RealTime IT News

Exploits Circulating for JPEG Flaw

Just eight days after Microsoft released a fix for a "critical" flaw in the way JPEG files are processed, researchers have discovered proof-of-concept exploit code that is targeting unpatched machines.

The SANS Internet Storm Center (ISC), which tracks malicious Internet activity, said several exploits taking advantage of the JPEG flaw are circulating and warned that it's only a matter of days before a malicious worm is unleashed.

Microsoft issued the MS04-028 patch for the vulnerability on September 14 and, with the threat of a dangerous worm on the horizon, posted a notice with protection instructions for Windows users.

A Microsoft representative told internetnews.com that the company is aware of the circulating exploit code and is investigating the situation. The company reiterated that customers who have deployed MS04-028 are not at risk from this exploit code.

Microsoft's patches can be downloaded here.

According to the ISC, the exploit code is capable of opening a command prompt on vulnerable machines, paving the way for a large-scale attack soon.

"If we are seeing exploits opening command prompts, something worse is on its way," the center warned, noting that anti-virus vendors are already detecting and blocking malformatted JPEG headers.

Even though the circulating code is simply a proof-of-concept exploit, the ISC said it should serve as a warning that there are individuals and groups trying to build a working exploit.

"Working exploit code is probably going to find its way into the public domain within a few days or a week. Then it's up to the whims of somebody or some group to build and launch a malware attack using the newly developed exploits. The crystal ball says to look for a worm or mass-mailer by the end of September."

The center issued a call for Windows users to apply the appropriate patches from Microsoft.

"Companies should test it and also apply as soon as possible .... Remember that patches are not to be applied only when a new malware is exploiting the vulnerability, so don't wait for it as a reason to apply the patches."

For enterprise IT admins, the ISC reiterated that temporary workarounds in lieu of patches aren't sufficient.

"Our recommendation is to not waste time blocking JPEG file attachments as a mitigation step. It creates a false sense of security as well as an enormous inconvenience to users, help desks and system administrators."

The center said Internet Explorer and other applications will classify a file as an image based on the file extension, using header information to identify the actual image type. Because of this, an attacker can take a malicious JPEG and rename it to ".gif" before sending it as an attachment. This means that a company's filtering system may not correctly identify the file as a JPEG since the extension is ".gif" even though the client will try to render the file as a JPEG.

"Therefore, if you were to try and filter malicious images by file extension, you'd have to filter out all known image extensions," the ISC added.

Microsoft users are reminded that separate patches are needed for this vulnerability, one for Microsoft Windows and one for Microsoft Office.