Image Bug May Go Beyond .JPEG

As the so-called JpegOfDeath bug continues to worm its way around through a hole in Microsoft's .jpeg processing technology, warnings are emerging that .jpeg image files may not be the only image files compromised by the bug.

"[F]or the people out there who think you can only be affected through viewing or downloading a .jpeg attachment, you're dead wrong," K-OTIC's John (HighT1mes) Bissell told TechNewsWorld.com September 29. "All the attacker has to do is simply change [the] image extension from .jpg to .bmp or .tif or whatever, and… Windows will still treat the file as a .jpeg."

Mikko Hypponen, antivirus research director for Finnish security firm F-Secure, told reporters JpegOfDeath may present another critical problem: beating normal antivirus software applications, which strain to find .jpeg problems because they search almost strictly for .exe files.

"Normal antivirus software, by default, will not detect JPEGs," he said. "You can set your antivirus scanner to look for JPEG, but the trouble is that you can change the file extension on a JPEG to so many things." And, Hypponen added that with about eleven file name extensions to which a .jpeg file can be changed – including .icon and .jpg2 – finding a malicious .jpeg could be even harder, especially with searching taking up a large amount of processor power.

An adult webmaster who asked to remain anonymous told AVNOnline.com he knew of no complaints about compromised .jpg files through any of his company's sites. But he also said he planned to monitor the progress of the bug until it is neutralized.

JpegOfDeath has traveled an intriguing enough path thus far, according to several security experts. F-Secure said they had spotted a proof-of-concept exploit September 17, when it was posted to a public Web site. This exploit, F-Secure said, executed code on a victim's computer when a .jpg file was opened, but a week later there came "a constructor that could produce .jpg files" with a Microsoft exploit that executed code to download and run a file from the Internet.

"However, the .jpg file with the exploit has to be previewed locally for the exploit to get activated," F-Secure said of that exploit. "Viewing a .jpg file from a remote host does not activate the exploit." The company also said the September 17 exploit only affected Microsoft Internet Explorer.

Microsoft revealed the security flaw that allows the bug to work two weeks ago. Internet Explorer is so far the only browser known to be affected by the bug. The browser processes a .jpeg file before caching it, meaning desktops might become infected before antivirus programs have the chance to work, Hypponen said.

"This means that it is not enough to scan at the desktop," he continued. "You have to scan at the gateway, but this will put a huge load on your bandwidth."
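Bissell's point about renamed extensions and Hypponen's point about scanning at the gateway rest on the same defensive idea: a scanner must identify a file by its content, not by its file name. The example below is added here and is not part of the original article or any vendor's product. It recognizes JPEG data by its Start-of-Image marker whatever the extension says, flags the mismatch, and walks the marker segments that precede the compressed image data to reject files whose declared segment lengths do not fit the JPEG specification (every variable-length segment carries a two-byte length that includes itself and must lie within the file). The sample files are constructed for illustration; the function and constant names are the example's own.

```python
"""Content-based JPEG identification and a structural sanity check.

Added example (not from the article). Demonstrates why extension-based
scanning fails and what a gateway scanner can check instead.
"""
import os

# Every JPEG begins with the Start-of-Image marker FF D8 followed by
# another marker byte FF, regardless of what the file is called.
JPEG_SOI = b"\xff\xd8\xff"
MARKER_EOI = 0xD9  # End of Image
MARKER_SOS = 0xDA  # Start of Scan: entropy-coded data follows
JPEG_EXTENSIONS = (".jpg", ".jpeg", ".jpe")


def looks_like_jpeg(data: bytes) -> bool:
    """Identify JPEG by content (magic bytes), not by file name."""
    return data[:3] == JPEG_SOI


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the bytes are JPEG but the extension claims otherwise,
    e.g. a .jpg renamed to .bmp or .tif."""
    ext = os.path.splitext(name)[1].lower()
    return looks_like_jpeg(data) and ext not in JPEG_EXTENSIONS


def jpeg_segments_well_formed(data: bytes) -> bool:
    """Walk the marker segments from SOI up to SOS or EOI.

    Each variable-length segment is FF <marker> <len_hi> <len_lo> ...;
    the length includes its own two bytes, so it must be >= 2 and the
    segment must fit inside the file. Anything else is malformed.
    """
    if not looks_like_jpeg(data):
        return False
    pos = 2  # skip SOI (FF D8)
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return False  # expected a marker here
        marker = data[pos + 1]
        if marker == 0xFF:  # padding byte before a marker
            pos += 1
            continue
        if marker == MARKER_EOI:
            return True
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2  # TEM / RSTn carry no length field
            continue
        if pos + 4 > len(data):
            return False  # length field cut off
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        if length < 2 or pos + 2 + length > len(data):
            return False  # length excludes itself or overruns the file
        if marker == MARKER_SOS:
            return True  # compressed data follows; headers are consistent
        pos += 2 + length
    return False  # ran off the end without SOS or EOI


def triage(name: str, data: bytes) -> str:
    """Classify a file the way a content-aware gateway scanner might."""
    if not looks_like_jpeg(data):
        return "not-jpeg"
    if not jpeg_segments_well_formed(data):
        return "malformed-jpeg"
    if extension_mismatch(name, data):
        return "jpeg-renamed"
    return "jpeg"


# Constructed samples (not real files from the article).
# Minimal JFIF APP0 segment: length 16 = 2 length bytes + 14 payload bytes.
_APP0 = b"\xff\xe0\x00\x10" + b"JFIF\x00" + b"\x01\x01" + b"\x00" \
    + b"\x00\x01\x00\x01" + b"\x00\x00"
_COM = b"\xff\xfe\x00\x04" + b"hi"  # comment segment, length 4
GOOD_JPEG = b"\xff\xd8" + _APP0 + _COM + b"\xff\xd9"
# Same APP0 header but the file ends before the declared 16 bytes.
TRUNCATED_JPEG = b"\xff\xd8" + b"\xff\xe0\x00\x10" + b"JFIF\x00"
BITMAP_LIKE = b"BM" + b"\x00" * 12  # starts like a real .bmp header

if __name__ == "__main__":
    for fname, blob in [("photo.jpg", GOOD_JPEG), ("photo.bmp", GOOD_JPEG),
                        ("photo.tif", TRUNCATED_JPEG), ("logo.bmp", BITMAP_LIKE)]:
        print(f"{fname}: {triage(fname, blob)}")
```

The renamed sample (`photo.bmp` holding JPEG bytes) is classified as JPEG because the scanner never consults the extension to decide the type; the extension only feeds the mismatch flag. Running the structural walk before the file is handed to any image decoder is what lets a gateway reject malformed images up front, at the bandwidth cost Hypponen describes.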

California-based Finjan Software called JpegOfDeath one of the greatest threats ever seen from the Internet. "[We believe] that the potential damage caused by this threat could be devastating in its global harm and outreach," said Finjan founder and chief executive Shlomo Touboul. "It would be equivalent to the most malicious Internet worm ever seen so far, comparable in magnitude and destructive potential to the Blaster and Sasser worms, which caused billions of dollars worth of damage to companies in recent years."

JpegOfDeath is now believed able to let an attacker take over a user's computer remotely by way of nothing more than the user browsing a Web page containing the malformed image file in Internet Explorer. Earlier on, the bug only activated when a user obtained the infected image by email or otherwise saved the image to their local disk. The code infects a machine when a user downloads what he thinks is the image and opens it in Windows Explorer.

"There has been so much interest in this vulnerability that someone is bound to do this," Hypponen said. "But saying that, there was a similar vulnerability found two months ago in bitmaps, and no one has exploited that yet." The operative word being yet.

Not that Microsoft has been quiet since JpegOfDeath graduated from possibility to presence September 28. On the same day, Microsoft lashed back at critics, saying it didn't consider JpegOfDeath all that high a risk to consumers, "given the amount of user action required to execute the attack." A company statement said it was continuing to probe the situation and provide additional resources and guidance.