefully crafted pictures act as bearers of malicious code.

The flaw was found in the code that the operating system and other Windows programs use to display images prepared in the popular Jpeg format.

The vulnerability has been found in more than a dozen Microsoft programs.

Millions affected

At risk programs include Office XP 2003, Office 2003, Windows Server 2003, Internet Explorer 6 plus some versions of Digital Image Pro and Picture It.

The software giant urged all users who are at risk to download and install a patch for the vulnerability.

Microsoft has also produced a tool that helps users find out if they are running software that contains the vulnerable computer code.

It said that the flaw could only be exploited if users are tricked into opening an image crafted to exploit the vulnerability.

Anyone falling victim to the loophole could have their computer taken over by an attacker.

Microsoft said that it had no evidence that the Jpeg loophole was being actively exploited.

However, because Internet Explorer is one of the programs vulnerable it is theoretically possible that someone could fall victim to a virus written to exploit the flaw just by visiting a website that used such carefully crafted images.

Any image written to exploit the flaw could prove successful because before now people have fallen victims to e-mail viruses when they clicked on attachments that claimed to be a picture.

The flaw in the way that Windows handles the popular Jpeg file format is called a buffer over-run.

Many old viruses have used buffer over-runs to get malicious code on to target machines.

The advisory about the Jpeg flaw is the 28th advisory that Microsoft has issued this year. Often these advisories detail several vulnerabilities. One advisory issued in April mentioned more than 20 separate loopholes in Windows XP.

Microsoft said that anyone who has downloaded and installed the SP2 update for Windows XP is not at risk from this vulnerability.

However, anti-virus firm Sophos said those that have installed SP2 should not be complacent.

“If you are running applications on XP SP 2 which do have the flaw you could be putting your computer at risk,” said Graham Cluley from anti-virus firm Sophos.

Mr Cluley urged users in such a situation to download and apply the patch.

Link