JpegOfDeath Patch Feared Too Complex

The good news is there’s already a patch available to fix the Microsoft security flaw that lets attackers control Windows computers through the Microsoft digital image processing code. The bad news is the patch may be so complex that a lot of people won’t even bother downloading it.

That’s the apparent word from a number of security experts. "We talked to [computer network] administrators who thought their systems were patched when all they really did was install these scanning tools," TruSecure chief scientist Russ Cooper told a reporter. "I can see this creating confusion and a false sense of security for a lot of average computer users out there."

The so-called JpegOfDeath bug exploits the flaw in Windows XP, Server 2003, and Microsoft Office merely by getting users to open an e-mail or visit a Website containing an image they won’t know is infected with malicious code until they try to save or open it.

Patching Microsoft Office is believed to be especially difficult because it involves several steps: users who’ve never installed previous Office patches have to download and install those fixes before their machines will take the JpegOfDeath patch, according to the Washington Post. And you may need to have your original Office CD-ROM at hand to do it, the paper added.

At least one major Office user has even taken it to an extreme: the University of Richmond ripped Office out of faculty and staff computers and then reinstalled it on every last one of them. But that, according to security administrator Chris Faigle, was the easy part. The hard part was getting the students to take the manual steps needed to protect against JpegOfDeath.

"When we turned on automatic updates at registration time our intention was that students would get the updates and wouldn't have to mess with any of it," Faigle told the Post. "All we can do for now is get the word out there about the steps people need to take [to deal with] this and hope that our anti-virus tools save us if a worm or virus emerges in the meantime."