Microsoft’s monthly security update was highlighted this week by a JPEG-handling vulnerability that could allow pictures in the format to provide attackers access to targeted machines.
Microsoft also announced an “important” code-execution vulnerability in a WordPerfect 5.x converter, but rated the JPEG weakness — a common buffer-overflow vulnerability — as “critical.” Microsoft is providing a patch for the latest security hole, which is likely to come under attack from computer worms or spyware and relies on the relatively trusted JPEG image format.
However, the vulnerability does not exist in Windows XP systems that have been updated with Microsoft’s security-heavy Service Pack 2 (SP2), which many security experts have feared could fall victim to the onslaught of Windows vulnerabilities.
“You have to give Microsoft credit,” Webroot vice president of threat research Richard Stiennon told TechNewsWorld. “It’s a vulnerability that didn’t show up in SP2, and that’s great.”
Don’t Picture This
What was not so great was the widespread JPEG vulnerability that affected Windows XP and a long list of related software, including Windows Server 2003, Outlook and Office.
Microsoft, which recommended immediate updates, said the newly discovered vulnerability could allow remote-code execution thanks to a buffer-overrun vulnerability in the processing of JPEG image formats.
An attacker who successfully exploited the vulnerability could take advantage of a logged-on user to take complete control of a system, allowing installation of programs, viewing, changing or deleting of data, or even creation of new, privileged accounts, Microsoft said.
Stiennon said that when exploits are developed for the JPEG security hole, they could be crafted to work against Microsoft’s Internet Explorer — which is mentioned as an affected component of the vulnerability — to become a “major vector of malware,” which includes viruses and spyware.
Stiennon, who indicated Microsoft might not have cautioned as forcefully as necessary on Internet Explorer’s role in a possible future attack, said the trusted JPEG format weakness could allow the spread of malware via e-mail.
“Most organizations allow JPEGs,” Stiennon said. “We may have to go back to text-only attachments because of this.”
Monthly Schedule Matures
Sunil James, iDefense director of vulnerability intelligence, said that despite some hiccups early on, Microsoft’s monthly patching schedule that began last October has been easing the pain of patching.
James told TechNewsWorld that Microsoft had been improving the patch software and information that goes with it while at the same time administrators have come to appreciate the dependable schedule — which has included some out-of-cycle updates to address significant security issues.
Stiennon said that despite fears that this month’s security release would include vulnerabilities in the new Service Pack 2 — released widely earlier this month — the latest major update is immune from the JPEG vulnerability.
When asked whether the SP2 protection, combined with the JPEG vulnerability, would cause a greater uptake of the update that has been put off by many companies and consumers, Stiennon said more enterprises might now update with SP2.
However, consumer users are much less likely to do so and many are still using older Windows 95 and Windows 98 systems, Stiennon added.
Stiennon said that despite the availability of the JPEG vulnerability patch, a worm that takes advantage of the issue could spread rapidly and widely because of the high number of systems that will not be updated.
Warning and Waiting
Calling the new JPEG vulnerability “quite a serious issue,” James said attackers are likely to take advantage of the substantial details now available on the vulnerability with exploit codes and worms likely to follow.
“As we’ve seen with other high-profile Microsoft-specific vulnerabilities, would-be attackers quickly latch onto the issue and attempt to deconstruct the vulnerability into the low-level details necessary for exploitation,” James said. “The public availability of proof-of-concept exploit code is an indication that the vulnerability has received such attention.”
James also said the issue should quicken the acceptance of SP2, which he added “will tremendously improve the security posture of the Windows operating system and related Microsoft-based products.”
“As with many Microsoft service packs, widespread adoption takes some time because people are waiting for the kinks to be worked out,” James said. “I think the last month has proven SP2’s mettle, and the release of this vulnerability and proof-of-concept exploit code should quicken the pace with which people install SP2.”