JPEG Exploit Attempt Sent to Newsgroups
28th September, 2004
Security groups are split on whether the image succeeds in its attempt, but most agree that the incident is a precursor to a more ambitious exploit with improved code. Others maintain that fears of a "JPEG of Death" wreaking havoc on the Internet are overdone, even as reports emerge that the vulnerability in Microsoft's Graphic Device Interface (GDI) is showing up in numerous non-Microsoft applications.
The malicious JPEG was sent to several Usenet newsgroups that post pornographic images. Some security researchers say early tests show the exploit crashes Windows XP machines when it is opened, but stops short of compromising computers. But maintainers of EasyNews, a web-based interface for reading Usenet, say the image installs a trojan. "Once this JPEG overflowed GDI+, it phoned home, connected to an ftp site and downloaded almost 2 megs of stuff," according to a message from EasyNews. "It installs a trojan that installs itself as a service."
Security groups had predicted that working malware exploiting the MS04-028 flaw was inevitable after proof-of-concept code was published on mailing lists last week. The speed with which the exploit code has been improved is raising concern that a more ambitious exploit is near. "Unfortunately, I have a nasty feeling we'll see a new massmailer worm using JPG image as the attachment," wrote Mikko Hypponen of F-Secure.
The flaw is worrisome because it affects a wide range of Microsoft software, including the Microsoft Office suite and most versions of the Internet Explorer browser, which regularly handles JPEG images housed on web sites. The JPEG standard (short for Joint Photographic Experts Group) is one of the primary graphic formats in use on the Web and in office applications.
"We suspect that a working exploit is very close to widespread availability," the Internet Storm Center noted in its analysis. "If your software redistributes Microsoft DLLs that are vulnerable to the MS04-028 flaw, your software may be vulnerable to attack as well."