Original Issue Date: 15th September 2004

Microsoft had announced a critical vulnerability in its software's handling of the ubiquitous JPEG graphics format and had released today the Microsoft Security Bulletin MS04-028 on details.

The security hole is a buffer overflow that potentially allows an attacker to craft a special JPEG file that would take control of a victim's machine when the user views it through Internet Explorer, Outlook, Word, and other programs. The poisoned picture could be displayed on a website, sent in e-mail, or circulated on a P2P network.

Machines running on Windows XP, Windows Server 2003 and Office XP are vulnerable. The older versions of Windows are also at risk if the user has installed any of a other Microsoft applications that use the same flawed code.

Windows XP Service Pack 2 does not contain the hole, but vulnerable versions of Office running atop it can still be attacked if not patched.

Details on this vulnerability and patches are available at:

Microsoft Security Bulletin MS04-028
http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx

MyCERT can be reached for assistance at:

Web: http://www.mycert.org.my
Email:
Tel: 03-89961901
Fax: 03-89960827
SMS: 019-2813801