X

JPEG exploit could beat antivirus software

Security experts say attacks using image files could bypass established defenses.

2 min read
Antivirus software could be ill-prepared to protect corporate networks from the latest Windows vulnerability--innocent-looking JPEG files that contain security attacks.

According to Mikko Hypponen, director of antivirus research for F-Secure, antivirus software will strain to find JPEG malware, because by default, it only searches for .exe files.

"Normal antivirus software, by default, will not detect JPEGs," Hypponen said. "You can set your antivirus scanner to look for JPEG, but the trouble is that you can change the file extension on a JPEG to so many things."

There are about 11 file name extensions to which JPEGs can be changed, including .icon or .jpg2. Hypponen said this would make finding malicious JPEGs even more difficult; searching could take up a significant amount of valuable processor power.

Internet Explorer processes JPEGs before it caches them. That could also mean that desktops may become infected before antivirus software has a chance to work.

"This means that it is not enough to scan at the desktop," Hypponen said. "You have to scan at the gateway, but this will put a huge load on your bandwidth."

Hypponen said he expected a virus attack using the exploit to occur soon: "There has been so much interest in this vulnerability that someone is bound to do this. But saying that, there was a similar vulnerability found two months ago in bitmaps, and no one has exploited that yet."

Word of code that exploits the way Microsoft Windows processes JPEGs was posted in recent days to the Internet newsgroup EasyNews. Hypponen wrote on the F-Secure Web log that the exploit was not a virus because it had no way of spreading. In order for the code to infect a machine, a user must download the image it purports to be and view it in Windows Explorer.

On Tuesday, Microsoft hit back at critics over its handling of the vulnerability.

"Microsoft does not consider this a high risk to customers, given the amount of user action required to execute the attack, and is not currently aware of any significant customer impact," the company said in a statement. "We will continue to investigate the situation and provide customers with additional resources and guidance, as necessary."

Dan Ilett of ZDNet UK reported from London. CNET News.com's Rob Lemos contributed to this report.