Exploits for JPEG vulnerability beginning to crop up

Exploits that take advantage of a vulnerability in the way software handles JPEG images are beginning to crop up, security analysts say.

Some Trojan image files bearing malicious code have been posted to Internet news groups, said Dan Schrader, director of product marketing for FaceTime Inc. of Foster City, Calif.

'You have to go to the news group and look at an image to get infected,' Schrader said.

More threatening is an instant message that contains a link to an infected JPEG file. Clicking on the link downloads the image and can compromise an unprotected computer. FaceTime received a copy of the message from an antivirus researcher.

'I don't know if it's in the wild right now,' he said of the instant message. The number of computers actually infected through the vulnerability probably is small at this point. 'However, this is a very cool vulnerability,' and Trojan horses or worms that effectively spread the malicious code are expected to surface soon.

The vulnerability is a buffer overrun in the processing of JPEG image formats that could let remote code be executed on a compromised machine. The vulnerability affects a wide range of Microsoft products, but does not affect Windows XP upgraded with Service Pack 2.

Additional information about the vulnerability, with links for downloading updates to correct it, is available at http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx.

One of the things that makes the vulnerability attractive to hackers is that a large number of files that could contain the vulnerability could be scattered throughout a computer's hard drive. Microsoft's scanning tool looks for the vulnerability only in places where Microsoft puts those files, but other files could be located elsewhere.

'It's not like Microsoft's Automatic Update takes care of this,' Schrader said.

It took only about a week after the vulnerability was announced and a patch released on Sept. 14 before a tool kit to help hackers implement exploits was released.

Graphics have become a routine part of Internet content and it is not feasible to expect users not to download JPEG images, making it difficult to guard against this threat. Users should be careful about following links to unknown sites. Tools are available to block images being sent with instant messages, another possible route for spreading an infection.

This week could be an attractive time for hackers to exploit this vulnerability, Schrader said. The SANS Network Security Conference is being held in Las Vegas Sept. 28 through Oct. 4, and the Virus Bulletin 2004 conference is being held in Chicago Sept. 29 through Oct. 1.

'Half the security people are off in Chicago or Las Vegas this week,' Schrader said. 'It's the perfect time to release something in the wild.'

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.
