Microsoft warned its customers yesterday that several of the company's products are vulnerable to a flaw in the way that they handle JPEG images. Microsoft has issued a patch for the flaw, which it describes as critical because attackers can potentially use JPEG images to run malicious code on users' machines.
"The GDI+ security update for September 2004 addresses newly discovered issues in JPEG processing technology," the Microsoft security bulletin says. "This issue affects software that supports this image format, including some versions of Microsoft Windows, Microsoft Office, and Microsoft developer tools. If you have any of the listed software installed on your computer, you should install the related update."
Affected software includes Windows Server 2003; Windows XP; XP Service Pack 1 (SP1); Microsoft Internet Explorer (IE) 6.0 SP1; Office 2003; Office XP SP3; Microsoft Digital Image Pro 9 and 7.0; Microsoft Digital Image Suite 9; Microsoft Greetings 2002; Microsoft Picture It 2002, 9, and 7.0; Microsoft Producer for Microsoft Office PowerPoint (all versions); Microsoft Office Project 2003; Project 2002 SP1; Microsoft Office Visio 2003; Visio 2002 SP2; Visual Studio .NET 2003; Visual Studio .NET 2002; Microsoft .NET Framework 1.1; .NET Framework 1.0 SP2 and software development kit (SDK); and Platform SDK Redistributable: GDI+.
Don't wait to install this one, folks. Although no known exploits take advantage of the flaw yet, security researchers say you can be compromised simply by visiting a Web site or opening an email message that contains a maliciously constructed image. Microsoft advises users of any of the products listed above to download the patch immediately; different versions of the patch are available for the various software types. You can find these patches on the Microsoft Web site.