Is it true that I can now get a virus by looking at a picture on the Internet?
This question was answered on October 6, 2004. Much of the information contained herein may have changed since posting.
As if all of the existing Internet vulnerabilities, scams, spam, spyware, adware, Trojans and general bedlam that we all have to deal with was not enough, along comes one of the most potentially pervasive vulnerabilities to be discovered in some time.
In mid-September of 2004, a vulnerability was discovered that would allow a malicious user to create an image file (using the JPEG or JPG file format) that could run a menacing program in the background, as soon as the image was viewed
While at the time, there was a potential for this to occur, there was no evidence that it had been exploited.
Since then, a rogue website posted sample code demonstrating how to take advantage of the vulnerability and the rest is history! Several instances of these ‘infected images’ have since been discovered on a handful of websites and newsgroups and a more recent attempt to use AOL’s Instant Messaging program to lure folks into viewing these images was uncovered.
Because of the universal use of the JPG format, the concern about where this one could lead is warranted JPGs are the format of choice for digital cameras, scanners, Internet sites and virtually any program that handles digitized photographic images.
Anti-virus programs are not set to scan JPG files (or any of the other compatible image formats) so by default, they presently have no defense against the exploit.
As usual, this latest round of warnings is a bad news and good news story…
The bad news is that it could impact our interaction with many things; e-mail attachments, pictures posted on websites, newsgroup postings, Instant Messaging and more.
The good news is that it’s easy to patch any Windows-based system against this vulnerability, so that if you do come in contact with an infected image, it will have no affect on your system.
There are two major product groups from Microsoft that are vulnerable; Windows XP and the productivity suite known as Office (Users of Microsoft’s Developer Tools for programming may also have some exposure).
Those that have installed Service Pack 2 (SP2) for Windows XP have plugged the hole in Windows, but if you are running Office XP, Office 2003 or any of the individual programs within the Office Suites (Word, Excel, Outlook, PowerPoint, etc.) you will need to install the patches for those programs as well.
There is limited exposure to this problem for the time being, but knowing all of the malicious morons in Internet-land, it won’t be long before they start churning out various methods to attack users, so I suggest everyone play it safe and get patched.
To check to see which patches your version of Windows needs, go to: windowsupdate.microsoft.com.
To check to see if you need any patches for your Office programs, go to:
office.microsoft.com and look for the ‘Check for Updates’ link in the top right corner.
About the author
Posted by Ken Colburn of Data Doctors on October 6, 2004