Critical vulnerability in MS Windows may escalate the virus threat

Helsinki, Finland - October 5, 2004

A critical security vulnerability related to the processing of picture files in the JPG format has been reported recently. The vulnerability is present in the Windows XP (without Service Pack 2) and Windows Server 2003 operating systems as well as several other products from Microsoft. This vulnerability does not pose an immediate threat to users at the moment, but viruses that use it are likely to appear in the future. F-Secure wants to draw your attention to this, as a successful JPG virus would be unique and would break many common beliefs about how viruses replicate.

Image files, including the JPG format commonly used for storing, for example, digital photos, are usually considered safe. There are many e-mail viruses that fool users into executing program files by masquerading them as picture files. But these viruses are always stored as an executable file, so antivirus scanners will still scan the file and detect the virus even if the file looks like a picture to the end user. Viruses based on the newly discovered vulnerability would, however, be stored as real JPG files. This means that many antivirus scanners, including some products from F-Secure, would consider these files safe and pass them through without scanning. Users of antivirus products need to review the scanning settings and ensure that picture files are scanned properly if a JPG virus becomes widespread.

F-Secure recommends that everyone take these actions:

  • This vulnerability emphasizes the importance of the security updates from Microsoft. All computer users should check Microsoft’s security center at http://www.microsoft.com/security/ to find out if their systems are affected. This site also gives instructions on how to download patches manually or enable automatic patching. F-Secure recommends that users install security patches from Microsoft, as that is an effective and free way to improve security. It should also be noted that there are possible scenarios where a JPG file may bypass traditional antivirus products that operate on the file level. Patching the security hole provides protection in these scenarios as well.

  • The antivirus settings should be checked to ensure that files that contain threats based on the new vulnerability are scanned properly. Administrators can make the necessary changes right away or at least prepare to change the settings quickly if a JPG virus becomes widespread. The mail-scanning modules in F-Secure Internet Gatekeeper and F-Secure Anti-Virus for Firewalls are by default configured to scan all files. Other antivirus products are by default configured to scan a defined set of file types. Several extensions used for image files should be added to this list. See our description of the vulnerability at http://www.f-secure.com/v-descs/ms04-028.shtml for more details and a list of the extensions that need to be added. The product documentation describes how to change the list of scanned file types.
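The gap described above, where a scanner that selects files by extension catches a program posing as a picture but passes a genuine JPG file, can be checked with a short audit. This is an added example, not F-Secure code: the scan list, the sample files and all function names are constructed for illustration, and the extensions it reports are only those seen in the samples, not the full list from the vulnerability description.

```python
from pathlib import PurePath

JPEG_MAGIC = b"\xff\xd8\xff"  # start-of-image marker that opens a JPEG file

# Constructed scan list for illustration, not a real product default.
SCAN_EXTS = {"exe", "com", "scr", "pif", "doc"}

# Constructed samples: (file name, first bytes of the file).
SAMPLES = [
    ("holiday.jpg.exe", b"MZ\x90\x00"),              # program posing as a picture
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),  # genuine JPEG
    ("scan.JPEG", b"\xff\xd8\xff\xe1\x00\x18Exif"),  # genuine JPEG, other spelling
    ("notes.txt", b"hello"),
]

def extension(name):
    """Final extension of a file name, lower-cased and without the dot."""
    return PurePath(name).suffix.lower().lstrip(".")

def is_scanned(name, scan_exts):
    """An extension-based scanner inspects a file only if its extension is listed."""
    return extension(name) in scan_exts

def unscanned_jpegs(files, scan_exts):
    """Names of files that really are JPEGs (by content) yet would be skipped."""
    return [name for name, head in files
            if head.startswith(JPEG_MAGIC) and not is_scanned(name, scan_exts)]

def missing_extensions(files, scan_exts):
    """Extensions to add to the scan list so the JPEGs seen here get scanned."""
    return sorted({extension(name) for name in unscanned_jpegs(files, scan_exts)})

if __name__ == "__main__":
    print("masquerading program scanned:", is_scanned("holiday.jpg.exe", SCAN_EXTS))
    print("genuine JPEGs skipped:", unscanned_jpegs(SAMPLES, SCAN_EXTS))
    to_add = missing_extensions(SAMPLES, SCAN_EXTS)
    print("extensions to add:", to_add)
    print("skipped after update:", unscanned_jpegs(SAMPLES, SCAN_EXTS | set(to_add)))
```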

More information:

Microsoft’s security bulletin http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

Microsoft’s security center http://www.microsoft.com/security/

Microsoft’s update service http://www.windowsupdate.com/

Microsoft’s update service for MS Office products: http://officeupdate.microsoft.com

F-Secure’s vulnerability description http://www.f-secure.com/v-descs/ms04-028.shtml

Support article about F-Secure Internet Gatekeeper’s settings
http://support.f-secure.com/enu/corporate/supportissue/av-igk/faq.shtml#2004100500

Support article about F-Secure Anti-Virus for MS Exchange’s settings
http://support.f-secure.com/enu/corporate/supportissue/av-mse/faq.shtml#2004100500

Support article about F-Secure Anti-Virus for Firewalls’ settings
http://support.f-secure.com/enu/corporate/supportissue/av-fw/faq.shtml#2004100500
