NOTE: the end of this message an additional list of environments/applications that could be affected by this vulnerability: ---------------------------------------------------------------

From: alerts@us-cert.gov Subject: US-CERT Cyber Security Alert SA04-258A -- Vulnerability in Microsoft Image Processing Component Date: September 14, 2004 6:18:58 PM GMT-05:00 To: alerts@us-cert.gov

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

Cyber Security Alert SA04-258A Vulnerability in Microsoft Image Processing Component

Original release date: September 14, 2004 Last revised: -- Source: US-CERT

Systems Affected

* Applications that process JPEG images on Microsoft Windows, including but not limited to

* Internet Explorer * Microsoft Office * Microsoft Visual Studio * Picture It! * Applications from other vendors besides Microsoft

Overview

An attacker may be able to gain control of your computer by taking advantage of the way some programs process the JPEG image format.

Solution

Apply a patch

Microsoft has issued updates to address the problem. Obtain the appropriate update from Windows Update and from Office Update.

Note: You may need to install multiple patches depending what software you have on your computer.

Use caution with email attachments

Never open unexpected email attachments. Before opening an attachment, save it to a disk and scan it with anti-virus software. Make sure to turn off the option to automatically download attachments.

View email messages in plain text

Email programs like Outlook and Outlook Express interpret HTML code the same way that Internet Explorer does. Attackers may be able to take advantage of that by sending malicious HTML-formatted email messages.

Maintain updated anti-virus software

It is important that you use anti-virus software and keep it up to date. Most anti-virus software vendors frequently release updated information, tools, or virus databases to help detect and recover from virus infections. Many anti-virus packages support automatic updates of virus definitions. US-CERT recommends using these automatic updates when possible.

Description

Microsoft Windows Graphics Device Interface (GDI+) is used to display information on screens and printers, including JPEG image files. An attacker could execute arbitrary code on a vulnerable system if the user opens a malicious JPEG file via applications such as a web browser, email program, internet chat program, or via email attachment. Any application that uses GDI+ to process JPEG image files is vulnerable to this type of attack. This vulnerability also affects products from companies other than Microsoft.

References

* September 2004 Security Update for JPEG Processing (GDI+) - http://www.microsoft.com/security/bulletins/200409_jpeg.mspx * US-CERT Vulnerability Note VU#297462 - http://www.kb.cert.org/vuls/id/297462 _________________________________________________________________

Author: Mindi McDowell. Feedback can be directed to US-CERT, at "US-CERT Security Alerts" at mailto:cert@cert.org. Please include the Subject line "SA04-258A Feedback VU#297462". _________________________________________________________________

Copyright 2004 Carnegie Mellon University.

Terms of use: http://www.us-cert.gov/legal.html

This document is available from

http://www.us-cert.gov/cas/alerts/SA04-258A.html

Revision History

September 14, 2004: Initial release

MS04-028 - Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)

- Affected Software:

- Windows XP and Windows XP Service Pack 1 - Windows XP 64-Bit Edition Service Pack 1 - Windows XP 64-Bit Edition Version 2003 - Windows Server 2003 - Windows Server 2003 64-Bit Edition

- Office 2003 - Office XP Service Pack 3 - Visio 2003 (All versions) - Visio 2002 Service Pack 2 (All versions) - Project 2003 (All versions) - Project 2002 Service Pack 1 (All versions)

- Review bulletin MS04-O28 for information about these affected operating systems and applications:

- Windows NT Workstation 4.0 Service Pack 6a - Windows NT Server 4.0 Service Pack 6a - Windows NT Server 4.0 Terminal Server Edition Service Pack 6 - Windows 2000 Service Pack 2 - Windows 2000 Service Pack 3 - Windows 2000 Service Pack 4

- The Microsoft .NET Framework, version 1.0 - The Microsoft .NET Framework, version 1.1 - Internet Explorer 6 Service Pack 1

- Picture It! 2002 (All versions) - Greetings 2002 - Picture It! version 7.0 (All versions) - Digital Image Pro version 7.0 - Picture It! version 9 (All versions) Including Picture It! Library) - Digital Image Pro version 9 - Digital Image Suite version 9 - Producer for Microsoft Office PowerPoint (All versions)

- Visual Studio 2003 .NET - Visual Basic .NET Standard 2003 - Visual C# .NET Standard 2003 - Visual C++ .NET Standard 2003 - Visual J# .NET Standard 2003 - Visual Studio 2002 .NET - Visual Basic .NET Standard 2002 - Visual C# .NET Standard 2002 - Visual C++ .NET Standard 2002 - The Microsoft .NET Framework, version 1.0 SDK - Platform SDK Redistributable: GDI+

- Review the FAQ section of bulletin MS04-O28 for information about these operating systems:

- Microsoft Windows 98 - Microsoft Windows 98 Second Edition (SE) - Microsoft Windows Millennium Edition (ME)

- Impact: Remote Code Execution - Version Number: 1.0

Important Security Bulletins ============================

MS04-027 - Vulnerability in WordPerfect Converter Could Allow Code Execution (884933)

- Affected Software: - Office 2003 - Office XP Service Pack 3 - Office 2000 Service Pack 3 - Works Suite (All versions)

- Impact: Remote Code Execution - Version Number: 1.0