Microsoft has warned users of a critical flaw that could
enable a hacker to gain control of their computers by using
corrupted JPEG images held on a website.
In security bulletin MS04-028, Microsoft urged users to update
their systems.
Most older Microsoft products, including Windows NT 4.0, Internet
Explorer 5.5, Windows Me and Windows 98, are unaffected. However,
Windows XP, Windows 2003 and Office 2003 are among 24 products and
service packs that contain the flaw.
By default, Windows 98, 98 SE, Me, NT 4.0, 2000, and XP Service
Pack 2 are not vulnerable to this exploit. However, the vulnerable
component could be installed on these operating systems. Microsoft
advised users to install the appropriate security update for those
applications.
Richard Brain, technical director at security consultancy
Procheckup, said, "For such a widely used format, Microsoft should
have done something far sooner." He said JPEG exploits have existed
since 1994.
Microsoft said a hacker could not force users to visit a malicious
website, but would attempt to persuade them to visit the site,
typically by getting them to click a link.