Microsoft has released a critical update for a buffer
overrun vulnerability related to image files displayed in Windows XP, Internet Explorer
6, .NET Framework, Microsoft Outlook, and Windows Server 2003. Microsoft warns
that, since the component is sometimes installed by third-party software, you
can still be vulnerable even after installing all updates, including the
security updates provided with Microsoft Security Bulletin MS04-028.
In addition, there is an important Security Bulletin for
WordPerfect Converter that can allow remote code execution.
The threat lies in the way JPEG image files are processed
and, as mentioned above, can exist even in fully patched systems because there
are third-party applications that will remain vulnerable.
The problem lies in the GDI (Graphics Device Interface)
driver that processes the way JPEG image files are displayed. The threat can be
exploited in any Microsoft or third-party application using GDI. GDI is the
Win32 API that gives Windows applications access to the tools necessary to
display both 2D graphics and specially-formatted text, both for video displays
Because this threat is so widespread in Microsoft
applications, the vendor has provided a GDI
detection tool as described in the Microsoft
Knowledge Base Article 873374. It is important to read the knowledge base article
before downloading the GDI tool because obtaining it one way will only allow
you to run it one time, and there has already been a major update to this knowledge
base article (version 2.0).
Microsoft says it is not aware of any exploitation of this
threat and had not seen any proof-of-concept code as of
September 14, 2004.
Another Microsoft Security Bulletin, MS04-027,
addresses a remote code execution threat posed by a vulnerability found only in
the WordPerfect document converter used by some versions of Microsoft Word and
Microsoft Office. You should be suspicious of any Microsoft installation that has
the ability to convert Corel WordPerfect 5-formatted documents. Also, note that
the problem lies in the Microsoft decoder code, not in the Corel product.
For MS04-028 (JPEG GDI), the following operating systems are
Windows Server 2003 and Windows Server 2003 64-Bit Edition
Windows XP and Windows XP 64-bit Edition.
Windows XP SP1 and Windows XP 64-bit Edition SP1
Windows XP 64-Bit Edition Version 2003
The default installation of the above operating systems
contains the vulnerable component; however, the component may have also been
installed on other operating systems after the default installation, so other
versions of Windows are not immune from this threat.
For MS04-028, the following Microsoft applications are also
.NET Framework, Version 1.0 SDK
Office System 2003 and Office XP SP3
Picture It! 2002, Picture It! version 7.0 and 9
Producer for Microsoft PowerPoint (all versions)
Project 2002 and 2003
Visio 2002 and 2003
Platform SDK Redistributable: GDI+
Visual Basic .NET Standard 2002 and VB .NET Standard 2003
Visual C# and Visual C++ .NET Standard 2002 and Visual C# and Visual C++ .NET
Visual J# .NET Standard 2003
Visual Studio .NET 2002 and 2003
Digital Image Pro and DI Suite version 9
Digital Image Pro version 7.0
In addition, third-party applications developed with the
above-listed Microsoft tools or which distribute their own copy of the component
containing the buffer overrun will also be affected.
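
Because patched systems can still carry extra copies of the component shipped by third-party software, an inventory of every copy on disk is the practical check. The following is an added example, not Microsoft's detection tool and not code from this article: it walks a directory tree (a live drive or a mounted disk image), reads each copy's file version from its version resource, and marks copies for review. The file name gdiplus.dll is an assumption (this page does not name the file), and the baseline version is supplied by the operator from the vendor bulletin.

```python
import os
import struct
import sys

FIXEDFILEINFO_SIG = struct.pack("<I", 0xFEEF04BD)  # VS_FIXEDFILEINFO.dwSignature
COMPONENT = "gdiplus.dll"  # assumption: file name of the GDI+ component


def file_version(data):
    """Return (major, minor, build, revision) from a version resource, or None."""
    pos = data.find(FIXEDFILEINFO_SIG)  # heuristic: first signature match wins
    if pos < 0 or pos + 16 > len(data):
        return None
    # Fields in order: dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS
    _, _, ms, ls = struct.unpack_from("<4I", data, pos)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)


def find_copies(root, baseline):
    """List every copy of the component under root as (path, version, review).

    baseline is the first fixed version of one version branch, taken by the
    operator from the vendor bulletin. A copy is marked for review when its
    version is unreadable, older than baseline, or from another branch.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != COMPONENT:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    version = file_version(fh.read())
            except OSError:
                version = None
            # Versions from a different major.minor branch cannot be compared
            review = (version is None or version[:2] != baseline[:2]
                      or version < baseline)
            findings.append((path, version, review))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python find_copies.py ROOT MAJOR.MINOR.BUILD.REVISION
    base = tuple(int(p) for p in sys.argv[2].split("."))
    for path, version, review in find_copies(sys.argv[1], base):
        shown = ".".join(map(str, version)) if version else "unknown"
        print(f"{'REVIEW' if review else 'ok':6} {shown:20} {path}")
```
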
For Microsoft Security Bulletin MS04-027 (WordPerfect 5
Converter threat), the following Microsoft applications are vulnerable:
Works Suite 2001, 2002, 2003, and 2004
Office 2003, Word 2003, FrontPage 2003, and Publisher 2003
Office 2000 with SP3, Word 2000, FrontPage 2000, and Publisher 2000
Office XP SP 3, Word 2002, FrontPage 2002, and Publisher 2002
Office 2003 with Service Pack 1 installed is not vulnerable.
Risk level – Critical
For the JPEG GDI vulnerability, the risk is critical. Microsoft
rates the WordPerfect 5.x Converter vulnerability as important, because many
users don’t utilize the converter. For those who open Corel WordPerfect 5.x
documents, it may be a critical vulnerability because, based on the user’s
access permissions, an attacker can gain the ability to run arbitrary code on
Windows XP SP2 is not vulnerable to the JPEG display threat.
The WordPerfect Converter threat applies only to WordPerfect
5 documents. WordPerfect 6 documents are in a different format and are
converted by wpft632.cnv, which is not affected. If you never open a
WordPerfect 5 document, then the vulnerable component will never be accessed
and you are not vulnerable; however, such documents may be included in e-mail
attachments and opening such an attachment will trigger the attack if the
document is from a malicious individual. As mentioned above, Office 2003 with
SP1 installed is not vulnerable to the WordPerfect converter threat.
Fix – Apply patches
A simple workaround for the JPEG threat in Outlook is to
view e-mails in text-only mode. In general, this is always a good idea because
it avoids various malware threats that can be hidden in images. See Microsoft
Knowledge Base Article 307594 for instructions on configuring Outlook 2002
(XP starting with SP1) to open untrusted and unencrypted e-mails in plain text
format. (Please note that this involves modifying the Windows Registry and
should only be attempted by those with extensive knowledge of the dangers
involved in registry edits.) Microsoft
Knowledge Base Article 291387 covers plain-text display in Outlook Express
Besides refusing any WordPerfect 5 format documents, a
workaround for the WordPerfect 5 Converter threat is to uninstall the Converter,
which is an Office Shared Feature. Note that the problem only lies in the
default WordPerfect 5 document format. WordPerfect 5 users can simply save
documents in other formats that are not affected.
Because we are now publishing this column on an expedited
schedule, look for any updates to these bulletins in the discussion of this
article. The information on these threats was based on the original (version
1.0) bulletin releases.