Problem with the Way Microsoft Opens JPEG Files Affects Dozens of Products

A remote attacker could take complete control over computers running many versions of Microsoft software by inserting malicious code in a JPEG image that executes through an unchecked buffer when the image is processed, Microsoft acknowledged on Tuesday.
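The flaw described above is an unchecked buffer in a JPEG parser: the image carries length fields that the decoder trusts without checking them against the data it actually has. The following C program is an added illustration of the bounds checks such a parser needs; it is not Microsoft's code and does not reproduce the GDI+ component. It walks the marker segments of a JPEG header and rejects any segment whose declared length is smaller than the two bytes of the length field itself (subtracting 2 from it would underflow) or extends past the end of the buffer. The sample byte arrays are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status codes for the segment walk. */
enum jpeg_status { JPEG_OK = 0, JPEG_BAD_SOI, JPEG_TRUNCATED, JPEG_BAD_LENGTH };

/* Walk the marker segments of a JPEG header and count them (including EOI).
 * Every declared segment length is validated against the bytes actually
 * present before it is used to advance the cursor. */
enum jpeg_status jpeg_walk_segments(const uint8_t *buf, size_t len, size_t *count)
{
    size_t pos, n = 0;

    if (len < 2 || buf[0] != 0xFF || buf[1] != 0xD8)
        return JPEG_BAD_SOI;                 /* must begin with SOI (FF D8) */
    pos = 2;

    while (pos + 2 <= len) {
        uint8_t marker;
        size_t seglen;

        if (buf[pos] != 0xFF)
            return JPEG_TRUNCATED;           /* marker prefix expected */
        marker = buf[pos + 1];
        pos += 2;

        /* Stand-alone markers (TEM, RSTn) carry no length field. */
        if (marker == 0x01 || (marker >= 0xD0 && marker <= 0xD7)) {
            n++;
            continue;
        }
        if (marker == 0xD9) {                /* EOI: header is complete */
            *count = n + 1;
            return JPEG_OK;
        }
        if (pos + 2 > len)
            return JPEG_TRUNCATED;           /* length field itself is missing */

        seglen = ((size_t)buf[pos] << 8) | buf[pos + 1];

        /* The length field counts its own two bytes, so a value below 2 is
         * malformed; "seglen - 2" on such a value would underflow. */
        if (seglen < 2)
            return JPEG_BAD_LENGTH;
        /* The declared segment must lie entirely inside the buffer. */
        if (seglen > len - pos)
            return JPEG_BAD_LENGTH;

        n++;
        if (marker == 0xDA) {                /* SOS: entropy-coded data follows */
            *count = n;
            return JPEG_OK;
        }
        pos += seglen;
    }
    return JPEG_TRUNCATED;
}

/* Convenience wrapper: segment count on success, negated status on failure. */
int jpeg_count_segments(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    enum jpeg_status st = jpeg_walk_segments(buf, len, &n);
    return st == JPEG_OK ? (int)n : -(int)st;
}

/* Constructed samples: a well-formed header with one COM segment, one whose
 * COM length field is 1 (underflow case), and one whose COM length claims
 * 4096 bytes that are not there (overrun case). */
const uint8_t SAMPLE_GOOD[]      = {0xFF,0xD8, 0xFF,0xFE,0x00,0x05,'a','b','c', 0xFF,0xD9};
const uint8_t SAMPLE_UNDERFLOW[] = {0xFF,0xD8, 0xFF,0xFE,0x00,0x01};
const uint8_t SAMPLE_OVERSIZED[] = {0xFF,0xD8, 0xFF,0xFE,0x10,0x00,'x'};

int main(void)
{
    printf("good:      %d\n", jpeg_count_segments(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("underflow: %d\n", jpeg_count_segments(SAMPLE_UNDERFLOW, sizeof SAMPLE_UNDERFLOW));
    printf("oversized: %d\n", jpeg_count_segments(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED));
    return 0;
}
```

The two length checks are the whole point: a decoder that copies `seglen - 2` bytes from `buf + pos` without them will read or write past its buffer on the malformed inputs, which is the class of defect the bulletin describes.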

Microsoft released a patch for the critical security vulnerability involving JPEG during its monthly "Patch Tuesday" event. It was one of two security bulletins posted on Tuesday. Microsoft rated the other problem, affecting Office 2003, "important".

The JPEG flaw arises from a Microsoft component responsible for processing JPEG images. It is a critical problem for Windows XP, Windows XP with Service Pack 1, Windows Server 2003, Internet Explorer 6 with Service Pack 1, Outlook 2002, Outlook 2003, the .NET Framework 1.0 with Service Pack 2 and the .NET Framework 1.1. It qualifies as an important security problem for dozens of other Microsoft products.

The vulnerable component, called the JPEG Parsing component, is part of Windows XP up through SP1 and Windows Server 2003, but was not included in earlier versions of Windows. Several of the other affected Microsoft programs also use the component. Because an application can ship its own copy, it is tricky to tell whether the copy a system uses to open JPEG files comes from the operating system or from one of the other affected applications. Microsoft released a tool called the GDI+ Detection tool to help customers scan their systems for versions of the component.

Microsoft says the component used in Windows XP Service Pack 2, the security overhaul of Windows XP that was released last month, is not vulnerable to the problem.

According to Microsoft's bulletin about the JPEG problem, the vulnerability was reported by someone outside the company. However, Microsoft maintains it has seen no evidence that the vulnerability was exploited in the wild before the patch came out.

The bulletin for the JPEG component vulnerability is available here. A Knowledge Base article about the GDI+ Detection tool can be found here.

The other security bulletin released on Tuesday involved a problem with the Microsoft WordPerfect 5.x converter. That bulletin is available here.

The security bulletins are Microsoft's 27th and 28th of 2004.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
