MS Releases Fix For Graphics Flaw

Microsoft officials have announced two patches as part of its monthly releases for September — one rated critical, one important.

The critical flaw that Microsoft announced today addresses a remote code execution vulnerability when users open a JPEG image on an infected machine. When the PC processes the image, the malware causes a buffer overrun that overwrites program code and replaces it with its own, potentially giving the intruder administrative control of the computer.

Security officials note the only way for the vulnerability to execute is for users to open the image file. This naturally extends to users who visit a site with the doctored image; clicking on the link to such a site automatically downloads and processes the image.

Windows XP, XP Service Pack 1 and Windows Server 2003 are the only operating systems vulnerable to the attack by default, though Windows 98/98 SE/ME/NT 4.0/2000 can host the vulnerability that will subsequently affect specific software programs. A short list of affected software includes: IE 6, Service Pack 1, .NET Framework versions 1.0 and 1.1, Office 2002/2003, Visual Studio .NET 2002/2003, Picture It! and Digital Image Pro, the Microsoft Platform SDK.

A complete list of affected software and update downloads is available here

The patches come days after reported that Microsoft gives premium customers advance notice about its security bulletins before it publicly releases the information.

The second patch addresses a remote code executable vulnerability, which targets Microsoft
Office, FrontPage, Publisher and Works Suite users who convert WordPerfect
5.0 code. Users with administrative privileges who visit a
Web site with the malware can inadvertently hand complete control over to an intruder, but only if the user performs several actions; visiting the site itself won’t compromise a user’s machine. The only way for the vulnerability to be exploited via e-mail is if the user opened the attachment accompanying the e-mail.

The exploit does not work on WordPerfect 6.x documents or Office 2003 users who’ve downloaded and installed Service Pack 1. A complete list of affected programs and the fix can be found here.

As previously reported, the two patches released Tuesday do not address the highly critical “drag-and-drop” flaw that was found in Internet Explorer (IE) last month.

Microsoft will host a free Web cast Wednesday to discuss the technical details of the September security bulletins. More information is available here.

News Around the Web