Security Companies Spot First JPEG Vulnerability Exploit

The first known malware exploiting the recently disclosed flaw in the .jpeg image-handling code of Microsoft operating systems may have been spotted by at least three Internet security companies.

For now, the threat assessment has been recorded as low.

“According to a post on the Bugtraq mailing list, somebody has been trying to post JPG images with the exploit code in them to adult usenet newsgroups,” Mikko Hypponen, the director of antivirus research for Finnish security firm F-Secure, said in a post on a company Weblog. Though he cautioned that the post in question was “misleadingly” titled “GDI virus,” it didn’t necessarily mean there was no threat at all.

Internet Security Systems said its research and development team had spotted the Trojan horse program, though it issued no details of the program’s makeup. “This critical… vulnerability in GDI dll .jpeg images processing,” the company said in a formal release, “was detailed in the Microsoft-issued Security Bulletin MS04-028.”

Symantec, maker of Norton AntiVirus, has put names on the malware, saying it may come in two versions: Hacktool.JPEGShell and Hacktool.JPEGDownload, the former also nicknamed JpegOfDeath.

“Hacktool.JPEGShell is a Trojan horse program that can be used to generate .jpg files that exploit the Microsoft GDI Library JPEG Segment Length Integer Underflow vulnerability [described in the Microsoft Security Bulletin MS04-028],” Symantec said. “The generated .jpg files are detected by Symantec Antivirus products as Bloodhound.Exploit.13.”
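The flaw Symantec names above is a segment-length underflow: every JPEG marker segment carries a 16-bit length that counts its own two bytes, so a value of 0 or 1 makes a parser that computes "length minus 2" wrap to a huge number. The following file scanner, an added example written for this article and not code from Symantec, ISS or Microsoft, walks a JPEG's marker segments and flags any whose length field is below 2; the two sample files are constructed inline.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM, SOI, EOI and the restart markers RST0-RST7.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def scan_jpeg(data: bytes) -> list:
    """Return a list of findings for a JPEG byte string.

    A segment whose length field is 0 or 1 is reported as the
    underflow condition behind MS04-028 (the field must be >= 2 because
    it includes itself). An empty list means no malformed headers."""
    findings = []
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        return ["not a JPEG: missing SOI marker"]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            findings.append(f"offset {pos}: expected 0xFF marker prefix")
            break
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte between markers, skip it
            pos += 1
            continue
        if marker in STANDALONE:
            if marker == EOI:
                break
            pos += 2
            continue
        if pos + 4 > len(data):
            findings.append(f"offset {pos}: truncated segment header")
            break
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if seg_len < 2:
            findings.append(
                f"marker 0xFF{marker:02X} at offset {pos}: "
                f"length {seg_len} < 2 (segment length underflow condition)")
            break
        if marker == SOS:           # entropy-coded data follows; header walk is done
            break
        pos += 2 + seg_len
    return findings


# Constructed samples: a COM segment holding "ABC" with a correct length of 5,
# and the same segment with a length of 1, which would wrap to 0xFFFF after "- 2".
GOOD_JPEG = bytes.fromhex("FFD8" "FFFE0005" "414243" "FFD9")
BAD_JPEG = bytes.fromhex("FFD8" "FFFE0001" "414243" "FFD9")
```

Running `scan_jpeg` over an image store or mail attachment quarantine gives a cheap pre-filter for this malformation independent of antivirus signatures.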

About Hacktool.JPEGDownload, which Symantec tools detect as a program named Download.Trojan, the company said it can download a URL hard-coded in the .jpeg file.

ISS said this new bug could leave numerous computers prone to attack, and not necessarily by way of the flaw in Windows XP and Server 2000 alone. “This critical Internet threat spans home users to enterprise critical infrastructure,” the company release continued. “Anyone using a program that processes JPEG images could be vulnerable to attack. This includes seemingly innocent images embedded in Web pages, e-mail, office documents and shared network materials. There is the potential for a network worm to gain access to an organization through exploitation of vulnerable Microsoft Outlook and Outlook Express clients.”

ISS said the prospective business impact could include an attacker exploiting the .jpeg coding vulnerability to take “complete control of an affected system, including installing programs; viewing, changing, or deleting data; or, creating new accounts with full privileges.”

Hypponen is cautioning people to, ahem, hold their horses – but be prepared to go to the whip, anyway. “Do note that these JPGs did not replicate, so this is not a virus – although the post in Bugtraq is misleadingly titled ‘GDI virus,’” he continued on the Weblog posting. “Apparently they tried to use these JPGs to download Trojans to vulnerable computers... but the download sites should be down by now. Things are heating up. Unfortunately I have a nasty feeling we might sooner or later see a mass-mailer worm using a JPG image as the attachment.”