Most security experts agree Microsoft's .jpg vulnerability is a serious hole users should patch immediately. But while some call it a recipe for disaster that attackers are ready to pounce on, others say the threat has been hyped beyond reason.
The information security community was abuzz Wednesday over MS04-028. Microsoft issued the patch advisory Tuesday to fix a "critical" buffer overrun vulnerability in the processing of .jpg image formats that could let an attacker take complete control of affected machines to launch malicious code, change or delete data or create new accounts with full privileges. Affected products include Microsoft Windows, Office, Graphics Application and Developer Application.
Several security vendors e-mailed press statements or posted messages on their Web sites warning that attackers could easily exploit the flaw at any time.
Ken Dunham, director of malicious code for Reston, Va.-based iDefense Inc., said in an e-mailed statement Wednesday: "Hackers are already actively discussing the new .jpg vulnerability and how to exploit it. Within the first 24 hours following the announcement by Microsoft, hackers have shared multiple details about the vulnerability and have voiced an interest in obtaining exploit code as soon as possible."
Graham Cluley, senior technology consultant for Lynnfield, Mass.-based Sophos, warned on the company's Web site: ".Jpg images are commonly used for graphics on Web sites and digital photographs so this vulnerability is extremely serious." He also warned that Windows XP Service Pack 2 may be at risk from the flaw, even though Microsoft said it isn't vulnerable.
"Although the Windows XP SP2 operating system is not reported as having the vulnerability, if you are running programs on XP SP2 which contain the flaw, such as Microsoft Office, you could be putting your computer at risk," Cluley said.
Those who believe the attack potential is overstated dashed off their own Web messages.
"As the panic over [Tuesday's] MS04-028 patch … begins spiraling wildly out of control, I'd like to offer myself up as a calm, reasonable head in this tumult of madness," Cory Altheide, a handler for the Bethesda, Md.-based SANS Internet Storm Center, half-joked in Wednesday's Handler's Diary. "Some may suggest disabling or stripping .jpg images to prevent slow patchers from being annihilated by a .jpg of doom. I, for one, say this is folly, as it leaves end users open to attack from .tiffs & .gifs, .pngs & .mngs, not to mention the near DoS-level bandwidth consumption of .bmps!!!"
Rob Rosenberger, editor of Vmyths.com, an online publication dedicated to "the eradication of computer virus hysteria," believes warnings over this flaw are yet another example of needless panic.
"Vmyths believes media outlets will pounce on this story, because … Microsoft announced a 'critical' vulnerability in the way its software reads a ubiquitous file type, and … computer emergency response teams have issued their own alerts," Rosenberger said on Vmyths.com.
"Microsoft's '.jpg Processor' vulnerability manifests itself as a buffer overrun in a piece of software," Rosenberger said. "It is not caused by the .jpg file format itself. Buffer overruns are extremely common: You'll find them in almost every large software application (even antivirus software). They can create situations where even a filename itself can wreak havoc. By definition, every buffer overrun will eventually join its brothers in the land of obscurity."
He added, "Vmyths urges you to download the patch, install it and get on with your life."
Though some see this vulnerability as more of a threat than others, there appeared to be general agreement that users shouldn't be crawling under their desks.
"The message … is not to panic but to calmly patch your computers now before a virus writer or hacker tries to exploit the loophole and attack innocent users' computers," Cluley said.