MS04-028: F-Secure's Updated information on GDI+, JPEG vulnerabilities

F-Secure which provides excellent AV products shares a good update on the gdiplus.dll vulnerabilities associated with malformed JPEGs. Their daily weblog is excellent (a must read for me every day) and today's entry is especially informative.

F-Secure: Updated information on GDI+ JPG vulnerabilities
http://www.f-secure.com/weblog/


QUOTE
Renewed notice on the GDI+ JPG vulnerability - (Oct 5th)

We've posted another notice on the JPG vulnerability, trying to get people to patch before it's too late.

http://www.f-secure.com/news/items/news_2004100500.shtml

Couple of notices on this vulnerability:

- Filtering files with .JPG extension won't protect you much. Bad JPGs can be renamed to .BMP or even .ICO and they still work fine

- To update Word, Excel and other Office tools, most users need to visit officeupdate.microsoft.com - but keep your Office installation CD handy!

- In some cases, Internet Explorer will run into the vulnerability before it has saved the offending JPG file to the IE cache folder - which means most workstation antivirus products won't have a chance to scan it before it's too late. Gateway-based antivirus scanners (like F-Secure Internet Gatekeeper) take care of this problem

- However, exploiting Internet Explorer with this vulnerability seems to be particularily hard. Exploiting Windows XP's EXPLORER.EXE while viewing local JPG files is much easier and several toolkits to create JPGs like this exist. This reduces the likelyhood of appereance of a massmailer worm using this vulnerability

- Finally, if you scan JPGs with this exploit embedded in them, F-Secure Anti-virus will detect them

For more, see our description.

http://www.f-secure.com/v-descs/ms04-028.shtml

THE MUL