Exploit for Microsoft JPEG Flaw Is Published

Code that claims to partially exploit a weakness in Microsoft software's handling of image files has been published on the Internet. The critical security hole allows a remote attacker to create a JPEG image that, when viewed in Microsoft software programs, could allow the hacker to gain control of the computer.

The flaw is worrisome because it affects a wide range of Microsoft software, including the Microsoft Office suite and most versions of the Internet Explorer browser, which regularly handles JPEG images housed on web sites. The JPEG standard (short for Joint Photographic Experts Group) is one of the primary graphic formats used in web sites, along with GIF and PNG.

The exploit was posted Thursday to the BugTraq and Full Disclosure mailing lists, which are read by both hackers and security professionals. The exploit doesn't execute code, but will crash unpatched Windows XP computers, which can be a precursor step to remote execution code.

A download counter at GulfTech Research, the site publishing the exploit the site suggests that the code had been downloaded more than 32,000 times as of midday Saturday GMT.

The flaw was revealed by Microsoft Tuesday, along with a security update that addresses it. The announcement triggered alarm among the tech media and some security groups, while others counseled that the fear about the flaw was becoming somewhat overblown.

But the Internet Storm Center warns that the release of proof-of-concept (POC) code suggests a more dangerous exploit is probably in the works. "We have seen this same pattern in the past - a significant vulnerability is announced, followed in a few days by POC code that usually causes a system crash or denial of service condition, followed by a hunt to get a reliable and simple buffer overflow to work using universal stack pointer offsets," the ISC noted. "Once an attack mechanism is perfected, then it's just a matter of hours or days before worm code is launched."

That creates a dilemma for IT staffs, since the extent of the flaw requires the patching of dektop machines running Microsoft software, any of which might be vulnerable to a JPEG exploit while browsing the Web in Internet Explorer or reading an HTML e-mail in Outlook.