Can you imagine the Internet without pictures? A new flaw in the way Windows, and therefore Internet Explorer, renders JPEG images -- one of the most common image formats on the Web--should make you think twice about whether you should display them. At the very least, it should nudge you into considering an alternative Internet browser, such as Firefox.
The code to exploit this flaw is now public. Usually, exploit code release is the first step toward a new virus or worm, and as we have seen before, the time from exploit to virus is generally about two to three weeks. In other words, the clock is ticking.
The GDIplus vulnerability
If you use a Windows operating system older than Windows 2000 or have already updated to Windows XP SP2, you're immune to the flaw. There are many ways to render JPEGs, but the Graphic Device Interface plus DLL, or gdiplus.dll, is enabled only in Windows 2000 and Windows XP. Because gdiplus.dll is vulnerable to a buffer overflow attack, malicious code lurking inside an infected JPEG file could allow new, potentially malicious code to take over the use of your computer (or, at the very least, crash it). Unfortunately, the applications that run in Windows 2000 and XP are also vulnerable.
Microsoft Office is vulnerable
The list of these vulnerable programs is not short and includes:
- Microsoft .Net Framework 1.x
- Picture It Digital Image Pro 7.x and 9.x
- Digital Image Suite 9.x
- FrontPage 2002
- Greetings 2002
- Internet Explorer 6.0
- Office 2003 Professional Edition
- Office 2003 Small Business Edition
- Office 2003 Standard Edition
- Office 2003 Student and Teacher Edition
- Office XP
- Outlook 2003 and 2002
- Picture It 2002, 7.x, and 9.x
- PowerPoint 2002 and PowerPoint 2003
- Project 2002 and Project 2003
- Publisher 2002
- Visio 2002, Visio 2003
- Visual Studio .Net 2002 and 2003
- Word 2002
Now, what happens if you patch your system with Windows XP SP2, and then load one of the above applications? Believe it or not, the potential exists for that program to overwrite the patched gdiplus.dll with an older, more vulnerable version. You can see what a nightmare this has become already. Thus, Microsoft has posted a free online tool to assess the current vulnerability of your computer.
What if you don't use Microsoft applications on your Windows computer? Surprisingly, your solution might be even more complicated.
Macromedia products not vulnerable
Some non-Microsoft programs, such as those from Macromedia, also regularly use JPEG files. It turns out that some Macromedia applications do install the vulnerable gdiplus.dll, but they actually use the Microsoft graphics library instead to process JPEGs. As a result, products such as Macromedia Contribute, Dreamweaver, Fireworks, Flash, Flashpaper, FreeHand, RoboSource Control and Studio MX are not affected by the GDI flaw. Nonetheless, if you do load any of these programs after you've patched your system, make sure they don't overwrite the patched version of gdiplus.dll. To find out more about software vulnerability to this flaw, see this US-CERT document for more details.
Upgrade to Windows XP or else, says Microsoft
In a separate but related development, Microsoft announced that future security enhancements for its Internet Explorer will be available through its Windows XP update service only. By refusing to offer separate security enhancements for Internet Explorer, which is the main vector for any JPEG-related worm or virus, Microsoft is essentially saying that anyone who hasn't yet upgraded to Windows XP won't be protected from future exploits. Amazon charges £75 for upgrading to Windows XP Home and £144 to upgrade to the Professional Edition.
Firefox is a start but not the whole solution
If you've taken my past advice, you've already bailed out from Internet Explorer and installed Mozilla's Firefox as your default Internet browser. For the most part, you can avoid the JPEG flaw, right? Wrong. Because Microsoft bundles IE deep within Windows, you can't avoid IE by not using it. For example, say you get an HTML email message from someone that includes a JPEG image. If you're using Outlook 2002 or earlier, it calls on IE to render that image. The same is true for Microsoft Word and other Office applications that offer a Web view. Outlook 2003 at least gives you the option of viewing an image or not, but should you choose to view it, Outlook 2003 will still call IE. You can remove Internet Explorer from Windows, but it would take a column twice as long as this to cover all the Registry settings and such you'd need to tweak to do so. Want to move over to Firefox? You can download it here.
Talkback
Thanks for the info folks.
I switched to Firefox after my WindowsXP Pro & Home systems crashed five times in three weeks. Each time it required a complete re-install of all Win programs and the resetting of all preferences, etc., to recover, only to have it crash again the next time I used Internet Explorer. Thankfully, I was able to get a download of Mozilla Firefox, which took only a short while. Firefox is to IE what the Wright Brothers are to a Boeing747! It cruises the net beautifully, has brilliant tab features, and seems impervious to whatever it is that plagues the WinXP/IE combination. I've had absolutely no trouble and even felt confident enough in Firefox to uninstall the 25mgs of front line defence it took to daily protect IE. My system runs much faster on the net and has been wonderfully stable ever since. Firefox Rules!
Thank you for the usual very informative newsletter. I abandoned the virtually useless IE long since and have been using Opera (now 7.50j) - you stop looking when you have found what you want, and Opera is the best I have tried!
I read your article on firefox and the problems with Internet Explorer, and the mist cleared aha I thought so I downloaded Firefox and I aint looking back thanks a lot guys you have fixed most of my problems . Alistair Cruickshank
But there is no sound in Firefox visiting web pages?!