Windows Security Exploit: Jpeg of Death

Yesterday, I came across a very interesting article posted by p2pnet.net which details a recent exploit in MS Windows, called "jpeg of death.c v.05".

In summary: on September 17th, 2004, a proof-of-concept exploit was discovered that could potentially execute malicious code on the victim's computer when viewing a JPG file image file using Internet Explorer; at the time, however, the exploit only crashed Internet Explorer. On September 24th, a new variant of the exploit appeared, responsible for running potentially malicious code if an infected .jpeg file was downloaded from the Internet and viewed locally (I.E.: browsed offline at a later time). (Source: f-secure.com)

The article, originally posted from p2pnet.net, is as follows:

RE: Jpeg Of Death.c v0.5

You knew it was coming. And now it's here -- the latest evil spurred by the latest Microsoft security hole. It's called the JpegOfDeath.c v0.5, but jpg isn't all it threatens.

"[...] for the people out there who think you can only be affected through viewing or downloading a jpeg [image] attachment... you're dead wrong," says K-OTIC's John Bissell. "All the attacker has to do is simply change image extension from .jpg to .bmp or .tif or whatever and stupid Windows will still treat the file as a JPEG :-p..."

On September 15, Microsoft issued a red alert warning of a 'critical' security flaw in its jpg processing technology that centers on software supporting the JPEG (.jpg) format, including some versions of Microsoft Windows, Microsoft Office, and Microsoft developer tools.

After that, it was only a question of time.

On September 17, "A proof-of-concept exploit which executes code on the victim's computer when opening a JPG file has been posted to a public website,' said F-Secure. 'That exploit was only crashing Internet Explorer."

"On September 24th there appeared a constructor that could produce JPG files with the MS04-028 exploit. This time the exploit executed a code that could download and run a file from Internet. However, the JPG file with the exploit has to be previewed locally for the exploit to get activated, viewing a JPG file from a remote host does not activate the exploit."

"We are expecting that more exploit techniques will be created by hacker groups. And there is a chance that someone will create a universal exploit that would work when viewing an image locally and on a remote host."

... Bissell says it's an exploit, "based on FoToZ exploit but kicks the exploit up a notch by making it have reverse 'connectback' as well as bind features that will work with all NT based OS's. WinNT, WinXP, Win2K, Win2003, etc... "

Nor, it seems, do victims have to click a link to be nailed.

"For instance," says Bissell, "you send them the image with a 1,1 width, height and then they can't see it in Outlook Express, so [the user is like], 'man this image has a cool name, so I'll try to open the attachment,' then ..."

Given the nature of its host, the JpegOfDeath.c v0.5 could be one of - if not THE - worst virus yet. Thanks, Microsoft. Again. " (Source: p2pnet.net)

Affected software includes: Windows XP, Windows XP Service Pack 1 (SP1), Windows Server 2003, Internet Explorer 6 SP1, Office XP SP3 (Note Office XP SP3 includes Word 2002, Excel 2002, Outlook 2002, PowerPoint 2002, FrontPage 2002, and Publisher 2002), and many more.

For a full list of affected software and to obtain the patch, visit the Microsoft web site.

http://www.microsoft.com/security/bulletins/200409_jpeg.mspx