New computer code that exploits a recently disclosed hole in Microsoft Corp.'s Internet Explorer Web browser is circulating on the Internet and could allow remote attackers to take full control of vulnerable Windows machines, according to warnings from antivirus companies and Internet security experts.

Two new "proof of concept" exploit programs first appeared Wednesday, and were posted to Web sites and Internet news groups frequented by security experts. The new code is more dangerous than an exploit for the vulnerability that appeared earlier in the week, since it allows malicious hackers to run their own code on vulnerable machines, instead of just freezing or crashing Windows systems.

The exploits take advantage of a flaw in the way Microsoft applications process JPEG image files, a common format for displaying images on the Web. The first exploit opens a command shell on a vulnerable Windows system when the rigged JPEG file is opened using Windows Explorer, an application for browsing file directories on Windows systems. While that, in itself, is not damaging, a remote attacker could easily add malicious commands to the script that would run on the affected system.

The second exploit, which was published late Wednesday, East Coast time in the U.S., further modifies the attack code to add a new administrator-level account, named simply "X," to affected Windows systems when a JPEG file is opened through Windows Explorer. The account could then be used by the attacker to log in to the machine using standard Windows networking features.

In both cases, malicious commands could only be executed using the permission level of the user running Windows Explorer.

The new exploits could be spread by a virus in corrupted JPEG images sent as e-mail attachments or served from Web sites. In fact, the scripts could be used to dynamically modify JPEG files as they are sent from a Web server, provided the attacker was able to access the Web server sending the images and place the attack script on it.

While the new exploits work when the JPEGs they create are opened in Windows Explorer, the same files only crash Windows systems when opened in Internet Explorer or Outlook. However, the scripts could be modified to work with most versions of Microsoft's operating system applications.

Microsoft has issued a fix for the flaw. Get it from http://www.microsoft.com/security/bulletins/200409_jpeg.mspx
Comments
on Sep 27, 2004
Only Microsoft could make a program in which a hacker could use A PICTURE FILE to create an Admin account on your machine and take full control of it.

Yet another reason to use Mozilla Firefox, as if I needed one.
on Sep 27, 2004
How the hell could you put a virus in an image? It's not even an executable! I'm baffled.
on Sep 27, 2004
You are wrong in this case. Linux has the same problem. Everything that uses GDI can be exploited by this bug. Do your research before you start to blindly blame someone.
on Sep 27, 2004
Paxx, this technique is known as "cloaking", try Google to find out more stuff on it.
on Sep 28, 2004
Tesla, I thought that GDI was a Microsoft technology?
on Sep 28, 2004
It doesn't affect XP SP2. Only Office XP/2003 and older versions of Windows.
on Sep 28, 2004
Paul, it affects XP SP2. Read MS Warning.
on Sep 28, 2004
Reminds me why I use Firefox now.....
on Sep 30, 2004
As far as Operating Systems go, XPsp2 and 2Ksp3 and sp4 don't have this problem. However, if you have Office installed on those machines you'll be in strife if you don't patch. If you have XP and XPsp1 you'll be in trouble (if the exploit hits the web with any force) even without Office.