From alerts@us-cert.gov Tue Sep 14 21:57:44 2004
From: US-CERT Alerts <alerts@us-cert.gov>
To: alerts@us-cert.gov
Date: Tue, 14 Sep 2004 19:19:01 -0400
Subject: US-CERT Cyber Security Alert SA04-258A -- Vulnerability in
    Microsoft Image Processing Component 


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                        Cyber Security Alert SA04-258A
            Vulnerability in Microsoft Image Processing Component

   Original release date: September 14, 2004
   Last revised: --
   Source: US-CERT

Systems Affected

  * Applications that process JPEG images on Microsoft Windows,
    including but not limited to

     * Internet Explorer
     * Microsoft Office
     * Microsoft Visual Studio
     * Picture It!
     * Applications from other vendors besides Microsoft

Overview

     An attacker may be able to gain control of your computer by taking
     advantage of the way some programs process the JPEG image format.

Solution

  Apply a patch

     Microsoft has issued updates to address the problem. Obtain the
     appropriate update from Windows Update and from Office Update.

     Note: You may need to install multiple patches depending what
     software you have on your computer.

  Use caution with email attachments

     Never open unexpected email attachments. Before opening an
     attachment, save it to a disk and scan it with anti-virus software.
     Make sure to turn off the option to automatically download
     attachments.

  View email messages in plain text

     Email programs like Outlook and Outlook Express interpret HTML code
     the same way that Internet Explorer does. Attackers may be able to
     take advantage of that by sending malicious HTML-formatted email
     messages.

  Maintain updated anti-virus software

     It is important that you use anti-virus software and keep it up to
     date. Most anti-virus software vendors frequently release updated
     information, tools, or virus databases to help detect and recover
     from virus infections. Many anti-virus packages support automatic
     updates of virus definitions. US-CERT recommends using these
     automatic updates when possible.

Description

     Microsoft Windows Graphics Device Interface (GDI+) is used to
     display information on screens and printers, including JPEG image
     files. An attacker could execute arbitrary code on a vulnerable
     system if the user opens a malicious JPEG file via applications
     such as a web browser, email program, internet chat program, or via
     email attachment. Any application that uses GDI+ to process JPEG
     image files is vulnerable to this type of attack. This
     vulnerability also affects products from companies other than
     Microsoft.

References

     * September 2004 Security Update for JPEG Processing (GDI+) -
       <http://www.microsoft.com/security/bulletins/200409_jpeg.mspx>
     * US-CERT Vulnerability Note VU#297462 -
       <http://www.kb.cert.org/vuls/id/297462>
   _________________________________________________________________
     
   Author: Mindi McDowell. Feedback can be directed to US-CERT, at
   "US-CERT Security Alerts" at <mailto:cert@cert.org>. Please include
   the Subject line "SA04-258A Feedback VU#297462".
   _________________________________________________________________   
     
   Copyright 2004 Carnegie Mellon University.
     
   Terms of use: <http://www.us-cert.gov/legal.html>
     
   This document is available from
     
   <http://www.us-cert.gov/cas/alerts/SA04-258A.html>
     
   Revision History
     
      September 14, 2004: Initial release
     

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFBR3B1XlvNRxAkFWARAtRbAJ9FRO0XqiiEMNjjwGoTBpox2wJqWgCg1YzJ
8JEt8xDHp6Gm5LXjI8y0uOU=
=ehyf
-----END PGP SIGNATURE-----