Problem with the Way Microsoft Opens JPEG Files Affects Dozens of Products

A remote attacker could take complete control over computers running many versions of Microsoft software by embedding malicious code in a JPEG image; the code runs through an unchecked buffer when the image is processed, Microsoft acknowledged on Tuesday.

Microsoft released a patch for the critical security vulnerability involving JPEG during its monthly "Patch Tuesday" event. It was one of two security bulletins posted on Tuesday. Microsoft rated the other problem, affecting Office 2003, "important".

The JPEG flaw arises from a Microsoft component responsible for processing JPEG images. It is a critical problem for Windows XP, Windows XP with Service Pack 1, Windows Server 2003, Internet Explorer 6 with Service Pack 1, Outlook 2002, Outlook 2003, the .NET Framework 1.0 with Service Pack 2 and the .NET Framework 1.1. It qualifies as an important security problem for dozens of other Microsoft products.

The vulnerable component, called the JPEG Parsing component, is part of Windows XP up through SP1 and Windows Server 2003, but was not included in earlier versions of Windows. Several of the other affected Microsoft programs also ship their own copy of the component. It is tricky to determine whether the copy a system uses to open JPEG files comes from the operating system or from one of the other affected applications, so Microsoft released a tool called the GDI+ Detection tool to help customers scan their systems for versions of the component.

Microsoft says the component used in Windows XP Service Pack 2, the security overhaul of Windows XP that was released last month, is not vulnerable to the problem.

According to Microsoft's bulletin about the JPEG problem, the vulnerability was reported by someone outside the company. However, Microsoft maintains it has seen no evidence that the vulnerability was exploited in the wild before the patch came out.

The bulletin for the JPEG component vulnerability is available here. A Knowledge Base article about the GDI+ Detection tool can be found here.

The other security bulletin released on Tuesday involved a problem with the Microsoft WordPerfect 5.x converter. That bulletin is available here.

The security bulletins are Microsoft's 27th and 28th of 2004.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
