I meant to write something on this a while back after several folks emailed me about it, but I got distracted and never got around to it. Back on September 14th, word came out that there was a major flaw in how several Microsoft products handled images in the popular JPEG format that could allow for a new means of infecting a PC with a virus. This is significant because JPEG images are quite common on webpages and are the primary format most digital cameras use, so simply viewing a webpage or opening a Word document that contains pictures could be a means of infection without you ever realizing it. On September 24th, some sample code showing how to use this flaw hit the net, and on September 28th the first trojan exploiting the flaw arrived. Making bad news even worse, security experts point out that virus scanners could easily miss malicious code inside JPEG files because they aren’t normally configured to scan them.
“Normal antivirus software, by default, will not detect JPEGs,” Hypponen said. “You can set your antivirus scanner to look for JPEG, but the trouble is that you can change the file extension on a JPEG to so many things.”
There are about 11 file name extensions to which JPEGs can be changed, including .icon or .jpg2. Hypponen said this would make finding malicious JPEGs even more difficult; searching could take up a significant amount of valuable processor power.
Internet Explorer processes JPEGs before it caches them. That could also mean that desktops may become infected before antivirus software has a chance to work.
“This means that it is not enough to scan at the desktop,” Hypponen said. “You have to scan at the gateway, but this will put a huge load on your bandwidth.”
Microsoft does have a patch available that will check your PC for vulnerable programs and update them accordingly, so if you haven’t been by Windows Update recently, now is a good time to swing by there and make sure your system is patched. If you’ve installed Windows XP Service Pack 2, then this flaw is already fixed for the OS, but you may still have other vulnerable Microsoft products on your PC. You can check the September 2004 Security Update for JPEG Processing (GDI+) website for additional details.
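On the point about renamed extensions: a scanner can pick out JPEGs by their leading bytes instead of by file name. The sketch below is an added example, not code from this post, the quoted article, or Microsoft. The segment-length check is a generic JPEG structure sanity check chosen for illustration, and the function names and sample bytes are constructed.

```python
import struct

SOI = b"\xff\xd8"  # JPEG start-of-image marker

def is_jpeg(data: bytes) -> bool:
    """Identify a JPEG by its leading bytes, ignoring the file name."""
    return len(data) > 2 and data[:2] == SOI and data[2] == 0xFF

def malformed_segments(data: bytes) -> list:
    """Walk header segments and return (offset, marker, length) for the first
    segment whose length field is impossible (< 2) or runs past end of file."""
    bad, pos = [], 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:
            pos += 2                            # standalone markers carry no length
            continue
        if marker == 0xD9:                      # end of image
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            bad.append((pos, marker, length))   # length must cover its own 2 bytes
            break
        if marker == 0xDA:                      # start of scan: compressed data follows
            break
        pos += 2 + length
    return bad

def triage(name: str, data: bytes) -> str:
    """Classify by content; `name` is kept only for reporting."""
    if not is_jpeg(data):
        return "not-jpeg"
    return "suspicious" if malformed_segments(data) else "jpeg-ok"

# Constructed sample inputs (not real captures).
GOOD = SOI + b"\xff\xe0\x00\x10JFIF\x00" + bytes(9) + b"\xff\xd9"
BAD = SOI + b"\xff\xe1\x00\x00" + b"AAAA" + b"\xff\xd9"

if __name__ == "__main__":
    for name, blob in [("photo.jpg", GOOD), ("holiday.icon", GOOD),
                       ("renamed.doc", BAD), ("notes.jpg", b"plain text")]:
        print(f"{name:14} {triage(name, blob)}")
```

Because the check reads only the first bytes and the segment headers, the cost per file stays small even when every file is inspected regardless of extension.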