Security Manifest

Benjamin Johnstone-Anderson, Microsoft MVP - Windows Security

JPG Processing (GDI+) Bug In the Wild

The potentially very dangerous buffer overflow vulnerability that recently surfaced has already been turned into a proof-of-concept exploit, according to various sources. Symantec describes it thusly:

Hacktool.JPEGDownload is a program that can be used to generate .jpg files that exploit the Microsoft GDI+ Library JPEG Segment Length Integer Underflow vulnerability (described in the Microsoft Security Bulletin MS04-028). The .jpg files that this Trojan generates can download a URL hardcoded in the .jpg file, and are detected by Symantec products as Download.Trojan.
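The "Segment Length Integer Underflow" named in the Symantec description refers to the two-byte length field that precedes most JPEG marker segments. That field counts itself, so any well-formed segment declares a length of at least 2; a value of 0 or 1 makes a "length minus 2" computation wrap around to a huge number, which is the condition the MS04-028 bug class depends on. The scanner below is an added example, not code from the post, Symantec or Microsoft: it walks the marker structure of a JPEG and reports any segment whose declared length is below 2 or runs past the end of the file, which is what a mail gateway or file-upload handler would want to check before handing the image to a GDI+-backed decoder. The sample images (`GOOD_JPEG`, `BAD_JPEG`, `SOS_JPEG`) are constructed inline for illustration and are not real files.

```python
import struct

# Markers that carry no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE_MARKERS = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))
SOS, EOI = 0xDA, 0xD9


def _skip_entropy_coded_data(data: bytes, pos: int) -> int:
    """Advance past entropy-coded scan data to the next real marker.

    Inside scan data 0xFF is escaped as 0xFF 0x00, RSTn markers may appear,
    and runs of 0xFF are fill bytes; everything else after 0xFF is a marker.
    """
    while pos + 1 < len(data):
        if data[pos] == 0xFF:
            nxt = data[pos + 1]
            if nxt == 0xFF:            # fill byte, re-examine the next 0xFF
                pos += 1
                continue
            if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:   # stuffed byte or RSTn
                pos += 2
                continue
            return pos                 # offset of the 0xFF that starts a marker
        pos += 1
    return len(data)


def scan_jpeg(data: bytes) -> list:
    """Return a list of (offset, marker, declared_length, issue) findings.

    An empty list means every segment length field was structurally sane.
    """
    findings = []
    if len(data) < 2 or data[:2] != b"\xff\xd8":
        return [(0, None, None, "missing SOI marker")]
    pos, saw_eoi = 2, False
    while pos < len(data):
        seg_start = pos
        if data[pos] != 0xFF:
            findings.append((pos, None, None, "expected marker byte 0xFF"))
            break
        while pos < len(data) and data[pos] == 0xFF:   # skip fill bytes
            pos += 1
        if pos >= len(data):
            findings.append((seg_start, None, None, "truncated marker"))
            break
        marker = data[pos]
        pos += 1
        if marker == EOI:
            saw_eoi = True
            break
        if marker in STANDALONE_MARKERS:
            continue
        if pos + 2 > len(data):
            findings.append((seg_start, marker, None, "truncated length field"))
            break
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            # The length field includes its own two bytes; anything smaller
            # makes "length - 2" underflow in a naive decoder.
            findings.append((seg_start, marker, length,
                             "segment length < 2 (integer underflow condition)"))
            break   # cannot advance reliably past a malformed segment
        if pos + length > len(data):
            findings.append((seg_start, marker, length,
                             "segment length runs past end of file"))
            break
        pos += length
        if marker == SOS:
            pos = _skip_entropy_coded_data(data, pos)
    if not saw_eoi and not findings:
        findings.append((len(data), None, None, "missing EOI marker"))
    return findings


def has_malformed_segments(data: bytes) -> bool:
    """True if the file should be rejected before it reaches an image decoder."""
    return bool(scan_jpeg(data))


# Constructed samples (not real files). GOOD_JPEG: SOI, a 16-byte APP0/JFIF
# segment, a 5-byte COM segment, EOI. BAD_JPEG: a COM segment declaring length 1.
GOOD_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x10" + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
             + b"\xff\xfe\x00\x05abc" + b"\xff\xd9")
BAD_JPEG = b"\xff\xd8" + b"\xff\xfe\x00\x01" + b"\x00" * 8 + b"\xff\xd9"
# SOS_JPEG: a minimal SOS header followed by scan data containing a stuffed
# 0xFF 0x00 and an RST0 marker, then EOI.
SOS_JPEG = b"\xff\xd8" + b"\xff\xda\x00\x02" + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9"

if __name__ == "__main__":
    for name, blob in (("good", GOOD_JPEG), ("bad", BAD_JPEG), ("sos", SOS_JPEG)):
        print(name, scan_jpeg(blob))
```

The check is deliberately structural: it does not decode pixels, so it is cheap enough to run on every inbound attachment, and because it stops at the first malformed segment it never trusts a length field it has already found to be bogus.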

F-Secure's weblog has posted a screenshot of the program.

Although there are no known uses in any current malware other than this proof-of-concept program, once an exploit has reached proof-of-concept stage it typically is not long before it is used in the field, so apply the MS04-028 patch now.

It should also be noted that Kaspersky's Exploit.IE.Crashos detection is not related to this vulnerability, and the crash it detects still works on Windows XP SP2. Because it can also be triggered by a .JPG file opened in Internet Explorer, it has generated some concern and confusion with the GDI+ issue. When and if Kaspersky publishes information on this detection, it will be posted here.