Microsoft has managed to create a security flaw that means Windows users can be attacked through image files.
Traditionally, image files have been considered a safe harbour, with the exception of virus infections. Now, Microsoft is warning that the way its applications process JPEGs could allow attackers to gain control over a Windows computer.
Any application that processes JPEGs could be vulnerable, Microsoft said in Security Bulletin MS04-028.
To take advantage of the flaw, an attacker would have to persuade a user to open a specially crafted image file. The image could be hosted on a Web site, included in an email, Office document or hosted on a local network, Microsoft said.
A wide range of Microsoft software, including various versions of its Windows and Office products, is vulnerable. Additionally, applications created with Microsoft's Visual Studio developer tool or the.Net Framework and third-party applications that distribute their own copy of the vulnerable JPEG parsing engine may also be vulnerable, Microsoft said.
Along with the Security Bulletin, Microsoft made available software updates to correct the flaw in its products. The software maker also offers a tool to scan a PC for certain installed products that are known to contain the vulnerable JPEG image processing engine.
Microsoft rates the flaw "important' for many of its products, but "critical" for Outlook versions 2002 and 2003, Internet Explorer 6 with Service Pack 1, Windows XP and Windows XP with Service Pack 1, Windows Server 2003, and the .Net Framework 1.0 with Service Pack 2 and .Net Framework 1.1, according to the Security Bulletin.
The JPEG flaw was reported privately to Microsoft and it was not disclosed prior to the Tuesday release of the warning and patches, the software maker said. There have been no reports of the issue being exploited, Microsoft said.