INDUSTRY ANALYSIS
Will JpegOfDeath Help Slay Microsoft?

It's called the JpegOfDeath, but JPEG isn't all it threatens.

"[F]or the people out there who think you can only be affected through viewing or downloading a JPEG attachment... you're dead wrong," says K-OTIC's John Bissell, also know as HighT1mes. "All the attacker has to do is simply change image extension from .jpg to .bmp or .tif or whatever and stupid Windows will still treat the file as a JPEG."

On September 15 Microsoft issued a red alert warning of a "critical" security flaw in its JPEG processing technology that centers on software supporting the JPEG format, including some versions of Microsoft Windows , Microsoft Office and Microsoft developer tools. After that, it was only a question of time.

The Exploit

According to F-Secure , on September 17 a "proof-of-concept exploit which executes code on the victim's computer when opening a JPG file has been posted to a public website." That exploit was crashing only Internet Explorer.

"On September 24th there appeared a constructor that could produce JPEG files with the MS04-028 exploit," F-Secure continued. "This time the exploit executed a code that could download and run a file from Internet. However, the JPEG file with the exploit has to be previewed locally for the exploit to get activated; viewing a JPEG file from a remote host does not activate the exploit.

"We are expecting that more exploit techniques will be created by hacker groups. And there is a chance that someone will create a universal exploit that would work when viewing an image locally and on a remote host."

K-OTIC describes this as a Windows JPEG GDI+ Heap Overflow Remote Exploit (MS04-028) and says it was released on September 23.

According to Bissell, the exploit is "based on [the] FoToZ exploit but kicks the exploit up a notch by making it have reverse connectback as well as bind features that will work with all NT based OS's. WinNT, WinXP, Win2K, Win2003, etc."

No Clicking Required

Nor, it seems, do victims have to click a link to be nailed.

"For instance," says Bissell, "you send them the image... and then they can't see it in Outlook Express, so there like man this image has a cool name so I'll try to open the attachment, then...."

Given the nature of its host, JpegOfDeath.c v0.5 could be one of -- if not the -- worst virus yet.

In the meanwhile, "Savvy Web Surfers Catch New Wave of Browsers," says the headline in a Reuters story on the fact that Microsoft's Internet Explorer has some "some slick new challengers."

But it's nothing to do with "savvy surfers" or a "new wave of browsers" or "slick" or "new." Bill and the Boyz have been treating their customers with contempt for far too long and now they're paying for it.

Bill's Angry Customers

Increasing numbers of deeply brassed off Internet Explorer users who've had a gut-full of non-stop security threats and breaches are looking around.

A patch has been issued for the JPEG hole. But so what? No one believes every single IE user is going to apply it. Far from it, in fact. And this means the door is wide open for all those hackers who live for just such opportunities as this.

So now disenchanted IE users are checking out new horizons and finding the views excellent. As a direct result, IE now has serious competition from the likes of Opera, which is very far from being new, and Mozilla Firefox, which is now bopping along nicely, thank you very much.

It's win-win for everyone. Except Microsoft.

But then, the Gates Green Machine is having the problems it's having because, like the entertainment industry, it made the terminal error of looking the gift horse in the mouth.

Here's a patch to the JPEG hole.