Finjan Software has exposed a new, dangerous exploit that significantly increases the damage potential of the so-called "JPEG vulnerability" published by Microsoft on September 16, 2004 (Microsoft security bulletin MS04-028).

An attacker can remotely take over a user's PC simply by having the user browse, with Internet Explorer, a web page that contains a malformed image file. The previously reported vulnerability did not expose Internet Explorer to this attack.

As previously reported, Microsoft's GDI+ JPEG decoder DLL (gdiplus.dll) contains a vulnerability that allows an attacker to execute arbitrary code remotely on Windows operating systems. To be attacked, however, the user had to obtain the contaminated image file by e-mail, or otherwise save it to the local disk, and then view the image with one of the vulnerable Microsoft software products.

In other words, the previous vulnerability required some degree of "social engineering" to make the user perform an operation that triggers the attack. Conversely, this new vulnerability affects any Internet Explorer user who merely browses a malicious page.

Note that this same vulnerability affects JPEG image files even if they have been renamed with the following file extensions:
  • .bmp
  • .dib
  • .emf
  • .gif
  • .ico
  • .jfif
  • .jpe
  • .jpeg
  • .jpg
  • .png
  • .rle
  • .tif
  • .tiff
  • .wmf
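The practical consequence of the list above is that GDI+ identifies an image by its content, not by its file name, so a filter that blocks only `.jpg`/`.jpeg` attachments or downloads misses the renamed files. The following Python script is an added example (not code from the original advisory or from Finjan) showing the defender-side check: classify files by their leading magic bytes and flag anything that is JPEG data wearing one of the listed non-JPEG extensions. The sample file contents are constructed inline for the demonstration; the `classify` and `scan_samples` function names are this example's own.

```python
"""Flag JPEG content hiding behind a non-JPEG extension (added example).

GDI+ decodes by content, so a JPEG renamed to .bmp, .png, .gif, ... still
reaches the JPEG decoder. A gateway or download-directory scan should
therefore identify files by magic bytes rather than by name.
"""
import os
from typing import Dict, List

# Extensions listed in the advisory as still reaching the GDI+ JPEG decoder.
LISTED_EXTENSIONS = {
    ".bmp", ".dib", ".emf", ".gif", ".ico", ".jfif", ".jpe", ".jpeg",
    ".jpg", ".png", ".rle", ".tif", ".tiff", ".wmf",
}
# Extensions under which JPEG content is expected and therefore not suspicious.
JPEG_EXTENSIONS = {".jpg", ".jpeg", ".jpe", ".jfif"}

# JPEG files begin with the SOI marker FF D8 followed by another marker (FF xx).
JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def is_jpeg_content(data: bytes) -> bool:
    """True if the first bytes are a JPEG Start-Of-Image marker sequence."""
    return data[:3] == JPEG_MAGIC


def classify(name: str, data: bytes) -> str:
    """Return one of: not-jpeg, jpeg, jpeg-disguised, jpeg-unknown-ext."""
    ext = os.path.splitext(name)[1].lower()
    if not is_jpeg_content(data):
        return "not-jpeg"
    if ext in JPEG_EXTENSIONS:
        return "jpeg"
    if ext in LISTED_EXTENSIONS:
        # JPEG bytes under an extension the decoder still accepts: the case
        # the advisory warns about, and the one extension filters miss.
        return "jpeg-disguised"
    return "jpeg-unknown-ext"


# Constructed sample "files" (name -> content); the JPEG sample is a minimal
# JFIF header, the PNG sample is just the PNG signature.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SAMPLES: Dict[str, bytes] = {
    "photo.jpg": JPEG_SAMPLE,
    "logo.png": PNG_MAGIC + b"\x00\x00\x00\rIHDR",
    "wallpaper.bmp": JPEG_SAMPLE,   # JPEG renamed to .bmp
    "banner.gif": JPEG_SAMPLE,      # JPEG renamed to .gif
    "notes.txt": b"plain text, not an image",
    "archive.dat": JPEG_SAMPLE,     # JPEG under an extension not in the list
}


def scan_samples(samples: Dict[str, bytes] = SAMPLES) -> List[str]:
    """Return the names whose content is JPEG but whose extension is not."""
    return sorted(n for n, d in samples.items()
                  if classify(n, d) == "jpeg-disguised")


def scan_directory(path: str) -> List[str]:
    """Same check over real files: read only the first 16 bytes of each."""
    found = []
    for entry in os.scandir(path):
        if entry.is_file():
            with open(entry.path, "rb") as fh:
                head = fh.read(16)
            if classify(entry.name, head) == "jpeg-disguised":
                found.append(entry.name)
    return sorted(found)


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:15s} {classify(name, data)}")
    print("disguised JPEGs:", scan_samples())
```

Only the first few bytes of each file are read, so the check is cheap enough to run inline on a mail gateway or proxy; the `scan_directory` helper applies the same logic to a download folder. Note that matching the JPEG SOI marker identifies JPEG content, not whether a given file is malformed; the point is to route every JPEG-by-content file through the same inspection and patch-status policy regardless of its name.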
More info: