Graphics Files Pose Threat
Sep. 20, 2004
Critical updates for a vulnerability in how Windows processes JPEG graphics files were the focus of Microsoft's September 2004 security posting. The vulnerability could allow an attacker to take control of a computer with the rights of the logged-on user when a maliciously crafted JPEG file is opened; the attack is especially damaging if that user has administrative privileges. JPEG-formatted graphics are common on the Web, in e-mail, and in Word documents. The vulnerability is also unusually difficult to detect and repair, because the vulnerable component can be installed in different places, under different names, by many applications.

Problem with GDI+ Component

The vulnerability is present on any system with certain versions of the Windows Graphics Device Interface Plus (GDI+) component, which is used when processing JPEG images. The vulnerable versions of GDI+ are installed by default on Windows Server 2003 and on all versions of Windows XP other than Service Pack (SP) 2. They are also installed by Internet Explorer 6.0 SP1, Office XP and 2003, Visual Studio .NET 2002, and many other Microsoft and third-party applications. As of this posting there are no known exploits of this vulnerability, but an attacker needs only to lure a user into opening a seemingly harmless image with a Web browser, with Outlook (even in the preview pane), or with any application that depends on the vulnerable GDI+ component. Once the image is opened, the vulnerability allows code embedded in the JPEG file to execute in the security context of the logged-on user.

Hard to Detect, Hard to Fix

This vulnerability is more insidious than most because GDI+ components can be installed from many different sources, not just by installing or upgrading Windows. Furthermore, the components can be embedded in other files, so their presence cannot be identified simply by looking for a specific file name and version.
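The article describes the crafted JPEG only as "seemingly harmless". The check below is an added example, not code from the article or from Microsoft: it walks the marker segments of a JPEG file and reports any segment whose 16-bit length field is smaller than the two bytes the field itself occupies. The JPEG format defines the length as including those two bytes, so a value of 0 or 1 cannot occur in a well-formed file; the article does not say so, but a comment (COM, 0xFFFE) segment with such a length is the malformed input behind the buffer overrun that bulletin MS04-028 (linked under Resources) describes. The sample files written to the temp directory are constructed here for the demonstration and are not real images.

```powershell
# Added example, not from the article. Walks the marker segments of a JPEG and
# reports any segment whose 16-bit length field is below 2. The JPEG length
# field counts its own two bytes, so 0 or 1 cannot occur in a well-formed file;
# a COM segment built that way is the malformed input MS04-028 is about.
function Test-JpegSegments {
    param([Parameter(Mandatory = $true)][string] $Path)

    $b = [System.IO.File]::ReadAllBytes($Path)
    $findings = @()
    if ($b.Length -lt 4 -or $b[0] -ne 0xFF -or $b[1] -ne 0xD8) {
        return @('not a JPEG: missing SOI marker')
    }
    $i = 2
    while ($i + 1 -lt $b.Length) {
        if ($b[$i] -ne 0xFF) { $findings += ('expected a marker at offset {0}' -f $i); break }
        while ($i + 1 -lt $b.Length -and $b[$i + 1] -eq 0xFF) { $i++ }   # 0xFF fill bytes before a marker
        $m = $b[$i + 1]
        $i += 2
        if ($m -eq 0xD9) { break }                                         # EOI: done
        if ($m -eq 0x01 -or ($m -ge 0xD0 -and $m -le 0xD8)) { continue }   # TEM, RSTn, SOI carry no length
        if ($i + 1 -ge $b.Length) { $findings += 'file ends before a length field'; break }
        $len = $b[$i] * 256 + $b[$i + 1]                                   # big-endian, includes itself
        if ($len -lt 2) {
            $findings += ('marker 0xFF{0:X2} at offset {1} has length {2}, below the minimum of 2' -f $m, ($i - 2), $len)
            break
        }
        if ($i + $len -gt $b.Length) {
            $findings += ('marker 0xFF{0:X2} at offset {1} declares {2} bytes but the file ends first' -f $m, ($i - 2), $len)
            break
        }
        $i += $len
        if ($m -eq 0xDA) {
            # SOS: skip the entropy-coded data. Inside it, 0xFF is followed by 0x00
            # (byte stuffing) or by an RSTn marker; anything else is the next real marker.
            while ($i + 1 -lt $b.Length) {
                $n = $b[$i + 1]
                if ($b[$i] -eq 0xFF -and $n -ne 0x00 -and -not ($n -ge 0xD0 -and $n -le 0xD7)) { break }
                $i++
            }
        }
    }
    return $findings
}

# Constructed samples, not real images: a minimal JPEG skeleton carrying a
# two-byte comment, and the same skeleton with the COM length field set to 0.
$good = [byte[]](0xFF,0xD8, 0xFF,0xFE,0x00,0x04,0x41,0x42, 0xFF,0xD9)
$bad  = [byte[]](0xFF,0xD8, 0xFF,0xFE,0x00,0x00,0x41,0x42, 0xFF,0xD9)
$dir = [System.IO.Path]::GetTempPath()
$samples = @{ 'good.jpg' = $good; 'bad.jpg' = $bad }
foreach ($name in $samples.Keys) {
    $p = Join-Path $dir $name
    [System.IO.File]::WriteAllBytes($p, $samples[$name])
    $r = @(Test-JpegSegments -Path $p)
    if ($r.Count -eq 0) { "${name}: no malformed segments" }
    else { "${name}:"; $r | ForEach-Object { '    ' + $_ } }
}
```

The check is structural only: it flags files no conforming encoder would produce, which is what a mail gateway or file-share sweep can act on without knowing the patch state of every client, but it says nothing about the decoder on the receiving end, so it complements rather than replaces patching the GDI+ copies themselves.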
Although Windows installs these components in its system directory, applications can install them in their own directories. This means they must be fixed everywhere they have been installed, or a system the user believes is patched may in fact still be vulnerable. Because the vulnerable GDI+ component is included with Visual Studio .NET 2002, some application developers have redistributed it with their own applications, so the vulnerability extends beyond Microsoft software.

These characteristics make detection and repair harder because the current version of Windows Update can patch only Windows vulnerabilities and was not designed to search for vulnerabilities in applications, and Office Update cannot find vulnerabilities in non-Office applications, including all non-Microsoft applications. Microsoft has made a GDI+ detection tool available for download that, when run with administrative privilege on a suspect computer, scans the entire system for vulnerable GDI+ components. However, if it discovers any problems, it simply points users to the Windows Update and Office Update sites and does not report what specific problems it found. The scanning tools in Systems Management Server (SMS) can detect vulnerable Windows and Office installations but still miss GDI+ components installed by other applications.

The only way to positively fix a vulnerable system is to scan the computer for the vulnerable GDI+ components, determine which application installed each one by checking system and application versions against the list in Microsoft's vulnerability bulletin, and then install the corresponding patch for each instance. This can create major problems for IT organizations that lack centralized inventory and software distribution tools such as SMS, which help determine which patches are needed and get them installed on the proper systems.
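The inventory step described above, scanning a computer for every copy of the GDI+ component and working out which application put it there, is shown below as an added example. It is not the article's procedure and not Microsoft's GDI+ Detection Tool; unlike that tool it reports what it found. It looks for the component by its file name, gdiplus.dll, so, as the article notes, copies statically linked into other executables are not found this way. The patched version number passed as -FixedVersion is an example value and must be confirmed against the file-information tables in MS04-028 for each affected product before the Vulnerable flag is trusted.

```powershell
# Added example; not from the article and not Microsoft's GDI+ Detection Tool.
# Lists every gdiplus.dll under the given roots with its file version, product
# name and hash, and flags copies older than $FixedVersion. The caller supplies
# $FixedVersion from the file-information tables in MS04-028.
function Get-GdiPlusInventory {
    param(
        [string[]] $Roots = @('C:\'),
        [Parameter(Mandatory = $true)][version] $FixedVersion
    )
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Filter 'gdiplus.dll' -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Use the numeric parts: the FileVersion string may carry a build tag
            # after the number, which [version] cannot parse.
            $ver = New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
            [pscustomobject]@{
                Path       = $_.FullName
                Version    = $ver
                Product    = $vi.ProductName
                SHA256     = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
                Vulnerable = ($ver -lt $FixedVersion)
            }
        }
    }
}

# Example run over the Windows and Program Files trees. The version below is an
# example value for Windows XP; confirm it for each product against MS04-028.
$inventory = Get-GdiPlusInventory -Roots @('C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') `
                                  -FixedVersion ([version]'5.1.3102.1360')
$inventory | Sort-Object Vulnerable -Descending | Format-Table Path, Version, Product, Vulnerable -AutoSize

# Group the flagged copies by hash: each distinct binary is listed once, with
# the directories it lives in, which is what identifies the installing application.
$inventory | Where-Object { $_.Vulnerable } | Group-Object SHA256 | ForEach-Object {
    '{0} copy/copies of version {1} (sha256 {2}...):' -f $_.Count, $_.Group[0].Version, $_.Name.Substring(0, 12)
    $_.Group | ForEach-Object { '    ' + $_.Path }
}
```

The directory of each flagged copy is the lead for the second step in the article: a copy under an application's own folder is replaced by that vendor's update, not by Windows Update, and the hash lets the same binary be recognised wherever it was redistributed. Run the script with administrative rights so that it can read every directory.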
Resources

The September 2004 Security Update for JPEG Processing (GDI+) bulletin is available at www.microsoft.com/security/bulletins/200409_jpeg.mspx, and greater technical detail is located at www.microsoft.com/technet/security/bulletin/MS04-028.mspx. The GDI+ Detection Tool is available at support.microsoft.com/default.aspx?scid=kb;EN-US;873374.

Also posted was a fix for a newly discovered issue in the Microsoft WordPerfect 5.x converter, a component present in various versions of FrontPage, Office, Publisher, and Works. Rated "important," the bulletin and patch can be found at www.microsoft.com/technet/security/bulletin/ms04-027.mspx.