Experts worry that this new JPEG bug can be exploited through an HTML e-mail, allowing the attacker to run any code allowed under the user's permissions. "Very serious," says one, pointing to the chance of copy-cat attacks. . . .
Microsoft Corp. on Tuesday offered patches for two serious vulnerabilities in its products. One of the flaws--triggered by a tweaked image file--affects a wide range of Microsoft products, including server and client operating systems as well as applications such as e-mail.

However, this "Patch Tuesday," following the August release of Windows XP SP2 (Service Pack 2), appeared to sidestep concerns over whether Microsoft will provide different patches for XP SP1 and XP SP2 installations. The patches released on Tuesday addressed issues with SP1 and other Microsoft applications.

The more serious of the two vulnerabilities allows a specially malformed JPEG graphic file--when viewed in any of a large number of Microsoft products--to compromise the system, allowing execution of any attack code.

The second also allows remote code execution, through a bug in the WordPerfect file converter. Microsoft said both bugs were reported privately to the company and had not been revealed until the release of the patch.

The JPEG bug, an error in the GDI+ Type Library, has the potential for widespread damage, as it can be delivered through an HTML e-mail. Once an exploit of the problem runs on a system, it can run any code allowed under the user's permissions.

The advisory for the JPEG bug lists Windows XP; Windows Server 2003; Office XP and 2003; numerous versions of Microsoft Project; Visio and Visual Studio .NET; and many other consumer and professional products including:

The link for this article located at eweek.com is no longer available.