Computer Question: Major graphics flaw threatens Windows PCs

Michael Michigan · 09-14-2004, 09:09 PM

Okay guys---WTF does this one mean?

I use Mozilla Firefox for my browser and use outlook (not express) for my e-mail. And I also use word.

I do use IE for certain applications.

I have not installed WXP service pack 2.

What do I do?

http://news.zdnet.com/2100-1009_22-5366314.html

Microsoft published on Tuesday a patch for a major security flaw in its software's handling of the JPEG graphics format and urged customers to use a new tool to locate the many applications that are vulnerable.

The critical flaw has to do with how Microsoft's operating systems and other software process the widely used JPEG image format and could let attackers create an image file that would run a malicious program on a victim's computer as soon as the file is viewed. Because the software giant's Internet Explorer browser is vulnerable, Windows users could fall prey to an attack just by visiting a Web site that has affected images.

The severity of the flaw had some security experts worried that a virus that exploits the issue may be on the way.

"The potential is very high for an attack," said Craig Schmugar, virus research manager for security software company McAfee. "But that said, we haven't seen any proof-of-concept code yet." Such code illustrates how to abuse flaws and generally appears soon after a software maker publishes a patch for one of its products.

The flaw affects various versions of at least a dozen Microsoft software applications and operating systems, including Windows XP, Windows Server 2003, Office XP, Office 2003, Internet Explorer 6 Service Pack 1, Project, Visio, Picture It and Digital Image Pro. The software giant has a full list of affected applications in the advisory on its Web site. Windows XP Service Pack 2, which is still being distributed to many customers' computers, is not vulnerable to the flaw.

"The challenge is that (the flawed function) ships with a variety of products," said Stephen Toulouse, security program manager for Microsoft's incident response center.

Because so many applications are affected, Microsoft had to create a separate tool to help customers update their computers. Users of Windows Update will also be directed to the software giant's Office Update tool and then to the tool that will find and update imaging and development applications. The tools are a preview of what may come from the company in the future, Toulouse said.

"We know one of the most important things that we hear from customers is to make the software update process easier," he said. "A goal of a unified update mechanism is what we are looking at."

Out of necessity, Linux distributions have already developed such unified update software, which not only updates the core operating system but also other applications created by the open-source community. The majority of Windows applications, however, are created by companies other than Microsoft, making such a unified update system more politically difficult to create.

The JPEG processing flaw enables a program hidden in an image file to execute on a victim's system. The flaw is unrelated to another image vulnerability found in early August. That vulnerability, in a common code library designed to support the Portable Network Graphics, or PNG, format, affected applications running on Linux, Windows and Apple's Mac OS X. Both the JPEG, which stands for Joint Photographic Experts Group, and PNG formats are commonly used by Web sites.

As part of a notification program that has been in place since April 2004, any customer that had signed a nondisclosure agreement with Microsoft received a three-day advance warning about the JPEG flaw.

"Some customers wanted to get more information, for planning purposes," Toulouse said, responding to media reports that premium customers were getting advanced notice of security issues. He directed interested customers to their Microsoft sales representative to get more information on the program. The information given to participants in the program is limited to the number of flaws, the applications affected and the maximum threat level assigned to the flaws.

The JPEG image-processing vulnerability is the latest flaw from Microsoft and the source of the company's 28th advisory this year. Microsoft frequently includes multiple issues in a single advisory; four advisories in April, for example, contained more than 20 vulnerabilities.

A second patch released by Microsoft on Tuesday fixes a flaw in the WordPerfect file converter in Microsoft Office, Publisher, Word and Works. That flaw is rated "important," Microsoft's second-highest threat level, just below "critical." The vulnerability would let an attacker take control of the victim's PC, if that user opened a malicious WordPerfect document.

More information on the second flaw can be found in the advisory on Microsoft's Web site. The software giant recommends that customers use Office Update to download the fix.

MavKC · 09-15-2004, 05:23 AM

Well I dunno if this will ever be seen, but for what it's worth...

What it means if you are running Windows XP with only Service Pack 1, you will need to hit windows update and have it get the fix for you.

Also if you are running Office XP then you will need to hit the Office XP update page.

If you go ahead and get Windows XP Service Pack 2, then this will fix the flaw. Even with Serivce Pack 2 you will probably still need to hit the Office XP update site to update it.

Here's the link in the article to the Microsoft page that has all the info. It tells you want you need to do.

http://www.microsoft.com/security/bu...0409_jpeg.mspx

Hope that helps...

unlurking · 09-15-2004, 07:09 AM

Means you could embed malicious code "inside" a picture that would be executed when viewed.

2bikemike · 09-15-2004, 07:13 AM

All this technical talk. Just make my damn system safe you greedy bastards.

**morphius** · 09-15-2004, 07:24 AM

Quote:

Originally Posted by 2bikemike

All this technical talk. Just make my damn system safe you greedy bastards.

If you unplug from the internet you should be just fine

Sarcasmo
telling it fairly straight.

KCFalcon59 · 09-15-2004, 07:29 AM

Quote:

Originally Posted by morphius

If you unplug from the internet you should be just fine

Sarcasmo
telling it fairly straight.

Away...away negative thoughts.

KCTitus · 09-15-2004, 07:32 AM

Well this is just awesome...I cannot run SP2 because I have an AMD64 processor.

There better be a separate fix for this w/o having to run SP2.

**morphius** · 09-15-2004, 07:39 AM

Quote:

Originally Posted by KCTitus

Well this is just awesome...I cannot run SP2 because I have an AMD64 processor.

There better be a separate fix for this w/o having to run SP2.

That'll learn ya. Trying to use that new technology before MS is ready for ya.

How is the beta of XP64 working out for you?

**Bob Dole** · 09-15-2004, 07:41 AM

Quote:

Originally Posted by KCTitus

Well this is just awesome...I cannot run SP2 because I have an AMD64 processor.

There better be a separate fix for this w/o having to run SP2.

You should be able to get non SP2 fixes via the Windows and Office Update websites.

KCTitus · 09-15-2004, 07:43 AM

Quote:

Originally Posted by morphius

That'll learn ya. Trying to use that new technology before MS is ready for ya.

How is the beta of XP64 working out for you?

Im not running the beta XP64...Im not suicidal.

unlurking · 09-15-2004, 09:21 AM

Quote:

Originally Posted by KCTitus

Im not running the beta XP64...Im not suicidal.

Should be running a Linux 2.6.x kernel to take advantage of that 64 bit architecture!

Otter · 09-15-2004, 09:31 AM

Quote:

Originally Posted by KCTitus

Im not running the beta XP64...Im not suicidal.

The only good thing to be taken out of this is that the boys at MS are evidently addressing these problems at fundelmental level instead of applying a band aid to the applications.

With that in mind and this dancing bannana may I help brighten your day.

Mr. Laz · 09-15-2004, 11:25 AM

Quote:

Originally Posted by Michael Michigan

What do I do?

run windows update ... download patch

Michael Michigan · 09-15-2004, 11:50 AM

Quote:

Originally Posted by MavKC

Well I dunno if this will ever be seen, but for what it's worth...

What it means if you are running Windows XP with only Service Pack 1, you will need to hit windows update and have it get the fix for you.

Also if you are running Office XP then you will need to hit the Office XP update page.

If you go ahead and get Windows XP Service Pack 2, then this will fix the flaw. Even with Serivce Pack 2 you will probably still need to hit the Office XP update site to update it.

Here's the link in the article to the Microsoft page that has all the info. It tells you want you need to do.

http://www.microsoft.com/security/bu...0409_jpeg.mspx

Hope that helps...

Thanks.

SP 2 it is.

I've been holding off--guess now is as good of time as any.

KCWolfman · 09-15-2004, 11:54 AM

And the flux capacitor is running at terarates instead of gigarates causing an entire malignment of the inverse sextantal fields which everyone knows simply makes the contraflow of electramagrons slow to an exponential rate of the 7th power.

Oh sure, I hear you,
That really isn't bad, is it? After all the fragamorphic shielding should revamp the sextantal fields and boost the contraflow back to the rate of the 11th power where it belongs.

But just wait until you actually flush the toilet and you will see what I mean.

09-14-2004, 09:09 PM
Michael Michigan scribe Join Date: Aug 2000 Casino cash: $10004900	Computer Question: Major graphics flaw threatens Windows PCs Okay guys---WTF does this one mean? I use Mozilla Firefox for my browser and use outlook (not express) for my e-mail. And I also use word. I do use IE for certain applications. I have not installed WXP service pack 2. What do I do? http://news.zdnet.com/2100-1009_22-5366314.html Microsoft published on Tuesday a patch for a major security flaw in its software's handling of the JPEG graphics format and urged customers to use a new tool to locate the many applications that are vulnerable. The critical flaw has to do with how Microsoft's operating systems and other software process the widely used JPEG image format and could let attackers create an image file that would run a malicious program on a victim's computer as soon as the file is viewed. Because the software giant's Internet Explorer browser is vulnerable, Windows users could fall prey to an attack just by visiting a Web site that has affected images. The severity of the flaw had some security experts worried that a virus that exploits the issue may be on the way. "The potential is very high for an attack," said Craig Schmugar, virus research manager for security software company McAfee. "But that said, we haven't seen any proof-of-concept code yet." Such code illustrates how to abuse flaws and generally appears soon after a software maker publishes a patch for one of its products. The flaw affects various versions of at least a dozen Microsoft software applications and operating systems, including Windows XP, Windows Server 2003, Office XP, Office 2003, Internet Explorer 6 Service Pack 1, Project, Visio, Picture It and Digital Image Pro. The software giant has a full list of affected applications in the advisory on its Web site. Windows XP Service Pack 2, which is still being distributed to many customers' computers, is not vulnerable to the flaw. "The challenge is that (the flawed function) ships with a variety of products," said Stephen Toulouse, security program manager for Microsoft's incident response center. Because so many applications are affected, Microsoft had to create a separate tool to help customers update their computers. Users of Windows Update will also be directed to the software giant's Office Update tool and then to the tool that will find and update imaging and development applications. The tools are a preview of what may come from the company in the future, Toulouse said. "We know one of the most important things that we hear from customers is to make the software update process easier," he said. "A goal of a unified update mechanism is what we are looking at." Out of necessity, Linux distributions have already developed such unified update software, which not only updates the core operating system but also other applications created by the open-source community. The majority of Windows applications, however, are created by companies other than Microsoft, making such a unified update system more politically difficult to create. The JPEG processing flaw enables a program hidden in an image file to execute on a victim's system. The flaw is unrelated to another image vulnerability found in early August. That vulnerability, in a common code library designed to support the Portable Network Graphics, or PNG, format, affected applications running on Linux, Windows and Apple's Mac OS X. Both the JPEG, which stands for Joint Photographic Experts Group, and PNG formats are commonly used by Web sites. As part of a notification program that has been in place since April 2004, any customer that had signed a nondisclosure agreement with Microsoft received a three-day advance warning about the JPEG flaw. "Some customers wanted to get more information, for planning purposes," Toulouse said, responding to media reports that premium customers were getting advanced notice of security issues. He directed interested customers to their Microsoft sales representative to get more information on the program. The information given to participants in the program is limited to the number of flaws, the applications affected and the maximum threat level assigned to the flaws. The JPEG image-processing vulnerability is the latest flaw from Microsoft and the source of the company's 28th advisory this year. Microsoft frequently includes multiple issues in a single advisory; four advisories in April, for example, contained more than 20 vulnerabilities. A second patch released by Microsoft on Tuesday fixes a flaw in the WordPerfect file converter in Microsoft Office, Publisher, Word and Works. That flaw is rated "important," Microsoft's second-highest threat level, just below "critical." The vulnerability would let an attacker take control of the victim's PC, if that user opened a malicious WordPerfect document. More information on the second flaw can be found in the advisory on Microsoft's Web site. The software giant recommends that customers use Office Update to download the fix.
Posts: 2,762

09-15-2004, 05:23 AM	#2
MavKC Starter Join Date: Sep 2003 Location: Independence, MO Casino cash: $8226717	Well I dunno if this will ever be seen, but for what it's worth... What it means if you are running Windows XP with only Service Pack 1, you will need to hit windows update and have it get the fix for you. Also if you are running Office XP then you will need to hit the Office XP update page. If you go ahead and get Windows XP Service Pack 2, then this will fix the flaw. Even with Serivce Pack 2 you will probably still need to hit the Office XP update site to update it. Here's the link in the article to the Microsoft page that has all the info. It tells you want you need to do. http://www.microsoft.com/security/bu...0409_jpeg.mspx Hope that helps...
Posts: 107

09-15-2004, 07:09 AM	#3
unlurking MVP Join Date: Aug 2003 Casino cash: $7737309	Means you could embed malicious code "inside" a picture that would be executed when viewed.
Posts: 10,620

09-15-2004, 07:13 AM	#4
2bikemike Born to Ride Join Date: Sep 2002 Location: NWA Casino cash: $2285377	All this technical talk. Just make my damn system safe you greedy bastards.
Posts: 16,304

09-15-2004, 07:32 AM	#7
KCTitus Archivist Join Date: Aug 2000 Location: The Ethernet Casino cash: $9892732	Well this is just awesome...I cannot run SP2 because I have an AMD64 processor. There better be a separate fix for this w/o having to run SP2. __________________ Anything you post on this BB can and will be used against you...
Posts: 26,193

09-15-2004, 11:54 AM	#15
KCWolfman Fall down 7 times, get up 8 Join Date: Aug 2000 Casino cash: $10004900	And the flux capacitor is running at terarates instead of gigarates causing an entire malignment of the inverse sextantal fields which everyone knows simply makes the contraflow of electramagrons slow to an exponential rate of the 7th power. Oh sure, I hear you, That really isn't bad, is it? After all the fragamorphic shielding should revamp the sextantal fields and boost the contraflow back to the rate of the 11th power where it belongs. But just wait until you actually flush the toilet and you will see what I mean. __________________ How strangely will the Tools of a Tyrant pervert the plain Meaning of Words! Samuel Adams
Posts: 15,469