Reported September 14, 2004, by Microsoft

VERSIONS AFFECTED

  • Windows Server 2003
  • Windows XP
  • Microsoft Office 2003
  • Microsoft Office XP
  • Microsoft Project 2002 and 2003
  • Microsoft Visio 2002 and 2003
  • Microsoft Visual Studio .NET 2002 and 2003
  • Microsoft Windows .NET Framework 1.0 SDK Service Pack 2
  • Microsoft Picture It! 2002 versions 7.0¬†and 9
  • Microsoft Greetings 2002
  • Microsoft Digital Image Pro versions 7.0 and 9
  • Microsoft Digital Image Suite 9
  • Microsoft Producer for Microsoft Office PowerPoint
  • Microsoft Platform SDK Redistributable: GDI+

DESCRIPTION
A buffer-overrun vulnerability in the processing of JPEG image formats could allow remote code execution on a vulnerable system. Any program that processes JPEG images on the affected systems could be vulnerable to this attack, as could any system that uses the affected programs or components. A potential attacker who successfully exploited this vulnerability could take complete control of an affected system.

VENDOR RESPONSE
Microsoft has released security bulletin MS04-028, "Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)," to address this vulnerability and recommends that affected users immediately apply the appropriate patch listed in the bulletin.

CREDIT
Discovered by Nick DeBaggis.