
F-Secure Virus Descriptions : JPG Vulnerability Exploit




NAME: JPG Vulnerability Exploit
ALIAS: MS04-028 exploit, COM length exploit, JPEG Processing (GDI+)

Summary

Update on October 12th, 2004:

Microsoft has today released several critical updates for Windows, Exchange and Office. There is also an update to the patch for the JPG vulnerability (MS04-028). Further information and a complete list of the updates are available at Microsoft's TechNet Security site:

http://www.microsoft.com/technet/security/bulletin/ms04-oct.mspx

F-Secure recommends that users upgrade their systems using Windows Update.

Update on September 24th, 2004:

As we reported earlier in our Weblog for September 2004:

http://www.f-secure.com/weblog/archives/archive-092004.shtml

a vulnerability, which allows code execution, has been found in Microsoft's GDI+ JPEG decoder. Microsoft has posted detailed information on the vulnerability and affected systems in the MS04-028 bulletin:

http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

Detailed Description

A proof-of-concept exploit which executes code on the victim's computer when opening a JPG file was posted to a public website on September 17th, 2004. That exploit only crashed Internet Explorer.

On September 24th a constructor appeared that could produce JPG files with the MS04-028 exploit. This time the exploit executed code that could download and run a file from the Internet. However, the JPG file with the exploit has to be previewed locally for the exploit to be activated; viewing a JPG file from a remote host does not activate the exploit.

We expect that more exploit techniques will be created by hacker groups, and there is a chance that someone will create a universal exploit that works when viewing an image both locally and on a remote host.

To be protected from the JPEG vulnerability exploit, install the security updates released by Microsoft. These updates can be downloaded from here:

http://www.microsoft.com/security/bulletins/200409_jpeg.mspx

To test whether your computer is vulnerable to the MS04-028 exploit, please use the following utility provided by Microsoft:

http://www.microsoft.com/downloads/details.aspx?familyid=71CD9E74-7142-4780-8...

To prevent the exploit from entering your system, it is recommended to obtain an application that scans incoming traffic, for example F-Secure Internet Gatekeeper, and configure it to scan all incoming image files (see the list of extensions below).

http://www.europe.f-secure.com/download-purchase/list.shtml



Detection

F-Secure Anti-Virus has detected the MS04-028 exploit since the 20th of September. Detection is available since the 2004-09-20_01 update as 'Exploit.Win32.MS04-028.gen'.

IMPORTANT: F-Secure Anti-Virus does not scan JPG and other image files with the default settings. In order to scan a computer for files containing the JPG vulnerability exploit, it is necessary either to scan all files on a hard disk or to add the following image extensions to the list of scanned extensions:

 BMP
 DIB
 EMF
 GIF
 ICO
 JFIF
 JPE
 JPEG
 JPG
 PCX
 PNG
 RLE
 TGA
 TIF
 TIFF
 WMF

NOTE: Adding the above listed extensions to FSAV's list of scanned extensions might reduce the scanner's performance, as there will be many more files to scan on a hard disk.
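As an added illustration (not F-Secure's detection logic and not code from this page), the following Python sketch walks the files with the extensions listed above and flags JPEG data containing a segment whose length field is below the legal minimum of 2. It assumes that the "COM length exploit" alias refers to the malformed comment (COM, FF FE) segment length associated with MS04-028. The function names and test vectors are constructed for this example.

```python
import struct
from pathlib import Path

# Extensions from the list above. Content is identified by the JPEG SOI magic,
# so JPEG data stored under any of these names is still parsed.
IMAGE_EXTS = {"bmp", "dib", "emf", "gif", "ico", "jfif", "jpe", "jpeg", "jpg",
              "pcx", "png", "rle", "tga", "tif", "tiff", "wmf"}
NO_LENGTH = {0x01, *range(0xD0, 0xD8)}   # TEM and RST0-RST7 carry no length field
COM = 0xFE                               # JPEG comment marker (FF FE)

def suspicious_segments(data: bytes):
    """Return [(offset, marker, length)] for segments whose length field is < 2."""
    hits, pos = [], 2
    if data[:2] != b"\xff\xd8":          # no SOI marker: not JPEG data
        return hits
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xFF:               # fill byte before a marker
            pos += 1
        elif marker in NO_LENGTH:
            pos += 2
        elif marker in (0xD9, 0xDA):     # EOI, or SOS: compressed scan data follows
            break
        else:
            (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
            if length < 2:               # the field counts its own two bytes
                hits.append((pos, marker, length))
                break                    # segment boundaries are unknown from here
            pos += 2 + length
    return hits

def scan_tree(root):
    """Map each file under root with a listed extension to its suspicious segments."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower().lstrip(".") in IMAGE_EXTS:
            hits = suspicious_segments(path.read_bytes())
            if hits:
                findings[str(path)] = hits
    return findings

# Constructed test vectors (segment headers only, no image data, no payload).
GOOD = b"\xff\xd8" + b"\xff\xe0\x00\x04AB" + b"\xff\xfe\x00\x05hey" + b"\xff\xd9"
BAD = b"\xff\xd8" + b"\xff\xe0\x00\x04AB" + b"\xff\xfe\x00\x01" + b"\x00" * 8

if __name__ == "__main__":
    for name, hits in scan_tree(".").items():
        for off, marker, length in hits:
            tag = "COM" if marker == COM else f"FF{marker:02X}"
            print(f"{name}: {tag} segment at offset {off} has length {length}")
```

This is a structural heuristic over the header segments only; it stops at the first scan (SOS) marker and is not a substitute for installing the Microsoft updates or for a maintained scanner signature.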



Writeup: Gergely Erdelyi and Alexey Podrezov; September 23rd, 2004;

Description Updated:

Alexey Podrezov; September 24th, 2004;

Katrin Tocheva; October 12th, 2004;

F-Secure Corporation