Computer code that takes advantage of a flaw in the way many Microsoft applications process JPeg images has been published on the internet and could be a precursor to actual attacks on vulnerable PCs, experts said.
The code was published late last week, only days after Microsoft revealed the "critical" vulnerability and made available patches to fix the problem. Any application that processes JPeg images could be vulnerable. A wide range of Microsoft software, including versions of its Windows and Office products, are also vulnerable.
So far only "proof-of-concept" code has been published, which can cause a vulnerable web browser to crash or a PC to freeze. A fully developed exploit would allow an attacker to take control of a victim's computer by remotely opening a command prompt or downloading and running malicious software, one expert said.
"Typically a proof of concept is a first step towards a full blown exploit," said Johannes Ullrich, chief technology officer at The SANS Institute's Internet Storm Center. "It is an indication that people are playing with it and experimenting to try and get it to work for other purposes, typically to open a remote shell or download and execute code."
Microsoft is aware of the exploit code and is investigating the matter, a company spokeswoman said.
"Microsoft’s early investigation of this code indicates that it can cause a computer that does not have [the patches] installed to stop responding, but it does not execute code remotely," she said.
Microsoft urges all customers to immediately install the software updates it made available with Security Bulletin MS04-028. Customers who are still testing the patches should implement the workaround steps outlined in the bulletin, the software maker said.
The pattern to exploitation of the JPeg vulnerability is not much different than with other vulnerabilities, according to the SANS Institute's Internet Storm Center. Typically proof-of-concept code is published a few days after details of the flaw are released followed by a hunt to fully exploit the flaw. A worm or mass mailer is likely to surface by the end of the month.
While the race is on to create malicious code, the possibility for large scale exploitation of the JPeg processing appears to be weakening.
To take advantage of the flaw, an attacker would have to persuade a user to open a specially crafted image file. The image could be hosted on a website, included in an e-mail or Office document or hosted on a local network, Microsoft said last week.
The supplier rates the flaw "important' for many of its products, but "critical" for Outlook versions 2002 and 2003, Internet Explorer 6 with Service Pack 1, Windows XP and Windows XP with Service Pack 1, Windows Server 2003, and the .net Framework 1.0 with Service Pack 2 and .net Framework 1.1.
Joris Evers writes for IDG News Service