Exploits Circulating for JPEG Flaw

Just eight days after Microsoft released a fix
for a “critical” flaw in the way JPEG files are processed, researchers
have discovered proof-of-concept exploit code that
is targeting unpatched machines.

The SANS Internet Storm Center
(ISC), which tracks malicious Internet activity, said several exploits
taking advantage of the JPEG flaw are circulating and warned that it’s
only a matter of days before a malicious worm is unleashed.

Microsoft issued the MS04-028 patch for the vulnerability on September 14 and, with the threat of
a dangerous worm on the horizon, posted a notice
with protection instructions for Windows users.

A Microsoft representative told internetnews.com that the company is aware of the circulating exploit code and is investigating the situation. The company reiterated that customers who have deployed MS04-028 are not at risk from this exploit code.

Microsoft’s patches can be downloaded here.

According to the ISC, the exploit code is capable of opening a
command prompt on vulnerable machines, paving the way for a large-scale
attack soon.

“If we are seeing exploits opening command prompts,
something worse is on its way,” the center warned, noting that
anti-virus vendors are already detecting and blocking malformatted JPEG
headers.

Even though the circulating code is simply a proof-of-concept
exploit, the ISC said it should serve as a warning that there are
individuals and groups trying to build a working exploit.

“Working exploit code is probably going to find its way into the
public domain within a few days or a week. Then it’s up to the whims of
somebody or some group to build and launch a malware attack using the
newly developed exploits. The crystal ball says to look for a worm or
mass-mailer by the end of September.”

The center issued a call for Windows users to apply the appropriate
patches from Microsoft.

“Companies should test it and also apply as
soon as possible …. Remember that patches are not to be applied only
when a new malware is exploiting the vulnerability, so don’t wait for it
as a reason to apply the patches.”

For enterprise IT admins, the ISC reiterated that temporary
workarounds in lieu of patches aren’t sufficient.

“Our recommendation is to not waste time blocking JPEG file
attachments as a mitigation step. It creates a false sense of security
as well as an enormous inconvenience to users, help desks and system
administrators.”

The center said Internet Explorer and other applications will
classify a file as an image based on the file extension, using header
information to identify the actual image type. Because of this, an
attacker can take a malicious JPEG and rename it to “.gif” before
sending it as an attachment. This means that a company’s filtering
system may not correctly identify the file as a JPEG since the extension
is “.gif” even though the client will try to render the file as a JPEG.

“Therefore, if you were to try and filter malicious images by file
extension, you’d have to filter out all known image extensions,” the ISC
added.

Microsoft users are reminded that separate patches are needed for
this vulnerability, one for Microsoft Windows and one for Microsoft
Office.

Ryan Naraine
Ryan Naraine
Ryan Naraine is an eSecurity Planet, ServerWatch, and eWEEK contributor.

Top Products

Related articles