Microsoft has released a critical update for a buffer
overrun vulnerability related to image files displayed in Windows XP, Internet Explorer
6, .NET Framework, Microsoft Outlook, and Windows Server 2003. Microsoft warns
that, since the component is sometimes installed by third-party software, you
can still be vulnerable even after installing all updates, including the
security updates provided with Microsoft Security Bulletin MS04-028.

In addition, there is an important Security Bulletin for
WordPerfect Converter that can allow remote code execution.


The threat lies in the way JPEG image files are processed
and, as mentioned above, can exist even in fully patched systems because there
are third-party applications that will remain vulnerable.

The problem lies in the GDI (Graphics Device Interface)
driver that processes the way JPEG image files are displayed. The threat can be
exploited in any Microsoft or third-party application using GDI. GDI is the
Win32 API that gives Windows applications access to the tools necessary to
display both 2D graphics and specially-formatted text, both for video displays
and printouts.

Because this threat is so widespread in Microsoft applications, the vendor
has provided a GDI detection tool as described in the Microsoft Knowledge
Base Article 873374. It is important to read the knowledge base article
before downloading the GDI tool because obtaining it one way will only allow
you to run it one time, and there has already been a major update to this
knowledge base article (version 2.0).

Microsoft reports that the company is not aware of any
reports that this threat has been exploited and hasn’t seen any proof of
concept code as of September 14, 2004.

Another Microsoft Security Bulletin, MS04-027,
addresses a remote code execution threat posed by a vulnerability found only in
the WordPerfect document converter used by some versions of Microsoft Word and
Microsoft Office. You should be suspicious of any Microsoft installation that has
the ability to convert Corel WordPerfect 5-formatted documents. Also, note that
the problem lies in the Microsoft decoder code, not in the Corel product.


For MS04-028 (JPEG GDI), the following operating systems are

  • Windows Server 2003 and Windows Server 2003 64-Bit Edition
  • Windows XP and Windows XP 64-bit Edition
  • Windows XP SP1 and Windows XP 64-bit Edition SP1
  • Windows XP 64-Bit Edition Version 2003

The default installation of the above operating systems
contains the vulnerable component; however, the component may have also been
installed on other operating systems after the default installation, so other
versions of Windows are not immune from this threat.

For MS04-028, the following Microsoft applications are also

  • .NET Framework, Version 1.0 SDK
  • Microsoft Office System 2003 and Office XP SP3
  • Picture It! 2002, Picture It! version 7.0 and 9
  • Picture It! Library
  • Producer for Microsoft PowerPoint (all versions)
  • Microsoft Project 2002 and 2003
  • Microsoft Visio 2002 and 2003
  • Platform SDK Redistributable: GDI+
  • Visual Basic .NET Standard 2002 and VB .NET Standard 2003
  • Visual C# and Visual C++ .NET Standard 2002 and Visual C# and Visual C++
    .NET Standard 2003
  • Visual J# .NET Standard 2003
  • Visual Studio .NET 2002 and 2003
  • Digital Image Pro and DI Suite version 9
  • Digital Image Pro version 7.0
  • Greetings

In addition, third-party applications developed with the
above-listed Microsoft tools or which distribute their own copy of the component
containing the buffer overrun will also be affected.
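
Because privately bundled copies survive operating system patching, an inventory of every copy on disk is a useful triage step. The script below is an added example, not Microsoft's detection tool or code from this article; the default file name gdiplus.dll is an assumption (the usual name of the GDI+ library, which the article does not name), and the fixed version must be supplied from the bulletin because products can ship different version branches.

```powershell
# Added example: list every copy of a shared DLL and flag copies whose
# file version is lower than a fixed version supplied by the operator.
param(
    # Assumption: gdiplus.dll is the usual file name of the GDI+ library;
    # the article itself does not name the file.
    [string]$FileName = 'gdiplus.dll',

    # Take this value from the vendor bulletin; none is assumed here.
    [Parameter(Mandatory = $true)]
    [version]$FixedVersion,

    # Folders to search; defaults to the whole system drive.
    [string[]]$Roots = @("$env:SystemDrive\")
)

function Get-ComponentCopy {
    param([string]$Name, [string[]]$SearchRoots, [version]$MinVersion)

    # -Force includes hidden folders; unreadable folders are skipped quietly.
    Get-ChildItem -Path $SearchRoots -Filter $Name -File -Recurse -Force `
                  -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            # Build the version from the numeric resource fields, because the
            # FileVersion string can carry free text after the numbers.
            # A file with no version resource yields 0.0.0.0 and is flagged.
            $ver = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                  $vi.FileBuildPart, $vi.FilePrivatePart)
            [pscustomobject]@{
                Path     = $_.FullName
                Version  = $ver
                Outdated = $ver -lt $MinVersion
            }
        }
}

# Outdated copies sort to the top; the folder shows which application owns each.
Get-ComponentCopy -Name $FileName -SearchRoots $Roots -MinVersion $FixedVersion |
    Sort-Object Outdated -Descending |
    Format-Table -AutoSize
```

Treat the output as a list to check against the bulletin, since a single version threshold may not fit every product that ships the component.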

For Microsoft Security Bulletin MS04-027 (WordPerfect 5
Converter threat), the following Microsoft applications are vulnerable:

  • Microsoft Works Suite 2001, 2002, 2003, and 2004
  • Office 2003, Word 2003, FrontPage 2003, and Publisher 2003
  • Office 2000 with SP3, Word 2000, FrontPage 2000, and Publisher 2000
  • Office XP SP 3, Word 2002, FrontPage 2002, and Publisher 2002

Office 2003 with Service Pack 1 installed is not vulnerable.

Risk level – Critical

For the JPEG GDI vulnerability, the risk is critical. Microsoft
rates the WordPerfect 5.x Converter vulnerability as important, because many
users don’t utilize the converter. For those who open Corel WordPerfect 5.x
documents, it may be a critical vulnerability because, based on the user’s
access permissions, an attacker can gain the ability to run arbitrary code on
vulnerable systems.

Mitigating factors

Windows XP SP2 is not vulnerable to the JPEG display threat.

The WordPerfect Converter threat applies only to WordPerfect
5 documents. WordPerfect 6 documents are in a different format and are
converted by wpft632.cnv, which is not affected. If you never open a
WordPerfect 5 document, then the vulnerable component will never be accessed
and you are not vulnerable; however, such documents may be included in e-mail
attachments and opening such an attachment will trigger the attack if the
document is from a malicious individual. As mentioned above, Office 2003 with
SP1 installed is not vulnerable to the WordPerfect converter threat.

Fix – Apply patches

A simple workaround for the JPEG threat in Outlook is to view e-mails in
text-only mode. In general, this is always a good idea because it avoids
various malware threats that can be hidden in images. See Microsoft Knowledge
Base Article 307594 for instructions on configuring Outlook 2002 (XP starting
with SP1) to open untrusted and unencrypted e-mails in plain text format.
(Please note that this involves modifying the Windows Registry and should
only be attempted by those with extensive knowledge of the dangers involved
in registry edits.) Microsoft Knowledge Base Article 291387 covers plain-text
display in Outlook Express.

Besides refusing any WordPerfect 5 format documents, a
workaround for the WordPerfect 5 Converter threat is to uninstall the Converter,
which is an Office Shared Feature. Note that the problem only lies in the
default WordPerfect 5 document format. WordPerfect 5 users can simply save
documents in other formats that are not affected.

Final word

Because we are now publishing this column on an expedited
schedule, look for any updates to these bulletins in the discussion of this
article. The information on these threats was based on the original (version
1.0) bulletin releases.