Problem with the Way Microsoft Opens JPEG Files Affects Dozens of Products

A remote attacker could take complete control over computers running many versions of Microsoft software by inserting malicious code in a JPEG image that executes through an unchecked buffer when the image is processed, Microsoft acknowledged on Tuesday.

Microsoft released a patch for the critical security vulnerability involving JPEG during its monthly "Patch Tuesday" event. It was one of two security bulletins posted on Tuesday. Microsoft rated the other problem, affecting Office 2003, "important".

The JPEG flaw arises from a Microsoft component responsible for processing JPEG images. It is a critical problem for Windows XP, Windows XP with Service Pack 1, Windows Server 2003, Internet Explorer 6 with Service Pack 1, Outlook 2002, Outlook 2003, the .NET Framework 1.0 with Service Pack 2 and the .NET Framework 1.1. It qualifies as an important security problem for dozens of other Microsoft products.

The vulnerable component, called the JPEG Parsing component, is part of Windows XP up through SP1 and Windows Server 2003, but was not included in earlier versions of Windows. Several of the other affected Microsoft programs also use the component. It is tricky to determine whether the component a system uses to open JPEG files comes from the operating system or from one of the other affected applications. Microsoft released a tool called the GDI+ Detection tool to help customers scan their systems for versions of the component.

Microsoft says the component used in Windows XP Service Pack 2, the security overhaul of Windows XP that was released last month, is not vulnerable to the problem.

According to Microsoft's bulletin about the JPEG problem, the vulnerability was reported by someone outside the company. However, Microsoft maintains it has seen no evidence that the vulnerability was exploited in the wild before the patch came out.

The bulletin for the JPEG component vulnerability is available here. A Knowledge Base article about the GDI+ Detection tool can be found here.

The other security bulletin released on Tuesday involved a problem with the Microsoft WordPerfect 5.x converter. That bulletin is available here.

The security bulletins are Microsoft's 27th and 28th of 2004.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

