Operating System » MS Windows » MS Security » Alert: MS Security Bulletins » Sep 2004 Microsoft Security Bulletin: » JPEG Exploit Exploitation

JPEG Exploit Exploitation

The following are 3 scenarios that could lead to an advanced exploitation of the JPEG exploit that began to strike in October:

  1. Email Attachment - Emails with infected JPEG attachments may not be identified by desktop antivirus solutions because they rely on file extensions and MIME types to identify images.
  2. Image on a Web Page - Most gateway security solutions do not inspect JPEG files in HTTP and FTP - if they do inspect these files, it significantly impacts performance. Links to the infected Web pages can also propagate in email worms, instant messenger worms, IRC worms, etc.
  3. Email with a Linked Image - An attacker or spammer sends an email containing an HTML image link to a JPEG containing malicious code. The JPEG itself resides on a Web server and is automatically downloaded via HTTP when the email is viewed or previewed. The code is executed the moment the image is viewed or previewed in Outlook or Outlook Express. It is important to note that infected images could reside not only on Web servers prepared by attackers, but also on previously infected computers which are now turned into slim Web servers or on infected Web servers. This is similar to Nimda and other worms that infected Microsoft IIS Web servers.

Organizations adopt the following six action steps to reduce the chance of this threat occurring:

  1. Don’t rely on SMTP or internal mail server content inspection. A complete solution must be a gateway solution and must inspect HTTP and FTP in addition to SMTP.
  2. Identification of JPEG files should not rely on extensions, or content type, to prevent spoofing.
  3. JPEG files should be inspected packet-by-packet in real time to eliminate latency. Users should not have to wait until the entire file is downloaded and inspected by the proxy.
  4. All parts of the JPEG file must be fully inspected before being released to the client. Solutions cannot rely on partially releasing non-inspected content.
  5. The gateway solution must not pose any delays and timeouts or create any visible impact on users’ browsing experience - either when cached JPEG files are delivered or when new images are downloaded.
  6. For hosted web sites that allow file uploads, inspect all uploaded JPEG files.


Updated On: 15.02.13

Leave your message, comment or feedback:
Your Name (shown) & Your E-mail (hidden) is used only to alert you when someone reply your message.