Microsoft discloses critical flaw in the way Windows handles JPEG files

Here are the details of Microsoft Security Bulletin MS04-028, which reveals that a variety of popular Microsoft software is vulnerable to a flaw in the GDI driver that processes the display of JPEGs.

Microsoft has released a critical update for a buffer overrun vulnerability related to image files displayed in Windows XP, Internet Explorer 6, .NET Framework, Microsoft Outlook, and Windows Server 2003. Microsoft warns that, since the component is sometimes installed by third-party software, you can still be vulnerable even after installing all updates, including the security updates provided with Microsoft Security Bulletin MS04-028.

In addition, there is an important Security Bulletin for WordPerfect Converter that can allow remote code execution.


The threat lies in the way JPEG image files are processed and, as mentioned above, can exist even in fully patched systems because there are third-party applications that will remain vulnerable.

The problem lies in the GDI (Graphics Device Interface) driver that processes the way JPEG image files are displayed. The threat can be exploited in any Microsoft or third-party application using GDI. GDI is the Win32 API that gives Windows applications access to the tools necessary to display both 2D graphics and specially-formatted text, both for video displays and printouts.

Because this threat is so widespread in Microsoft applications, the vendor has provided a GDI detection tool as described in the Microsoft Knowledge Base Article 873374. It is important to read the knowledge base article before downloading the GDI tool because obtaining it one way will only allow you to run it one time, and there has already been a major update to this knowledge base article (version 2.0).

Microsoft reports that, as of September 14, 2004, the company is not aware of any reports that this threat has been exploited and hasn't seen any proof-of-concept code.

Another Microsoft Security Bulletin, MS04-027, addresses a remote code execution threat posed by a vulnerability found only in the WordPerfect document converter used by some versions of Microsoft Word and Microsoft Office. You should be suspicious of any Microsoft installation that has the ability to convert Corel WordPerfect 5-formatted documents. Also, note that the problem lies in the Microsoft decoder code, not in the Corel product.


For MS04-028 (JPEG GDI), the following operating systems are affected:

  • Windows Server 2003 and Windows Server 2003 64-Bit Edition
  • Windows XP and Windows XP 64-bit Edition
  • Windows XP SP1 and Windows XP 64-bit Edition SP1
  • Windows XP 64-Bit Edition Version 2003

The default installation of the above operating systems contains the vulnerable component; however, the component may have also been installed on other operating systems after the default installation, so other versions of Windows are not immune from this threat.

For MS04-028, the following Microsoft applications are also affected:

  • .NET Framework, Version 1.0 SDK
  • Microsoft Office System 2003 and Office XP SP3
  • Picture It! 2002, Picture It! version 7.0 and 9
  • Picture It! Library
  • Producer for Microsoft PowerPoint (all versions)
  • Microsoft Project 2002 and 2003
  • Microsoft Visio 2002 and 2003
  • Platform SDK Redistributable: GDI+
  • Visual Basic .NET Standard 2002 and VB .NET Standard 2003
  • Visual C# and Visual C++ .NET Standard 2002 and Visual C# and Visual C++ .NET Standard 2003
  • Visual J# .NET Standard 2003
  • Visual Studio .NET 2002 and 2003
  • Digital Image Pro and DI Suite version 9
  • Digital Image Pro version 7.0
  • Greetings 2002

In addition, third-party applications developed with the above-listed Microsoft tools or which distribute their own copy of the component containing the buffer overrun will also be affected.

For Microsoft Security Bulletin MS04-027 (WordPerfect 5 Converter threat), the following Microsoft applications are vulnerable:

  • Microsoft Works Suite 2001, 2002, 2003, and 2004
  • Office 2003, Word 2003, FrontPage 2003, and Publisher 2003
  • Office 2000 with SP3, Word 2000, FrontPage 2000, and Publisher 2000
  • Office XP SP3, Word 2002, FrontPage 2002, and Publisher 2002

Office 2003 with Service Pack 1 installed is not vulnerable.

Risk level – Critical

For the JPEG GDI vulnerability, the risk is critical. Microsoft rates the WordPerfect 5.x Converter vulnerability as important, because many users don't utilize the converter. For those who open Corel WordPerfect 5.x documents, it may be a critical vulnerability because, based on the user's access permissions, an attacker can gain the ability to run arbitrary code on vulnerable systems.

Mitigating factors

Windows XP SP2 is not vulnerable to the JPEG display threat.

The WordPerfect Converter threat applies only to WordPerfect 5 documents. WordPerfect 6 documents are in a different format and are converted by wpft632.cnv, which is not affected. If you never open a WordPerfect 5 document, then the vulnerable component will never be accessed and you are not vulnerable; however, such documents may be included in e-mail attachments and opening such an attachment will trigger the attack if the document is from a malicious individual. As mentioned above, Office 2003 with SP1 installed is not vulnerable to the WordPerfect converter threat.

Fix - Apply patches

A simple workaround for the JPEG threat in Outlook is to view e-mails in text-only mode. In general, this is always a good idea because it avoids various malware threats that can be hidden in images. See Microsoft Knowledge Base Article 307594 for instructions on configuring Outlook 2002 (XP starting with SP1) to open untrusted and unencrypted e-mails in plain text format (please note that this involves modifying the Windows Registry and should only be attempted by those with extensive knowledge of the dangers involved in registry edits). Microsoft Knowledge Base Article 291387 covers plain-text display in Outlook Express 6.

Besides refusing any WordPerfect 5 format documents, a workaround for the WordPerfect 5 Converter threat is to uninstall the Converter, which is an Office Shared Feature. Note that the problem only lies in the default WordPerfect 5 document format. WordPerfect 5 users can simply save documents in other formats that are not affected.

Final word

Because we are now publishing this column on an expedited schedule, look for any updates to these bulletins in the discussion of this article. The information on these threats was based on the original (version 1.0) bulletin releases.
