September 14, 2004

View a JPG, get pwned.

US-CERT Cyber Security Alert SA04-258A

Overview: A buffer overflow vulnerability in the Microsoft Windows GDI+ JPEG parsing component could allow a remote attacker to execute arbitrary code on a vulnerable system.

This affects all Windows operating systems XP and above, including some backpatched older OSes. Affected products include Microsoft Office, Visio, Project, Word, Excel, Internet Explorer, and a plethora of third-party applications that use the GDI+ graphic interface (and who doesn't?).

Microsoft has apparently issued a security bulletin with this patch: MS04-028.

Thanks to Barney for the heads-up.

A few years back there was a Zlib vulnerability which led to a similar problem with the PNG file format, but that was because the format was very young at the time and far from broad acceptance. JPG is the mainstay of the web and the format dates back to 1990, AND the format is NOT at fault in this vulnerability. It is Microsoft's very skillfully crafted displaying apparatus.

This is the online analogue of getting E. coli from rubbing alcohol. There is now actually no file format (except perhaps, for a short time, TXT) that can be safely opened on an unpatched Microsoft Windows machine. May this travesty of a corporation BURN IN HELL.

Thank you.

Posted by jesse at September 14, 2004 05:53 PM