Recent flaws in the way Microsoft processes common Internet image files and a decision to offer IE updates only to Windows XP users lead to just one logical conclusion: bail on Microsoft Internet Explorer.
Can you imagine the Internet without pictures? A new flaw in the way Windows, and therefore Internet Explorer, renders JPEG images–one of the most common image formats on the Web–should make you think twice about whether you should display them. At the very least, it should nudge you into considering an alternative Internet browser, such as Firefox.
The code to exploit this flaw is now public. Usually, exploit code release is the first step toward a new virus or worm, and as we have seen before, the time from exploit to virus is generally about two to three weeks. In other words, the clock is ticking.
The GDIplus vulnerability, in a nutshell
If you use a Windows operating system older than Windows 2000 or have already updated to Windows XP SP2, you’re immune to the flaw. There are many ways to render JPEGs, but the Graphic Device Interface plus DLL, or gdiplus.dll, is enabled only in Windows 2000 and Windows XP. Because gdiplus.dll is vulnerable to a buffer overflow attack, malicious code lurking inside an infected JPEG file could allow new, potentially malicious code to take over the use of your computer (or, at the very least, crash it). Unfortunately, the apps that run in Windows 2000 and XP are also vulnerable.
Microsoft Office is vulnerable
The list of these vulnerable apps is not short and includes:
- Microsoft .Net Framework 1.x
- Picture It Digital Image Pro 7.x and 9.x
- Digital Image Suite 9.x
- FrontPage 2002
- Greetings 2002
- Internet Explorer 6.0
- Office 2003 Professional Edition
- Office 2003 Small Business Edition
- Office 2003 Standard Edition
- Office 2003 Student and Teacher Edition
- Office XP
- Outlook 2003 and 2002
- Picture It 2002, 7.x, and 9.x
- PowerPoint 2002 and PowerPoint 2003
- Project 2002 and Project 2003
- Publisher 2002
- Visio 2002, Visio 2003
- Visual Studio .Net 2002 and 2003
- Word 2002
Now, what happens if you patch your system with Windows XP SP2, then load one of the above apps? Believe it or not, the potential exists for that app to overwrite the patched gdiplus.dll with an older, more vulnerable version. You can see what a nightmare this has become already. Thus, Microsoft has posted a free online tool to assess the current vulnerability of your computer.
What if you don’t use Microsoft apps on your Windows computer? Surprisingly, your solution might be even more complicated.
Macromedia products not vulnerable
Some non-Microsoft apps, such as those from Macromedia, also regularly use JPEG files. Turns out, some Macromedia apps do install the vulnerable gdiplus.dll, but they actually use the Microsoft graphics library instead to process JPEGs. That means products such as Macromedia Contribute, Dreamweaver, Fireworks, Flash, Flashpaper, FreeHand, RoboSource Control, and Studio MX are not affected by the GDI flaw. Nonetheless, if you do load any of these apps after you’ve patched your system, make sure they don’t overwrite the patched version of gdiplus.dll. To find out more about software vulnerability to this flaw, see this US-CERT document for more details.
Microsoft: Upgrade to Windows XP or else In a separate but related development, Microsoft announced that future security enhancements for its Internet Explorer will be available through its Windows XP update service only. By refusing to offer separate security enhancements for Internet Explorer, which is the main vector for any JPEG-related worm or virus, Microsoft is essentially saying that anyone who hasn’t yet upgraded to Windows XP won’t be protected from future exploits. The average cost to upgrade to Windows XP is about AU$150; you do the math.
Firefox is a start but not the whole solution If you’ve taken my past advice, you’ve already bailed on Internet Explorer and installed Mozilla Firefox as your default Internet browser. For the most part, you can avoid the JPEG flaw, right? Wrong. Because Microsoft bundles IE deep within Windows, you can’t avoid IE by not using it. For example, say you get an HTML e-mail message from someone that includes a JPEG image. If you’re using Outlook 2002 or earlier, it calls on IE to render that image. The same is true for Microsoft Word and other Office apps that offer a Web view. Outlook 2003 at least gives you the option of viewing an image or not, but should you choose to view it, Outlook 2003 will still call IE. You can remove Internet Explorer from Windows, but it would take a column twice as long as this to cover all the Registry settings and such you’d need to tweak to do so.
Source: Zdnet
I am the one of those who rally against the status quo: The Capitalist Hegemony. I take side with those who are oppressed world-wide. The Capitalists should end intervention in the Muslim World. If not, resistance is inevitable by any means possible. As promised through revelation, they will rise Caliphate which is feared and prevented by the Capitalist power. Capitalist agents/ puppet rulers will be removed throughout the Muslim World.
