Just a week after Microsoft released a patch to plug a security flaw in the way at least 13 of its programs handle the JPEG imaging format, code appeared on the Internet on Wednesday showing how to exploit those holes. Though this exploit code alone is not a threat, it will likely be a jumping-off point for the next round of PC attacks.
“Other people are probably already working on tweaking that code,” said Craig Schmugar, virus research manager at security firm McAfee Inc., based in Santa Clara, Calif. The proof-of-concept code demonstrates the ability to execute commands through the JPEG exploit and, if altered, could allow infected PCs to be controlled by attackers.
“The teeth were taken out of [the sample code],” said Dave Hawkins, technical support engineer at Mahwah, N.J.-based Radware, which specializes in application security and availability. “But its a rather trivial matter to modify that and make it pretty nasty.” Other hackers could tack on existing worm code or a back door for controlling PCs remotely, he said.
“By the weekend, well likely see a remote-access Trojan thats exploiting this code,” Schmugar said. “Its the next logical extension.”
Microsoft Corp. announced a patch (bulletin MS04-028) on Sept. 14 to protect users from the exploit. Because so many applications share the flaw, users likely must complete both a Microsoft Windows update as well as an Office update to cover Microsoft programs. The company is also providing a tool for users to scan their computers in order to determine what third-party software components could be vulnerable.
A Microsoft spokeswoman said customers who have deployed the patch are not at risk from the exploit code, and McAfees Schmugar said it will go a long way toward protecting the most common applications such as Internet Explorer, which are also the most likely to be attacked.
This isnt the first case of security flaws related to imaging software. Earlier this year, a vulnerability was found in how Internet Explorer 5.0 handles the bitmap format, which was never exploited. And according to Hawkins, in 2000 a flaw was found in Netscapes handling of JPEG images, which is similar to the latest iteration. But industry observers say the results could be more serious this time around.
“If you take the pervasiveness of Microsoft, with a vulnerability of something people traditionally trust like a JPEG, its totally ripe to become the next mass-mailing worm,” Hawkins said. He said hes also wary because he thinks the “black hats” are excited to release the next big worm.
“Its significant in the fact that over time, weve seen when similar proof-of-concept code is posted, its usually a short time later that we see a real threat open up,” Schmugar said. He also noted that McAfee updated its security software about a week ago to detect the code released Wednesday, in addition to other malicious JPEG files.
The Microsoft spokeswoman said the company is urging its customers to immediately install the MS04-028 update and download the most current updates from Windows Update. In addition, she said enterprise customers still evaluating and testing the patch should follow the workaround steps detailed in the update.