EasyNews, a provider of Usenet newsgroup services, claimed it had already found two images containing code designed to take advantage of the flaw—by downloading remote control software to infected machines. In theory, this would give the creators of the images access to both files on infected machines, as well as giving them the ability to run remote programs on them.
According to a posting on EasyNews Web site, the company "wrote a quick and nasty script to scan every JPEG that comes onto EasyNews.com. It paged my cell phone at 6:47 p.m. PDT on Sept. 26 for the first hit, and 7:52 p.m. PDT for the second hit."
"Once this JPEG overflowed GDI+, it phoned home, connected to an FTP site and downloaded almost 2MB of stuff. It installs a Trojan that installs itself as a service."
The Trojan also installs Radmin, a package that allows users to remotely administer a machine across the Internet, running under the name of r_server.
Although the examples found by EasyNews do not replicate, the discovery of code exploiting the bug in the wild is bound to raise fears that other, more sophisticated programs exploiting the JPEG bug will appear.
The found images exploit a vulnerability in the Microsoft GDI+ Type Library that allows a specially formed JPEG image to compromise the system and execute any arbitrary code, even when simply viewing the image in an HTML e-mail. The problem is particularly acute because anti-virus products do not always scan nonexecutable files, although it is understood that a version of Norton Anti-Virus 2005 patched with virus definitions dated Sept. 15 is capable of spotting a malicious JPEG.
Microsoft has already issued patches for the problem. But as the problem affects many Microsoft products—including Windows XP, Windows Server 2003, Office XP and 2003 and .NET Framework 1.0—there are likely to be many unpatched systems and applications online.
Windows XP Service Pack 2 (SP2) is not affected, although SP2 users may need to acquire patches for applications they use. Windows 98, ME, NT and 2000 are also not affected, but they may run applications that are. Users can check for updates at Microsofts security Web page.