JPEG Images Now A Vulnerability Risk

In what amounts to incredibly bad news for anyone using the Internet on a Windows machine, Microsoft has announced that the ubiquitous JPEG file format can now be exploited to allow complete access to your system to any hacker who figures out how to take advantage of this vulnerability.

Up until now, JPEG was one of the few common file types that had always been considered "safe" for emailing and viewing on Web pages.

However, as the MS security bulletin says: "Any program that processes JPEG images on the affected systems could be vulnerable to this attack." As this is pretty much every Windows machine, this appears to be one of the greatest risks yet discovered.

While under "Mitigating Factors" Microsoft attempts to downplay this risk by claiming that "The vulnerability could only be exploited by an attacker who persuaded a user to open a specially crafted file" or that "an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability."

Given that millions of emails are sent and viewed daily that either contain JPEG images, have them as attachments or include links to sites that contain them, the risk is appears to be quite huge.

The only good news is that no one has "yet" exploited this vulnerability. The bad news is that because this was just announced, you can be assured that countless hackers are working diligently as I type. Because history has taught us that hackers are more dedicated at exploiting flaws than end-users are at patching their systems, there's serious trouble on the way.

To make matters worse, patching your system to address this issue is not as simple as with most previous vulnerabilities. Instead, it is a multi-part process, and this is quite likely to result in an even lower "patch-rate" than with most other security issues.

For the tech-inclined, the directions follow. However, if you're intimidated by the process, then either call a local computer repair facility, or for faster service (and likely less expensive, too) try "Your Tech Online" which should be able to address and correct this issue in less than 30 minutes. "Your Tech Online" is also currently running a subscription bonus (offering 10 extra minutes) at: http://www.yourtechonline.com/bonus

Whichever route you go, simply inform the tech that you want to update your computer to protect against the "JPEG Vulnerability - CAN-2004-0200."

More importantly, address this issue soon as it will definitely be exploited in the near future. Whether that means tomorrow, the day after or in a month is yet to be seen.

Directions for Updating Your System:

If you want to read all of the specific details for the JPEG vulnerability, then visit: http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx

Otherwise, to simply get on with the patching, directions can be found at: http://www.microsoft.com/security/bulletins/200409_jpeg_tool.mspx

On this page you will actually be lead you through multiple steps, beginning with using the http://www.windowsupdate.com site to download the "GDI+ Detection Tool (KB873374)" which will then verify your vulnerability and lead you to yet another site.

This second site is specific to Microsoft Office and is located at: http://office.microsoft.com/officeupdate/maincatalog.aspx?lc=en-us

Completing the tasks on this page is a 5 step process for finding and installing updates to Microsoft Office. Doing so will require that you have your Office CD available, otherwise you will not be able to update your system.

At this point, you may find that you cannot always install everything that needs to be updated at once. This was the case in my situation and this requires that you need to keep rescanning, downloading and installing after each patch is applied until the site can find no more patches to apply for updating your system.

While this entire process is a significant inconvenience, involving multiple downloads and repetitive processes, the use of JPEG image files is so universal inside of emails, attached to emails and on Web sites that you simply cannot expect to continue operating without addressing this vulnerability. To do so will almost certainly result in some very unpleasant consequences.

Again, if you are not comfortable with following these processes yourself, hire a local professional or try "Your Tech Online" and their bonus offer at http://www.yourtechonline.com/bonus

--

Copyrighted with all rights reserved by Stephen M. Canale