September 14th, 2004
Non-SP2 Windows users open to JPG poison pill
Microsoft has issued a patch that eliminates a vulnerability found in just about any Microsoft software that’s capable of viewing JPG images (one of the most commonly used image formats for Web pages). Systems that have so far been patched with Service Pack 2 are not open to an exploit that takes advantage of the vulnerability. News.com Robert Lemos reports that "the flaw affects various versions of at least a dozen Microsoft software applications and operating systems, including Windows XP, Windows Server 2003, Office XP, Office 2003, Internet Explorer 6 Service Pack 1, Project, Visio, Picture It and Digital Image Pro." Since Internet Explorer is one of the vulnerable applications, users of unpatched Windows systems can be infected simply by visiting a Web page that loads "infected" images. So far, no such images are known to exist. But experts are warning that now that Microsoft has published news of the vulnerability and issued a patch (patches can be reverse engineered to gain an understanding of the vulnerabilities they fix), it may only be a matter of time before they do. The fact that SP2-patched systems are invulnerable to this JPG exploit could raise questions about Microsoft’s decision not to make the security-focused service pack like SP2 available for older versions of Windows. Roughly two-thirds of all Windows users are still running a version of Windows that can’t be patched with SP2.
