Tool to exploit MS vulnerability is discovered

A tool has been created to simplify exploits against a recently announced vulnerability in the way Microsoft software handles JPEG images.

The tool described by iDefense Inc. of Reston, Va., as JPGDown.A, creates a malicious JPEG file that could compromise computers with the MS04-028 vulnerability, which was announced on Sept. 14.

'JPGDown.A significantly increases the likelihood of wide-spread MS04-028 attacks,' said Ken Dunham, iDefense director of malicious code. 'It is likely that Trojans and possibly worms will soon emerge in the wild now that such a tool and exploit code exists in the virus writing underground.'

The vulnerability is a buffer overrun in the processing of JPEG image formats that could let remote code be executed on a compromised machine. The vulnerability affects a wide range of Microsoft products, but does not affect Windows XP upgraded with Service Pack 2.

Additional information about the vulnerability, with links for downloading updates to correct it, is available here.

JPGDown.A has an executable program that creates a JPEG file of about 4,098 bytes that contains malicious code. The code is customized with a URL from which additional code can be downloaded to the exploited computer.

If the malicious file is executed on a vulnerable machine, it will initiate the download of the remote file from the attacker. Depending on the nature of the remote file, it could give the attacker control over the compromised computer.

Because so many programs are affected by the vulnerability, protecting systems against such an exploit could prove difficult, Dunham said.

'As seen with the SQL situation related to Slammer a couple of years ago, system administrators may be surprised to find that some of their computers on a patched network are still vulnerable,' he said.

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above