Can you imagine the Internet without pictures?
A new flaw in the way Windows, and therefore Internet Explorer, renders JPEG images--one of the most common image formats on the Web--should make you think twice about whether you should display them. At the very least, it should nudge you into considering an alternative Internet browser, such as Firefox
The code to exploit this flaw is now public. Usually, exploit code release is the first step toward a new virus or worm, and as we have seen before, the time from exploit to virus is generally about two to three weeks. In other words, the clock is ticking.
Exploit code release is the first step toward a new virus or worm…In other words, the clock is ticking.
The GDIplus vulnerability, in a nutshell
If you use a Windows operating system older than Windows 2000 or have already updated to Windows XP SP2, you're immune to the flaw. There are many ways to render JPEGs, but the Graphic Device Interface plus DLL, or gdiplus.dll, is enabled only in Windows 2000 and Windows XP. Because gdiplus.dll is vulnerable to a buffer overflow attack, malicious code lurking inside an infected JPEG file could allow new, potentially malicious code to take over the use of your computer (or, at the very least, crash it). Unfortunately, the apps that run in Windows 2000 and XP are also vulnerable.
Microsoft Office is vulnerable Microsoft .Net Framework 1.x
The list of these vulnerable apps is not short and includes:
Picture It Digital Image Pro 7.x and 9.x
Digital Image Suite 9.x
Internet Explorer 6.0
Office 2003 Professional Edition
Office 2003 Small Business Edition,
Office 2003 Standard Edition
Office 2003 Student and Teacher Edition
Outlook 2003 and 2002
Picture It 2002, 7.x, and 9.x
PowerPoint 2002 and PowerPoint 2003
Project 2002 and Project 2003
Visio 2002, Visio 2003
Visual Studio .Net 2002 and 2003
Now, what happens if you patch your system with Windows XP SP2, then load one of the above apps? Believe it or not, the potential exists for that app to overwrite the patched gdiplus.dll with an older, more vulnerable version. You can see what a nightmare this has become already. Thus, Microsoft has posted a free online tool to assess the current vulnerability of your computer.
By refusing to offer separate security enhancements for Internet Explorer, Microsoft is essentially saying that anyone who hasn't yet upgraded to Windows XP won't be protected from future exploits.
What if you don't use Microsoft apps on your Windows computer? Surprisingly, your solution might be even more complicated.
Macromedia products not vulnerable
Some non-Microsoft apps, such as those from Macromedia, also regularly use JPEG files. Turns out, some Macromedia apps do install the vulnerable gdiplus.dll, but they actually use the Microsoft graphics library instead to process JPEGs. That means products such as Macromedia Contribute, Dreamweaver, Fireworks, Flash, Flashpaper, FreeHand, RoboSource Control, and Studio MX are not affected by the GDI flaw. Nonetheless, if you do load any of these apps after you've patched your system, make sure they don't overwrite the patched version of gdiplus.dll. To find out more about software vulnerability to this flaw, see this US-CERT document for more details.
Microsoft: Upgrade to Windows XP or else
In a separate but related development, Microsoft announced that future security enhancements for its Internet Explorer will be available through its Windows XP update service only. By refusing to offer separate security enhancements for Internet Explorer, which is the main vector for any JPEG-related worm or virus, Microsoft is essentially saying that anyone who hasn't yet upgraded to Windows XP won't be protected from future exploits. The average cost to upgrade to Windows XP is about $99; you do the math.
Firefox is a start but not the whole solution
If you've taken my past advice, you've already bailed on Internet Explorer and installed Mozilla Firefox as your default Internet browser. For the most part, you can avoid the JPEG flaw, right? Wrong. Because Microsoft bundles IE deep within Windows, you can't avoid IE by not using it. For example, say you get an HTML e-mail message from someone that includes a JPEG image. If you're using Outlook 2002 or earlier, it calls on IE to render that image. The same is true for Microsoft Word and other Office apps that offer a Web view. Outlook 2003 at least gives you the option of viewing an image or not, but should you choose to view it, Outlook 2003 will still call IE. You can remove Internet Explorer from Windows, but it would take a column twice as long as this to cover all the Registry settings and such you'd need to tweak to do so.
Have you switched to Firefox yet? Why or why not? Talk back to me.