The Internet security community is preparing for a working virus or worm attack based on the Microsoft JPEG exploit revealed last week. Several samples of working exploit code have been published on security web sites and mailing lists, and antivirus vendors have quickly updated their products to defend against the attacks.
The critical security hole allows a remote attacker to create a JPEG image that, when viewed in Microsoft software programs, could allow the hacker to gain control of the computer. The flaw was revealed by Microsoft Sept. 14, along with a security update that addresses it. Code that partially exploits the flaw was published last week, and has been rapidly developed into code that could be used in a virus or worm.
The latest exploit, published this morning on the Full Disclosure mailing list, claims to be able to create an administrator-level account on Windows machines. Another published exploit reported by AusCERT allows the excution of code on the remote machine.
Security vendors are racing to stay a step ahead of hackers, who are also seeing the published code. "The first PoC (proof-of-concept) released some days ago is already detected by some AV vendors," said the Internet Storm Center, which said software from Symantec, Trend Micro, Kaspersky and McAfee already detects the malformed jpeg headers. The ISC has also released software that will scan systems for the vulnerability, which could be lurking in non-Microsoft programs as well.
The challenge is not only updating software to defend against the JPEG flaw, but getting those updates onto vulnerable machines. Since the security hole affects the Microsoft Office suite and most versions of the Internet Explorer browser, an enormous number of computers will need to receive multiple updates from Microsoft and antivirus vendors.
The JPEG standard (short for Joint Photographic Experts Group) is one of the primary graphic formats used in web sites, along with GIF and PNG.