Not a pretty picture

Microsoft has discovered a new critical security vulnerability that could enable JPEG image files to launch malicious code on a user’s computer.

The security hole could be exploited by hackers or a future internet worm. Microsoft is recommending that customers patch their computers against the security vulnerability immediately.

“JPEG images are commonly used for graphics on websites and digital photographs so this vulnerability is extremely serious,” said Graham Cluley, senior technology consultant for Sophos, the developers of anti-spam and anti-virus software.

According to a report on www.securitytracker.com (http://www.securitytracker.com), a remote user could potentially create a specially crafted JPEG image that, when processed by an affected component, will execute arbitrary code on the target system. The code will run with the privileges of the calling application.

Windows XP, Windows XP Service Pack 1, and Windows Server 2003 are vulnerable by default, but other operating systems may be affected if certain vulnerable components have been installed, such as Microsoft .NET Framework and various third-party applications.

Affected applications include Office XP (Outlook, Word, Excel, PowerPoint, FrontPage, Publisher), Office 2003 (Outlook, Word, Excel, PowerPoint, FrontPage, Publisher, InfoPath, OneNote), Microsoft Project, Microsoft Visio, Microsoft Visual Studio .NET (Visual Basic .NET Standard, Visual C# .NET Standard, Visual C++ .NET Standard, Visual J# .NET Standard), Microsoft .NET Framework, Microsoft Picture It!, Microsoft Greetings, Microsoft Digital Image Pro, Microsoft Digital Image Suite, Microsoft Producer for Microsoft Office PowerPoint, Microsoft Platform SDK Redistributable: GDI+, and Internet Explorer 6.

“The message, however, is not to panic but to calmly patch your computers now before a virus writer or hacker tries to exploit the loophole and attack innocent users’ computers,” added Graham Cluley.

A technical bulletin at http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx describes the latest security problem in detail and includes links to patches supplied by Microsoft.
