HomeSecurity

MS Releases Fix For Graphics Flaw

Jim Wagner
By Jim Wagner

Microsoft officials have announced two patches as part of its monthly releases for September — one rated critical, one important.

The critical flaw that Microsoft announced today addresses a remote code execution vulnerability when users open a JPEG image on an infected machine. When the PC processes the image, the malware causes a buffer overrun that overwrites program code and replaces it with its own, potentially giving the intruder administrative control of the computer.

Security officials note the only way for the vulnerability to execute is for users to open the image file. This naturally extends to users who visit a site with the doctored image; clicking on the link to such a site automatically downloads and processes the image.

Windows XP, XP Service Pack 1 and Windows Server 2003 are the only operating systems vulnerable to the attack by default, though Windows 98/98 SE/ME/NT 4.0/2000 can host the vulnerability that will subsequently affect specific software programs. A short list of affected software includes: IE 6, Service Pack 1, .NET Framework versions 1.0 and 1.1, Office 2002/2003, Visual Studio .NET 2002/2003, Picture It! and Digital Image Pro, the Microsoft Platform SDK.

A complete list of affected software and update downloads is available here
.

The patches come days after internetnews.com reported that Microsoft gives premium customers advance notice about its security bulletins before it publicly releases the information.

The second patch addresses a remote code executable vulnerability, which targets Microsoft
Office, FrontPage, Publisher and Works Suite users who convert WordPerfect
5.0 code. Users with administrative privileges who visit a
Web site with the malware can inadvertently hand complete control over to an intruder, but only if the user performs several actions; visiting the site itself won’t compromise a user’s machine. The only way for the vulnerability to be exploited via e-mail is if the user opened the attachment accompanying the e-mail.

The exploit does not work on WordPerfect 6.x documents or Office 2003 users who’ve downloaded and installed Service Pack 1. A complete list of affected programs and the fix can be found here.

As previously reported, the two patches released Tuesday do not address the highly critical “drag-and-drop” flaw that was found in Internet Explorer (IE) last month.

Microsoft will host a free Web cast Wednesday to discuss the technical details of the September security bulletins. More information is available here.

Jim Wagner
Jim Wagner
Previous article
How Much Hollywood For Comcast?
Next article
Domain Name Registry Spots Country Trend

Similar Posts

Get the Free Newsletter!

Subscribe to our newsletter.

Subscribe to Daily Tech Insider for top news, trends & analysis

News Around the Web

InternetNews is a source of industry news and intelligence for IT professionals from all branches of the technology world. InternetNews focuses on helping professionals grow their knowledge base and authority in their field with the top news and trends in Software, IT Management, Networking & Communications, and Small Business.

Advertisers

Advertise with TechnologyAdvice on InternetNews and our other IT-focused platforms.

Advertise with Us

Menu

Our Brands

Property of TechnologyAdvice.
© 2021 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.