Critical security flaw in JPEG image processing in Microsoft products
Microsoft has announced a buffer overrun in JPEG processing in GDI+ that could allow code execution -- this affects a lot of software including Internet Explorer and Outlook (two apps in which a lot of JPEG images get loaded automatically).
This sounds like serious stuff to me and I fear a rash of exploits will show up in the near future.
http://news.com.com/Major+graphics+flaw+threatens+Windows+PCs/2100-1002_3-5366314.html?tag=html.alert :
Microsoft published on Tuesday a patch for a major security flaw in its software's handling of the JPEG graphics format and urged customers to use a new tool to locate the many applications that are vulnerable.
http://www.microsoft.com/security/bulletins/200409_jpeg.mspx (emphasis mine):
The GDI+ security update for September 2004 addresses newly discovered issues in JPEG processing technology. This issue affects software that supports this image format, including some versions of Microsoft Windows, Microsoft Office, and Microsoft developer tools. If you have any of the listed software installed on your computer, you should install the related update.
Depending on the software you are using, you may need to install multiple updates from multiple locations.
Important Windows XP Service Pack 2 (SP2) is not affected by this issue. Windows XP SP2 users only need to update Office (if installed).
The TechNet bulletin on affected software with links to updates is at http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx.
Affected software:
Windows XP
Windows XP Service Pack 1 (SP1)
Windows Server 2003
Internet Explorer 6 SP1
Office XP SP3
Note Office XP SP3 includes Word 2002, Excel 2002, Outlook 2002, PowerPoint 2002, FrontPage 2002, and Publisher 2002.
Office 2003
Note Office 2003 includes Word 2003, Excel 2003, Outlook 2003, PowerPoint 2003, FrontPage 2003, Publisher 2003, InfoPath 2003, and OneNote 2003.
Digital Image Pro 7.0
Digital Image Pro 9
Digital Image Suite 9
Greetings 2002
Picture It! 2002 (all versions)
Picture It! 7.0 (all versions)
Picture It! 9 (all versions, including Picture It! Library)
Producer for PowerPoint (all versions)
Project 2002 SP1 (all versions)
Project 2003 (all versions)
Visio 2002 SP2 (all versions)
Visio 2003 (all versions)
Visual Studio .NET 2002
Note Visual Studio .NET 2002 includes Visual Basic .NET Standard 2002, Visual C# .NET Standard 2002, and Visual C++ .NET Standard 2002.
Visual Studio .NET 2003
Note Visual Studio .NET 2003 includes Visual Basic .NET Standard 2003, Visual C# .NET Standard 2003, Visual C++ .NET Standard 2003, and Visual J# .NET Standard 2003.
.NET Framework 1.0 SP2
.NET Framework 1.0 SDK SP2
.NET Framework 1.1
Platform SDK Redistributable: GDI+