Affected systems
Applications that process JPEG images in Microsoft Windows, including
but not limited to:
- Internet Explorer
- Microsoft Office
- Microsoft Visual Studio
- Imagine it!
- Non-Microsoft applications
Overview
An attacker might be able to take control of your computer by taking
advantage of the way some programs handle the JPEG image format.
Solution
Apply a patch
Microsoft has released updates to resolve the issue. Obtain the
appropriate updates from Windows Update and from Desktop update.
Note: You may need to install multiple patches depending on what
software you have on your computer.
Be careful with email attachments
Never open unexpected attachments. Before opening an attachment,
save it to a disk and scan it with antivirus software. Make sure to
disable the option to automatically download attachments.
View emails in plain text
Email programs like Outlook and Outlook Express interpret HTML code
in the same way as Internet Explorer. Attackers can
take advantage of this by sending malicious email messages in HTML
format.
Keep antivirus software up to date
It is important that you use antivirus software and keep it up to
date. Most antivirus software vendors frequently release updated
virus information, tools, or databases to help detect and recover
from viral infections. Many antivirus packages support automatic updates
of virus definitions. US-CERT recommends using these automatic updates
when possible.
Description
The Microsoft Windows Graphics Device Interface (GDI+) is used to display information on screens
and printers, including JPEG image files. An attacker could execute arbitrary code on a vulnerable system if the user opened a malicious JPEG file through applications such as a web browser, email program, or Internet chat program, or
as an email attachment. Any application that uses GDI+ to process JPEG image files is vulnerable to this type of attack. This vulnerability also affects products from
companies other than Microsoft.
Author: Mindi McDowell. Feedback can be directed to US-CERT.
Copyright 2004 Carnegie Mellon University.





