An attacker may be able to gain control of your computer by taking
advantage of the way some programs process the JPEG image format.
Apply a patch
Microsoft has issued updates to address the problem. Obtain the
appropriate update from Windows Update and from Office Update.Note: You may need to install multiple patches depending what
software you have on your computer.Use caution with email attachments
Never open unexpected email attachments. Before opening an attachment,
save it to a disk and scan it with anti-virus software. Make sure to
turn off the option to automatically download attachments.View email messages in plain text
Email programs like Outlook and Outlook Express interpret HTML code
the same way that Internet Explorer does. Attackers may be able to
take advantage of that by sending malicious HTML-formatted email
messages.Maintain updated anti-virus software
It is important that you use anti-virus software and keep it up to
date. Most anti-virus software vendors frequently release updated
information, tools, or virus databases to help detect and recover from
virus infections. Many anti-virus packages support automatic updates
of virus definitions. US-CERT recommends using these automatic updates
when possible.
Microsoft Windows Graphics Device Interface (GDI+) is used to display information on screens
and printers, including JPEG image files. An attacker could execute arbitrary code on a vulnerable system if the user opens a malicious JPEG file via applications such as a web browser, email program, internet chat program, or
via email attachment. Any application that uses GDI+ to process JPEG image files is vulnerable to this type of attack. This vulnerability also affects products from
companies
other than Microsoft.
- September 2004 Security Update for JPEG Processing (GDI+) – <http://www.microsoft.com/security/bulletins/200409_jpeg.mspx>
- US-CERT Vulnerability Note VU#297462 – <http://www.kb.cert.org/vuls/id/297462>
Author: Mindi McDowell. Feedback
can be directed to US-CERT –>.
Copyright 2004 Carnegie Mellon University.
Terms of use
September 14, 2004: Initial release
Last updated
Systems Affected This vulnerability affects the following Microsoft Windows operating systems by default: Microsoft Windows…
CISA, in partnership with Federal Bureau of Investigation, the National Security Agency, Department of Energy,…
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence…
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence…
CISA and the Australian Signals Directorate’s Australian Cyber Security Centre, in collaboration with federal and international…
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of ongoing intrusions by People’s Republic…
This website uses cookies.