Graphics Files Pose Threat

Critical updates for a vulnerability in how Windows processes JPEG graphics files were the focus of Microsoft’s Sept. 2004 security posting. The vulnerability could allow an attacker to gain control of a computer under the user’s rights when a maliciously crafted JPEG file is opened; the attack could be especially damaging if the user is logged on with administrative privileges. JPEG-formatted graphics are common on the Web, in e-mail, and in Word documents. This vulnerability is especially difficult to detect and repair, since the file causing the vulnerability can be installed in different places, under different names, by many applications.

Problem with GDI+ Component

The vulnerability is present on any system with certain versions of the Windows Graphics Display Interface Plus (GDI+) component, which is used when processing JPEG images. The vulnerable versions of the GDI+ components are installed by default on Windows Server 2003 and on all versions of Windows XP other than Service Pack (SP) 2. They are also installed by Internet Explorer 6.0 SP1, Office XP and 2003, Visual Studio .NET 2002, and many other Microsoft and third-party applications.