
Code exploits Windows flaw in image file handling

By Joris Evers
Staff Writer, CNET News.com
Published: November 29, 2005, 2:53 PM PST

A correction was made to this story. Read below for details.

Computer code posted Tuesday can crash vulnerable Windows machines by exploiting a "critical" Windows flaw disclosed by Microsoft earlier this month.

The exploit code takes advantage of a flaw in the way Windows handles certain graphics files. Microsoft provided a patch in November with security bulletin MS05-053 and warned that the vulnerability could create an opening for spyware and Trojan horse attacks.

"Microsoft is aware that detailed exploit code has been published on the Internet for the vulnerability that is addressed by Microsoft security bulletin MS05-053," a company spokeswoman said Tuesday. Microsoft is not aware of any attacks that use the code, she said. The code was posted on various security Web sites.

"Initial investigation of this exploit code has verified that successful exploitation could lead to a denial-of-service attack...not remote code execution," the Microsoft spokeswoman said. In a denial-of-service attack, the computer would crash, while remote code execution would mean the attacker has full control over a PC.

The MS05-053 update fixes bugs in the way Windows renders the Windows Metafile and Enhanced Metafile image formats. Microsoft tagged the patch "critical" for all its current operating system versions. The company said that to exploit the flaws, an attacker could craft an image and trick a Windows user into looking at it on a spoof Web site or in an HTML e-mail, for example.

The public release of the exploit code for the image handling flaw comes just days after computer code that takes advantage of another Windows flaw was posted to the Web. The public posting of exploit code could be a sign that an attack is coming, security experts have said.

Microsoft has urged all customers to apply the most recent security updates to protect their systems.

 

Correction: This story incorrectly stated the month Microsoft provided a patch for the imaging flaw. The patch was released in November.


TalkBack

CERT disagrees with M$

Vincent Reis   Nov 29, 2005, 3:35 PM PST

