Software bug raises spectre of 'JPEG of death'
16:14 15 September 04
NewScientist.com news service
Flawed software code used by numerous Microsoft applications to render images mean that a specially constructed image file could hijack a computer or spread a virus.
Ten years ago the idea of an image infecting a computer was the subject of a hoax email. But what was once a myth is now a genuine threat after Microsoft disclosed a flaw in the image processing code used in a range of its software programs on Tuesday.
Some experts blame the new threat on shoddy programming. "In a properly coded world, a graphic should not be able to infect your computer," says Graham Cluley, senior researcher with the UK-based anti-virus firm Sophos. "It should be impossible."
So far, no one is known to have exploited the flaw and Cluley says it is far from certain anyone will develop a computer virus based on it. But code designed to exploit the bug could appear on the internet soon, and this is often the first step towards the creation of a hacking tool or virus based on the flaw.
Crafty programmer
A number of Microsoft operating systems and applications contain the relevant bug, including Windows XP, Windows Server 2003 and Office XP, as well as many smaller applications. Microsoft has released downloadable fixes for affected software, available from the Microsoft TechNet site here.
The affected code has a so-called "buffer overrun" flaw. The buffer is a protected part of the computer memory, but flaws can mean that excessive input data can overrun into unprotected parts of a memory. A crafty programmer can use such a flaw to execute unauthorised code on a computer, potentially providing themselves with a point of entry in order to take complete control.
The hoax email message released in 1994 warned of a JPEG virus that could have severe consequences for the unlucky recipient.
"If you use a 386/486/Pentium machine to display your JPEG pictures, then you are at risk of catching the JPEG virus," the message read. "Although the JPEG virus is nominally benign, it can cause some multisync monitors to malfunction, effectively destroying the monitor."
A virus based on the new software flaw should not be able to damage a victim's monitor, but Rob Rosenberg, editor of the debunking site Vmyths.com, notes that the hoax could come back to haunt people.
"In '94 it was a myth, but in '04 it's the real thing," he told the computer security web site SecurityFocus. "We've got the JPEG of death now."
Will Knight
http://www.newscientist.com/news/news.jsp?id=ns99996408