For criminy’s sake, how the hell could opening a JPEG file constitute a security risk?
Well, it can if you do it using Micro$oft software. Crikey.
Users opening a file or viewing a specific image could be at risk if a hacker exploits the flaw and tries to gain access to a PC.
“The vulnerability could only be exploited by an attacker who persuaded a user to open a specially crafted file or to view a directory that contains the specially crafted image,” Microsoft said in a statement. “There is no way for an attacker to force a user to open a malicious file.”
Right. So now, thanks to M$, we can teach all of our less computer-literate friends and relatives to be scared of picture files, too. Yeesh.
UPDATE: The Reg provides more details. Basically it sounds like the old standard buffer overrun flaw.
The JPEG bug rounds out a growing menagerie of vulnerabilities in code that displays image files. Mozilla developers last month patched the open-source browser against a critical hole discovered in a widely-deployed library for processing PNG images. And last July, Microsoft simultaneously fixed two image display holes in Internet Explorer: one made users potentially vulnerable to maliciously-crafted BMP images, the second to corrupt GIF files. The GIF bug had been publicly disclosed 11 months earlier.
Maybe we should all just go back to terminals with glowing green letters …
CERT has a more thorough explanation.
The BBC has picked up on this problem, and their article on it says that virus writers are working on exploiting this bug RIGHT NOW! I guess even the Beeb tends to turn things into a crisis.