Microsoft Graphics Bug Threatens Systems

UPDATED: Experts worry that this new JPEG bug can be exploited through an HTML e-mail, allowing the attacker to run any code allowed under the user's permissions. "Very serious," says one, pointing to the chance of copy-cat attacks.

Microsoft Corp. on Tuesday offered patches for two serious vulnerabilities in its products. One of the security breaches—taking advantage of the action from a tweaked image file—compromises a wide range of Microsoft products, including server and client operating systems as well as applications such as e-mail. However, this "Patch Tuesday," following the August release of Windows XP SP2 (Service Pack 2), appeared to sidestep concerns over whether Microsoft will provide different patches for XP SP1 and XP SP2 installations. The patches released on Tuesday addressed issues with SP1 and other Microsoft applications. The more serious of the two vulnerabilities allows a specially malformed JPEG graphic file—when viewed in any of a large number of Microsoft products—to compromise the system, allowing execution of any attack code. The second also allows remote code execution through a bug in the Word Perfect file converter. Microsoft said both bugs were reported privately to the company and had not been revealed until the release of the patch. The JPEG bug, an error in the GDI+ Type Library, has the potential for widespread damage, as it can be delivered through an HTML e-mail. Once an exploit of the problem runs on a system, it can run any code allowed under the user's permissions. The advisory for the JPEG bug lists Windows XP; Windows Server 2003; Office XP and 2003; numerous versions of Microsoft Project; Visio and Visual Studio.NET; and many other consumer and professional products affected by the issue, including: The Microsoft .NET Framework version 1.0 Microsoft Picture It 2002 (all versions) Microsoft Greetings 2002 Microsoft Picture It! version 7.0 (all versions) Microsoft Digital Image Pro version 7.0 Microsoft Picture It! version 9 (all versions, including Picture It! library) Microsoft Digital Image Pro version 9 Microsoft Digital Image Suite version 9 Microsoft Producer for Microsoft Office PowerPoint (all versions) Microsoft Platform SDK Redistributable Windows XP SP2 (Service Pack 2) is not affected, but many SP2 users will need to acquire patches for vulnerable applications they use. By default, Windows 98, ME, NT and 2000 are not vulnerable, but any of the vulnerable applications would be vulnerable when running on them. Security experts considered the new graphics vulnerability a real threat. Russ Cooper, senior scientist at TruSecure Corp., of Herndon, Va., and editor of the NTBugtraq security mailing list, said he was distressed at the potential for this vulnerability to spread through HTML e-mail. He compared it with the so-called Good Times Virus, a hoax perpetrated a decade ago about a virus users could get simply by reading an e-mail. However, in the case of the JPEG bug, the vulnerability is all too real. Cooper also wondered "why XP SP2 contained a revised GDIPLUS.dll [the vulnerable graphics component], which wasn't vulnerable, yet earlier versions waited a month to get theirs." Microsoft was unavailable for comment. Craig Schmugar, virus research manager at McAfee Avert, called the problem "potentially very serious" due to its ability to run arbitrary code. He noted that McAfee Inc. has seen no proof-of-concept code for either vulnerability announced Tuesday. But he added, "Often, the release of the patch itself leads to exploits, as attackers reverse-engineer the patch code in order to learn what it's fixing. Hopefully, it won't come to that." Due to performance considerations, anti-virus products typically don't scan nonexecutable files such as JPEGs, so Schmugar said an IDS (intrusion-detection system) or IPS (intrusion-prevention system) such as McAfee Intercept—which look for behavior such as buffer overflows in a generic manner—offer a better solution. This Windows JPEG flaw is the latest in a string of vulnerabilities relating to graphics formats and image-handling libraries in multiple operating systems and browser platforms. In August, a security researcher uncovered multiple vulnerabilities in libpng, the PNG (Portable Networks Graphic) library. The flaw required an update to a number of open-source projects, including browsers and image-rendering engines such as Ghostscript. Microsoft in late July also released an out-of-order security bulletin to cover two vulnerabilities relating to Internet Explorer's handling of BMP and GIF image files. The flaw could be used for a denial-of-service attack as well as to execute arbitrary code, the Redmond, Wash. Software maker said at the time. According to Microsoft's advisory on Tuesday, the bug in the Word Perfect converter version 5.x, also a buffer overflow, requires the attacker to construct a special file and persuade the user to run the Word Perfect converter on the file. Once the user does this, attack code within the file could perform any action permitted to the user. If the user were logged on as an administrator, for example, the attack would have full system privileges. Because the user would need to be persuaded to read the file into the program, Microsoft called the problem "important" rather than critical. The Word Perfect converter is a component of Microsoft Office 2000; Office XP (2002); Office 2003; and Works Suites 2001, 2002, 2003 and 2004. Links to the appropriate patches for this bug may be found on the advisory page.