Problem with the Way Microsoft Opens JPEG Files Affects Dozens of Products -- Redmond Channel Partner

Problem with the Way Microsoft Opens JPEG Files Affects Dozens of Products

By Scott Bekker
September 14, 2004

A remote attacker could take complete control over computers running many versions of Microsoft software by inserting malicious code in a JPEG image that executes through an unchecked buffer when the image is processed, Microsoft acknowledged on Tuesday.

Microsoft released a patch for the critical security vulnerability involving JPEG during its monthly "Patch Tuesday" event. It was one of two security bulletins posted on Tuesday. Microsoft rated the other problem, affecting Office 2003, "important".

The JPEG flaw arises from a Microsoft component responsible for processing JPEG images. It is a critical problem for Windows XP, Windows XP with Service Pack 1, Windows Server 2003, Internet Explorer 6 with Service Pack 1, Outlook 2002, Outlook 2003, the .NET Framework 1.0 with Service Pack 2 and the .NET Framework 1.1. It qualifies as an important security problem for dozens of other Microsoft products.

The vulnerable component, called the JPEG Parsing component, is part of Windows XP up through SP1 and Windows Server 2003, but was not included in earlier versions of Windows. Several of the other affected Microsoft programs also use the component. Detecting whether the component a system is using to open JPEG files comes from the operating system or one of the other affected applications is tricky. Microsoft released a tool called the GDI+ Detection tool to help customers scan their systems for versions of the component.

Microsoft says the component used in Windows XP Service Pack 2, the security overhaul of Windows XP that was released last month, is not vulnerable to the problem.

According to Microsoft's bulletin about the JPEG problem, the vulnerability was reported by someone outside the company. However, Microsoft maintains it has seen no evidence that the vulnerability was exploited in the wild before the patch came out.

The bulletin for the JPEG component vulnerability is available here. A Knowledge Base article about the GDI+ Detection tool can be found here.

The other security bulletin released on Tuesday involved a problem with the Microsoft WordPerfect 5.x converter. That bulletin is available here.

The security bulletins are Microsoft's 27th and 28th of 2004.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Free Webcast! Learn about Password Management Best Practices

Featured

The 2024 Microsoft Product Roadmap

Everything Microsoft partners and IT pros need to know about major Microsoft product milestones this year.
Microsoft Makes AI Push in London and Japan with Strategic Investments

Looking to further the global reach of its aggressive AI push, Microsoft made a couple of announcements this week focused on overseas initiatives and investments.
Top SMB Threats Include Ransomware and Windows Server 2012: Report

Managed services providers that support SMBs have their hands full this year: The constellation of threats targeting their customer base is more varied and harder to detect than ever.
2024 Microsoft Conference Calendar: For Partners, IT Pros and Developers

Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.

RCP Update

Email Address*Country*

Please type the letters/numbers you see above.

Problem with the Way Microsoft Opens JPEG Files Affects Dozens of Products

Featured

The 2024 Microsoft Product Roadmap

Microsoft Makes AI Push in London and Japan with Strategic Investments

Top SMB Threats Include Ransomware and Windows Server 2012: Report

2024 Microsoft Conference Calendar: For Partners, IT Pros and Developers

Microsoft Broadens Secure Software Development Initiative

2024 Microsoft Conference Calendar: For Partners, IT Pros and Developers

The 2024 Microsoft Product Roadmap

The Most Important Document for Partners To Read Now: CSF 2.0

Microsoft Deepens Partner Program with New Designations, More Perks

Microsoft Broadens Secure Software Development Initiative

2024 Microsoft Conference Calendar: For Partners, IT Pros and Developers

The 2024 Microsoft Product Roadmap

The Most Important Document for Partners To Read Now: CSF 2.0

Microsoft Deepens Partner Program with New Designations, More Perks

Partner Guides

Partner's Guide to the Windows Server 2008 Deadline

Partner's Guide to Office 365 Security Costs

Partner's Guide to UCaaS

Partner's Guide to Starter Workloads in Azure

Partner's Guide to Microsoft's Fiscal Year 2019

FREE WEBCASTS FROM OUR SPONSORS

Coffee Talk: Phishing Awareness Training 101 for Partners

Security Essentials: Empowering MSPs with Datto’s Integrated Solutions

Coffee Talk: Endpoint Security 101: Threats & Strategies SMB Partners Need to Know

Automated Intelligence: Simplifying M365 Governance for MSPs

FREE WHITE PAPERS FROM OUR SPONSORS

A guide to zero trust for MSPs

Microsoft CSP Guide

10 Reasons to Bundle Security with your Managed Services

Battling Business Email Compromise