ZDNet UK



Windows PCs threatened by JPEG-handling flaw

Robert Lemos, CNET News.com

Published: 15 Sep 2004 09:00 BST


Microsoft published on Tuesday a patch for a major security flaw in its software's handling of the JPEG graphics format and urged customers to use a new tool to locate the many applications that are vulnerable.

The critical flaw has to do with how Microsoft's operating systems and other software process the widely used JPEG image format and could let attackers create an image file that would run a malicious program on a victim's computer as soon as the file is viewed. Because the software giant's Internet Explorer browser is vulnerable, Windows users could fall prey to an attack just by visiting a Web site that has affected images.

The severity of the flaw had some security experts worried that a virus that exploits the issue may be on the way.

"The potential is very high for an attack," said Craig Schmugar, virus research manager for security software company McAfee. "But that said, we haven't seen any proof-of-concept code yet." Such code illustrates how to abuse flaws and generally appears soon after a software maker publishes a patch for one of its products.

The flaw affects various versions of at least a dozen Microsoft software applications and operating systems, including Windows XP, Windows Server 2003, Office XP, Office 2003, Internet Explorer 6 Service Pack 1, Project, Visio, Picture It and Digital Image Pro. The software giant has a full list of affected applications in the advisory on its Web site. Windows XP Service Pack 2, which is still being distributed to many customers' computers, is not vulnerable to the flaw.

"The challenge is that (the flawed function) ships with a variety of products," said Stephen Toulouse, security program manager for Microsoft's incident response center.

Because so many applications are affected, Microsoft had to create a separate tool to help customers update their computers. Users of Windows Update will also be directed to the software giant's Office Update tool and then to the tool that will find and update imaging and development applications. The tools are a preview of what may come from the company in the future, Toulouse said.

"We know one of the most important things that we hear from customers is to make the software update process easier," he said. "A goal of a unified update mechanism is what we are looking at."

Out of necessity, Linux distributions have already developed such unified update software, which not only updates the core operating system but also other applications created by the open-source community. The majority of Windows applications, however, are created by companies other than Microsoft, making such a unified update system more politically difficult to create.
