Critical flaw paves way for JPG exploit

By , About.com Guide

Sep 15 2004
On September 14, 2004, Microsoft released details and patches for a newly discovered vulnerability involving JPG files, widely used for photographs and online images. The exploit can be engineered from a malicious website or via email.

The vulnerability revolves around a buffer overrun condition that occurs when processing deliberately malformed JPG files. A successful exploit would allow the attacker full control of the system, operating with the full privileges of the user currently logged in.

A similar overflow condition was reported in Netscape and Mozilla browsers in the year 2000, impacting Netscape versions prior to Netscape 4.74 and Mozilla M16. The Netscape/Mozilla exploit only allowed assembly code to be executed in the context of the web browser, and the results were unpredictable.

In May 2004, a Windows 2000 SP 1 source code leak and an integer overflow condition in Internet Explorer v5 and v5.5 paved the way for Trojaned bitmap (BMP) image files. Like the Netscape/Mozilla bug, the BMP exploit involved older and limited versions of software.

The Perrun virus, discovered in 2002, was actually the first known virus to infect JPG files. However, like the two examples above, it was also doomed to failure. In the case of Perrun it was due to certain dependencies on other applications and files that made its 'success' as a virus unlikely.

Conversely, the newly reported JPG handling vulnerability appears to be relatively easy to exploit and it impacts a wide range of software. Though by default only Windows XP, Windows XP Service Pack 1, and Windows Server 2003 contain the vulnerable component, Windows 98, Windows 98 SE, Windows Me, Windows NT 4.0, and Windows 2000 will be affected if the user has installed any of the other impacted software, including versions of Microsoft Office and a wide range of other Microsoft software. Further, the flawed component may be installed by non-Microsoft software that was developed using certain Microsoft products. In this latter instance, it is possible that even a fully patched system may be impacted.

To determine whether there are vulnerable third-party applications involved, search the system for the flawed GDIPlus.dll file. Any instance of it in a specific program directory, rather than in the Windows system directory, implies that it came from a third-party application. In such cases, after patching both the vulnerable Microsoft operating system and any vulnerable Microsoft applications, contact the specific third-party vendor for a patch for their product.
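The search described above, as an added PowerShell example that is not part of the original article: it lists every copy of GDIPlus.dll on the system drive with its file version and flags copies outside the Windows directory as third-party installs. The version shown for each copy is meant to be compared against the fixed versions listed in MS04-028; the script assumes it is run with enough privilege to read all program directories.

```powershell
# Added example: enumerate copies of GDIPlus.dll and separate Windows-owned
# copies (patched via Windows Update) from copies shipped by third-party software.
$winDir = $env:SystemRoot          # e.g. C:\WINDOWS; covers system32 and WinSxS
$root   = "$env:SystemDrive\"      # search the whole system drive

Get-ChildItem -Path $root -Filter 'gdiplus.dll' -Recurse -Force -ErrorAction SilentlyContinue |
  ForEach-Object {
    # A copy under the Windows directory belongs to the OS (or its side-by-side store);
    # anything else was installed by an application and needs that vendor's update.
    $inWindows = $_.FullName.StartsWith($winDir, [System.StringComparison]::OrdinalIgnoreCase)
    [pscustomobject]@{
      Path        = $_.FullName
      FileVersion = $_.VersionInfo.FileVersion   # compare with the MS04-028 bulletin
      LastWrite   = $_.LastWriteTime
      Origin      = if ($inWindows) { 'Windows component' } else { 'Third-party application' }
    }
  } |
  Sort-Object Origin, Path |
  Format-Table -AutoSize
```

Copies reported as third-party remain exposed even after the Microsoft patches are applied, so each one should be traced to its parent application and that vendor's fix installed.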

See MS04-028 for details and patch availability.


©2009 About.com, a part of The New York Times Company.

All rights reserved.