News

Problem with the Way Microsoft Opens JPEG Files Affects Dozens of Products

A remote attacker could take complete control over computers running many versions of Microsoft software by inserting malicious code in a JPEG image that executes through an unchecked buffer when the image is processed, Microsoft acknowledged on Tuesday.

Microsoft released a patch for the critical security vulnerability involving JPEG during its monthly "Patch Tuesday" event. It was one of two security bulletins posted on Tuesday. Microsoft rated the other problem, affecting Office 2003, "important".

The JPEG flaw arises from a Microsoft component responsible for processing JPEG images. It is a critical problem for Windows XP, Windows XP with Service Pack 1, Windows Server 2003, Internet Explorer 6 with Service Pack 1, Outlook 2002, Outlook 2003, the .NET Framework 1.0 with Service Pack 2 and the .NET Framework 1.1. It qualifies as an important security problem for dozens of other Microsoft products.

The vulnerable component, called the JPEG Parsing component, is part of Windows XP up through SP1 and Windows Server 2003, but was not included in earlier versions of Windows. Several of the other affected Microsoft programs also use the component. Detecting whether the component a system is using to open JPEG files comes from the operating system or one of the other affected applications is tricky. Microsoft released a tool called the GDI+ Detection tool to help customers scan their systems for versions of the component.

Microsoft says the component used in Windows XP Service Pack 2, the security overhaul of Windows XP that was released last month, is not vulnerable to the problem.

According to Microsoft's bulletin about the JPEG problem, the vulnerability was reported by someone outside the company. However, Microsoft maintains it has seen no evidence that the vulnerability was exploited in the wild before the patch came out.

The bulletin for the JPEG component vulnerability is available here. A Knowledge Base article about the GDI+ Detection tool can be found here.

The other security bulletin released on Tuesday involved a problem with the Microsoft WordPerfect 5.x converter. That bulletin is available here.

The security bulletins are Microsoft's 27th and 28th of 2004.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Office Mobile Apps To End as Microsoft Highlights New Office App

    Microsoft plans to end support for Windows 10 Mobile applications on Jan. 12, 2021, according to a Friday announcement.

  • Is Microsoft Finally Reinventing Office?

    Microsoft is testing out a new technology called "Fluid Framework." It could mean that Brien's dream of one Office app to rule them all might soon become reality.

  • Azure Active Directory Connect Preview Adds Support for Disconnected AD Forests

    Microsoft on Thursday announced a preview of a new "Cloud Provisioning" feature for the Azure Active Directory Connect service that promises to bring together scattered Active Directory "forests."

  • Microsoft Defender ATP Gets macOS Investigation Support

    The endpoint and detection response (EDR) feature in Microsoft Defender Advanced Threat Protection (ATP) has reached the "general availability" stage for macOS devices.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.