Security specialists picture bad things from .jpg flaw

At times, the information security industry can sound downright alarmist. In the case of the .jpg vulnerability, that tone may be justified.

Administrators have been feverishly working on an extremely complex patch deployment, while virus writers are steadily marching closer to a widespread exploit -- first with a proof-of-concept, then a how-to kit, and most recently with a tryout in porn newsgroups and popular instant messaging applications.

Microsoft issued a patch for the flaw on Sept. 14, but because it affects so many Microsoft products -- everything from Windows to Office to FrontPage -- it is giving administrators fits.

Admins swapping war stories and advice about the .jpg vulnerability on mailing lists like PatchManagement.org have reported that Microsoft's Software Update Services hasn't been much help in deploying the patch across such a wide swath of software. However, many praised third-party tools from Configuresoft, Ecora and Shavlik for their effectiveness.

Still, the frustration level is high. As one infrastructure analyst wrote to her peers, "I think we're all in agreement that MS04-028 is pretty ugly and time consuming."

Only time will tell whether this is the next Blaster, but the stakes are high for admins, since one gullible user opening an infected image could expose an enterprise to a devastating remote attack.

Elsewhere in the news

Gartner has released a new research report that offers a startling conclusion about desktop Linux: 40% of all Linux-based PCs sold in North America and Europe will later have that operating system replaced with an illegal copy of Windows. In other parts of the world, the Linux-to-pirated-Windows rate is 80%, according to the report, authored by Gartner principal analyst Annette Jump.

Another piece of research, albeit an old one, is also raising some eyebrows. This week, Meta Group defended a July research report that concluded that the total cost of ownership of Exchange Server is 52% cheaper for small businesses than IBM/Lotus' Domino platform. Microsoft paid for the research, but Meta said that doesn't mean the results are invalid.

The Internet Engineering Task Force has pulled the plug on its Sender ID working group. The death of MARID came shortly after two high-profile open source organizations balked at signing free licenses for Microsoft-patented technology in the proposed e-mail authentication protocol. Soon after, AOL bailed on Sender ID and the standards effort came to a screeching halt. Some think Sender ID will end up as a de facto standard. Others say it's only a small piece of the antispam puzzle anyway.

Redmond has added a new component to its software licensing program. With a so-called step-up license, Software Assurance customers will be able to make a free switch from the standard edition of many Microsoft products to an enterprise edition. Among the products included in the program are Windows Server 2003, Exchange Server and SQL Server.

Are you a fan of Wikis? If so, you'll now have more opportunities to build them. Wiki Web pages are those that allow anyone to create and edit content. This week, Microsoft donated its Wiki code -- FlexWiki -- to the open source community. It's the third piece of code the software maker has posted this year to SourceForge.net, which appears to be Microsoft's favored link to the open source world.

Microsoft's appeal of the landmark European Union antitrust ruling got under way this week in Luxembourg. The Court of First Instance heard Redmond's argument that the company would be irreparably harmed if it were forced to reveal its proprietary product information.

Note: This column originally appeared on SearchWin2000.com.
