Major graphics flaw threatens Windows PCs
Microsoft published on Tuesday a patch for a major security flaw in its
software's handling of the JPEG graphics format and urged customers to use a
new tool to locate the many applications that are vulnerable.
The critical flaw has to do with how Microsoft's operating systems and other
software process the widely used JPEG image format and could let attackers
create an image file that would run a malicious program on a victim's
computer as soon as the file is viewed. Because the software giant's
Internet Explorer browser is vulnerable, Windows users could fall prey to an
attack just by visiting a Web site that has affected images.
The severity of the flaw had some security experts worried that a virus that
exploits the issue may be on the way.
"The potential is very high for an attack," said Craig Schmugar, virus
research manager for security software company McAfee. "But that said, we
haven't seen any proof-of-concept code yet." Such code illustrates how to
abuse flaws and generally appears soon after a software maker publishes a
patch for one of its products.
The flaw affects various versions of at least a dozen Microsoft software
applications and operating systems, including Windows XP, Windows Server
2003, Office XP, Office 2003, Internet Explorer 6 Service Pack 1, Project,
Visio, Picture It and Digital Image Pro. The software giant has a full list
of affected applications in the advisory on its Web site. Windows XP Service
Pack 2, which is still being distributed to many customers' computers, is
not vulnerable to the flaw.
"The challenge is that (the flawed function) ships with a variety of
products," said Stephen Toulouse, security program manager for Microsoft's
incident response center.
Because so many applications are affected, Microsoft had to create a
separate tool to help customers update their computers. Users of Windows
Update will also be directed to the software giant's Office Update tool and
then to the tool that will find and update imaging and development
applications. The tools are a preview of what may come from the company in
the future, Toulouse said.
"We know one of the most important things that we hear from customers is to
make the software update process easier," he said. "A goal of a unified
update mechanism is what we are looking at."
Out of necessity, Linux distributions have already developed such unified
update software, which not only updates the core operating system but also
other applications created by the open-source community. The majority of
Windows applications, however, are created by companies other than
Microsoft, making such a unified update system more politically difficult to
create.
The JPEG processing flaw enables a program hidden in an image file to
execute on a victim's system. The flaw is unrelated to another image
vulnerability found in early August. That vulnerability, in a common code
library designed to support the Portable Network Graphics, or PNG, format,
affected applications running on Linux, Windows and Apple's Mac OS X. Both
the JPEG, which stands for Joint Photographic Experts Group, and PNG formats
are commonly used by Web sites.
As part of a notification program that has been in place since April 2004,
any customer that had signed a nondisclosure agreement with Microsoft
received a three-day advance warning about the JPEG flaw.
"Some customers wanted to get more information, for planning purposes,"
Toulouse said, responding to media reports that premium customers were
getting advanced notice of security issues. He directed interested customers
to their Microsoft sales representative to get more information on the
program. The information given to participants in the program is limited to
the number of flaws, the applications affected and the maximum threat level
assigned to the flaws.
The JPEG image-processing vulnerability is the latest flaw from Microsoft
and the source of the company's 28th advisory this year. Microsoft
frequently includes multiple issues in a single advisory; four advisories in
April, for example, contained more than 20 vulnerabilities.
A second patch released by Microsoft on Tuesday fixes a flaw in the
WordPerfect file converter in Microsoft Office, Publisher, Word and Works.
That flaw is rated "important," Microsoft's second-highest threat level,
just below "critical." The vulnerability would let an attacker take control
of the victim's PC, if that user opened a malicious WordPerfect document.
More information on the second flaw can be found in the advisory on
Microsoft's Web site. The software giant recommends that customers use
Office Update to download the fix.
http://news.zdnet.com/2100-1009_22-5366314.html?tag=adnews