Last Updated: Thursday, 16 September, 2004, 09:08 GMT 10:08 UK
Image flaw exposes Windows PCs
Computer users could be open to attack from malicious hackers because of the way that Windows displays some images.

Microsoft has issued a warning about a critical vulnerability in Windows that could let carefully crafted pictures act as bearers of malicious code.

The flaw was found in the code that the operating system and other Windows programs use to display images prepared in the popular Jpeg format.

The vulnerability has been found in more than a dozen Microsoft programs.

Millions affected

At-risk programs include Windows XP, Office 2003, Windows Server 2003, Internet Explorer 6 plus some versions of Digital Image Pro and Picture It.

The software giant urged all users who are at risk to download and install a patch for the vulnerability.

VULNERABLE PROGRAMS
Windows XP
Windows XP Service Pack 1
Windows Server 2003
Internet Explorer 6 SP1
Office XP SP3
Office 2003
Digital Image Pro 7.0
Digital Image Pro 9
Digital Image Suite 9
Greetings 2002
Picture It! 2002
Picture It! 7.0
Picture It! 9
Producer for PowerPoint
Project 2002 SP1
Project 2003
Visio 2002 SP2
Visio 2003
Visual Studio .NET 2002
Visual Studio .NET 2003
Microsoft has also produced a tool that helps users find out if they are running software that contains the vulnerable computer code.

It said that the flaw could only be exploited if users are tricked into opening an image crafted to exploit the vulnerability.

Anyone falling victim to the loophole could have their computer taken over by an attacker.

Microsoft said that it had no evidence that the Jpeg loophole was being actively exploited.

However, because Internet Explorer is one of the vulnerable programs, it is theoretically possible that someone could fall victim to a virus written to exploit the flaw just by visiting a website that used such carefully crafted images.

Any image written to exploit the flaw could prove successful, because people have previously fallen victim to e-mail viruses when they clicked on attachments that claimed to be a picture.

The flaw in the way that Windows handles the popular Jpeg file format is called a buffer over-run.

Many old viruses have used buffer over-runs to get malicious code on to target machines.

The advisory about the Jpeg flaw is the 28th advisory that Microsoft has issued this year. Often these advisories detail several vulnerabilities. One advisory issued in April mentioned more than 20 separate loopholes in Windows XP.

Microsoft said that anyone who has downloaded and installed the SP2 update for Windows XP is not at risk from this vulnerability.

However, anti-virus firm Sophos said those who have installed SP2 should not be complacent.

"If you are running applications on XP SP 2 which do have the flaw you could be putting your computer at risk," said Graham Cluley from anti-virus firm Sophos.

Mr Cluley urged users in such a situation to download and apply the patch.

