Bethel University


Microsoft Windows JPEG Exploit

From an email to the Bethel community on September 24, 2004:

ITS wants you to be aware that a serious Windows security exploit attack is imminent ... Your action is required.

We know the information below may seem overwhelming, but inaction is not an option! We ask that ALL students using a Windows operating system patch their system immediately. Please contact us at x6500 if you have any questions. Thank you.

Exploit Details

This security exploit involves a flaw in how Windows opens JPEG images. It allows a malicious person to run their own code by merely viewing images on your computer or visiting a webpage. Viruses have already been found on the internet that use this exploit to take control of a computer. While the current versions have been somewhat limited, computer experts say that it will only be a matter of time before a rapidly-spreading version is released.

Who is vulnerable?

Just about everyone who uses a Windows system. The following products are known to be vulnerable.

  • Windows XP
  • Windows XP Service Pack 1 (SP1)
  • Windows Server 2003
  • Internet Explorer 6 SP1
  • Office XP SP3
    Note: Office XP SP3 includes Word 2002, Excel 2002, Outlook 2002, PowerPoint 2002, FrontPage 2002, and Publisher 2002.
  • Office 2003
    Note: Office 2003 includes Word 2003, Excel 2003, Outlook 2003, PowerPoint 2003, FrontPage 2003, Publisher 2003, InfoPath 2003, and OneNote 2003.
  • Digital Image Pro 7.0
  • Digital Image Pro 9
  • Digital Image Suite 9
  • Greetings 2002
  • Picture It! 2002 (all versions)
  • Picture It! 7.0 (all versions)
  • Picture It! 9 (all versions, including Picture It! Library)
  • Producer for PowerPoint (all versions)
  • Project 2002 SP1 (all versions)
  • Project 2003 (all versions)
  • Visio 2002 SP2 (all versions)
  • Visio 2003 (all versions)
  • Visual Studio .NET 2002
    Note: Visual Studio .NET 2002 includes Visual Basic .NET Standard 2002, Visual C# .NET Standard 2002, and Visual C++ .NET Standard 2002.
  • Visual Studio .NET 2003
    Note: Visual Studio .NET 2003 includes Visual Basic .NET Standard 2003, Visual C# .NET Standard 2003, Visual C++ .NET Standard 2003, and Visual J# .NET Standard 2003.
  • .NET Framework 1.0 SP2
  • .NET Framework 1.0 SDK SP2
  • .NET Framework 1.1
  • Platform SDK Redistributable: GDI+

What should you do?

Visit Microsoft's security bulletin on this exploit and follow the instructions provided there.

Bethel ITS recommends that all students install Windows XP Service Pack 2 (SP2) as soon as possible if they have not yet done so. Windows XP with SP2 is by far the most secured desktop Windows operating system to date. Nevertheless, because of this specific vulnerability, you may still need to patch Microsoft Office and other applications in addition to installing SP2. Please note that antivirus software alone will not protect your computer against this security exploit.

Bethel ITS has published important information about installing SP2.

What if you wait?

Waiting is not an option. Even if you have current antivirus software, your computer is still vulnerable to this exploit. In a worst case scenario, your computer will require reformatting and all data will be lost. You will also lose your network privileges until you can verify your computer is no longer infected. Finally, you may contribute to a large-scale long-term network outage. If enough computers become infected on the campus network, the network can become overwhelmed and fail for an extended period of time.

More Information

Hackers Target Microsoft's JPEG Flaw

Associated Press
In a harbinger of security threats to come, hackers have exploited a newly announced flaw in Microsoft Corp. programs and begun circulating malicious code hidden in images that use the popular JPEG format.

Danger of Image-Borne Viruses Looms

By Brian Krebs, washingtonpost.com Staff Writer
Hackers are close to finding a way to spread harmful computer viruses just by getting people to open an e-mail message or visiting an infected Web site, computer security experts warned yesterday.

JPEG Exploit Toolkit Spotted Online

By John Leyden
A toolkit designed to exploit a recently-disclosed Microsoft JPEG vulnerability has been released onto the net. The toolkit ... makes it trivially easy for maliciously-minded attackers, however unskilled they might be, to exploit unpatched Windows systems and run malicious code.

 




Bethel College Information Technology Services