Last week, Microsoft posted a notice about a vulnerability in the code that Windows (and a great many Windows applications) use to decode JPEG images. The MS04-028 announcement, “Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution,” states that merely opening a JPEG image (one that has been tinkered with by a hacker, of course) could permit your computer to be taken over: the crafted image makes the GDI+ library overrun a buffer, and the attacker’s code runs with whatever privileges the person viewing the picture has. We’ve seen this pattern before (well, not exactly this): a patch comes out, and then it takes an enterprising, fairly skilled malicious programmer a few days or weeks to figure out a way to take advantage of the millions of machines that won’t yet have patched. In this case, our friends over at the Internet Storm Center say that, three days after the patch came out, they had already seen two proof-of-concept programs that could actually take advantage of this hole. In the words of Marcus H. Sachs, one of the volunteers at the ISC, “Working exploit code is probably going to find its way into the public domain within a few days or a week. Then it’s up to the whims of somebody or some group to build and launch a malware attack using the newly developed exploits. Crystal ball says to look for a worm or mass-mailer by the end of September.” The bug requires you to patch not only Windows (Windows XP SP2 already ships a fixed GDI+, so the operating system itself is unaffected there), but any application that installed its own private copy of the vulnerable library, gdiplus.dll, alongside itself; a patched Windows does nothing for those copies. That includes:
* Your office applications suite (including all versions of Microsoft Office).
* Your browser (Internet Explorer renders JPEGs through the Windows copy of GDI+; Mozilla has some problems of its own).
* Any image-editing program you might use, including Photoshop, or PaintShop Pro.
* Image management software (such as ACDSee).
* RSS reader software.
It will be time-consuming to patch all those applications, and it’s possible you’ll miss a few along the way, so it’s probably best to get started now, before there’s a worm or virus that takes advantage of this bug. Patch Windows first, then search every drive for copies of gdiplus.dll: each one that an application installed for itself has to be replaced by that vendor’s update, and until its version is current, that program stays exploitable no matter how up to date Windows is.
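Until every copy of GDI+ is patched, it helps to be able to tell a crafted JPEG from an honest one at the mail gateway or on a file share. The scanner below is an added example, not code from the original post or from Microsoft or the ISC. It relies on one fact about MS04-028: the bug is triggered by a JPEG COM (comment) segment whose two-byte length field is 0 or 1. The length field counts itself, so the smallest legal value is 2; GDI+ computed the comment size as length minus 2 in an unsigned integer, the value wrapped, and the copy overran the heap. The code walks the marker segments of a JPEG header and flags any COM segment declaring a length under 2. The two sample files are constructed inline for this example (the offset 20 reported for the bad COM marker is a property of that constructed sample only), and the scanner stops at the start-of-scan marker, since the header segments are where this bug lives.

```python
"""Scan JPEG headers for the malformed COM segment that triggers MS04-028.

Added example with constructed sample data; these are not real exploit files.
"""
import struct
from typing import Iterator, List, Optional, Tuple

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Markers that carry no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def iter_segments(data: bytes) -> Iterator[Tuple[int, int, Optional[int]]]:
    """Yield (offset, marker, declared_length) for each header segment.

    Stops at SOS, because entropy-coded scan data follows it, and stops at
    the first segment whose length field is below 2, since no honest parser
    can advance by length - 2 from there.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI; not a JPEG")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker prefix 0xFF at offset {pos}")
        start = pos
        while pos < len(data) and data[pos] == 0xFF:  # 0xFF fill bytes are legal
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker in STANDALONE:
            yield start, marker, None
            if marker == EOI:
                return
            continue
        if pos + 2 > len(data):
            raise ValueError(f"truncated length field for marker 0x{marker:02X}")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        yield start, marker, length
        if marker == SOS or length < 2:
            return
        pos += length


def find_malformed_com(data: bytes) -> List[Tuple[int, int]]:
    """Return (offset, declared_length) for every COM segment with length < 2.

    The length field counts itself, so 2 is the smallest legal value (an empty
    comment). GDI+ computed the payload size as length - 2 in an unsigned
    integer; 0 or 1 wrapped to a huge value and the copy overran the heap.
    """
    return [(off, length) for off, marker, length in iter_segments(data)
            if marker == COM and length is not None and length < 2]


def _segment(marker: int, payload: bytes) -> bytes:
    """Build a well-formed marker segment (length field counts itself)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples for this example (assumptions, not real files).
_APP0 = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
BENIGN_JPEG = (b"\xff\xd8" + _APP0 + _segment(COM, b"hello")
               + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34" + b"\xff\xd9")
# COM marker at offset 20 declaring length 1, followed by filler bytes.
MALFORMED_JPEG = b"\xff\xd8" + _APP0 + b"\xff\xfe\x00\x01" + b"A" * 16 + b"\xff\xd9"


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_JPEG), ("malformed", MALFORMED_JPEG)):
        hits = find_malformed_com(blob)
        print(f"{name}: {'suspicious' if hits else 'ok'} {hits}")
```

A file that raises `ValueError` (truncated header, garbage where a marker should be) deserves the same suspicion as a flagged COM segment; a gateway filter should quarantine both rather than let an unparseable image through to a viewer that may be more forgiving than this scanner.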
