Attached Link: http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx

This one definitely bears reading. Summary: This update resolves a newly-discovered, privately reported vulnerability. A buffer overrun vulnerability exists in the processing of JPEG image formats that could allow remote code execution on an affected system. The vulnerability is documented in this bulletin in its own section. If a user is logged on with administrator privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges. Microsoft recommends that customers apply the update immediately. Details provided at attached link.

good news is, if you've installed Service Pack 2 for XP your're in the clear on this one.. (just checked the bulletin)

I haven't though. I know too many people who lost their hard drive or couldn't boot or any number of horrors, so I'm holding off. :( I did install the patch for this one, though. bonni

Thanks bonni! I was doing a quick read tonight in one of the CG magazines at Borders just as they were closing...(not sure which mag..Computer Arts, 3D World,.. but one of the more popular ones). It was saying that a script based (Java) virus is being used in Jpeg image files, and that sites that allow uploads,need to take extra precautions. I did a little fast research online about Jpeg virus, and at one point in time,the thinking was even if a script was imbedded, it still needed a Trojan type .exe on a machine to do any damage. Seems like that has now changed, as this new script can do the damage all by itself. Came here to see if anybody else knew about this,and find bonni already on the ball. Getting that patch right now! I think this is a very important issue Renderosity, as well as all Graphic sites better look into ASAP!!!! SWAMP

Which update, there are a few on that page...?

Attached Link: http://support.microsoft.com/default.aspx?scid=kb;EN-US;873374

Any and all that pertain to the OS and software you have installed on your machine. Like if you have Windows XP sr1,Word 2002,and Microsoft Greeting,you will need to DL three patches. To make it easy,first DL and install the patch for your version of XP,or Server2003 (XP with the the new SR2 is not effected). Then go to this link and DL the GDI+ detection tool,which will tell you if you have anything else that needs to be patched. SWAMP

I can't believe this! Only in Microsoft's world is possible jpeg images with virus! The most secure and stable Windows is Win95 first edition, newer version, worst and more unsecure, good luck XP users and pray to God, maybe the faith saves you.......

Only in Microsoft's world is possible jpeg images with virus! Well, the term "email virus" used to be quite literally a JOKE. It was impossible for a virus to be spread via email, back in the day. How nice of Microsoft to provide that functionality for us. :-) bonni

So, do we have to get the sp2 in order to have this patch? or can we use what we have...I am running XP sp1, and def do NOT want sp2.

No, you can get just the patch for this. That's what I did. I don't want to install sp2 until they've fixed it. ;-) I just went to the Windows download site and chose the "custom install" or whatever they call it, and picked the updates I wanted. bonni

Ahhh okies ;) Thanks!

I'm on Win2000 and I don't even want XP, never mind about its sp2. Do I need to download this patch?

No,the Win2000 OS "itself" is not effected,and does not need to be patched. However you CAN STILL HAVE software/programs that are effected that will need to be patched (like Office,Word,PictureIT,etc.). Read what is listed on the site bonni linked to. If you are still not sure, DL the GDI+ detection tool which will search your system and inform you if you do have any of the software that can be effected. (I already gave you that link above). SWAMP

bonni: i received the sp2 update as an automatic download.... and i let it install itself (not knowing any better). it's fine - except that it wants to over-ride my native security package with its own.... (and i have a "peculiar" configuration on my home use PC - with many custom scripts and patches which i do not understand.)

Message edited on: 09/15/2004 09:35

Thanks Swamp.

bonni --

Thanks for the heads-up.

I've got SP2 installed on my machines at home.....the install went as smooth as a glass sea....no problems at all.

On the other hand, one of my co-workers at the office had severe problems resulting from the installation of SP2 on his machine. So, I haven't installed SP2 at the office yet.

I'll install this security patch.

Thanks again.

elizabyte...which specific patch was that you installed?

...edited for spelling

Message edited on: 09/15/2004 12:34

Installed the Windows XP sr1 patch. The GDI+ detection tool still says I am running software that may contain a security vulnerability even though I have NONE of the other programs listed. Perish the thought that they should provide a tool that tells you which program needs to be patched. Long live the evil microcrap empire. sarcasm

Damn it's easy to cause a buffer overrun on Windows systems. Until now we've seen tons of little patches for IE, Media Player, Outlook Express, Winamp etc. to prevent buffer overrun, but finally it looks like there's going to be protection from that kind of exploits on hardware (CPU) level. Which of course means even if the software is vulnerable the CPU won't let the buffer overrun happen. Anyway, it's good to be on Linux (though I still use Windows too). A couple of months ago there were some serious attempts to hack some Linux servers using ssh. Well, that wasn't very successfull as the hacking scripts were trying to guess the root password. If that's the best way to break into a Linux system I feel pretty safe.

...wait. I only have Linux and OSX.... ne'ermind >:) /P

Pen...you mean to tell me that they now have Poser for Linux??

Unfortunately there's no Poser for Linux, which is one of the few reasons I'm still using Windows. But as Peng found out Crossover Office (a Windows emulator for Linux, uses Wine but supports a wider range of apps) can run DAZ Studio. One can also run a whole Windows OS under Linux, with software like VMware, Win4Lin or Bochs. Even Poser will work then, but that requires an installation of a real Windows.

"Even Poser will work then, but that requires an installation of a real Windows." Will Microsoft be releasing that any time soon, now that they've had all these practice versions out for so long?

As long as I'm not a Linux user, I've dowloaded the update...Thank you for the link!

Well this is confusing, but will look into it... I use win2kpro SP4 full updated.. and hate word so don't have that..but what does word have to do with jpgs? I of course have paint programs and make jpgs all the time! Sheesh what a world we live in!

One question about the latest patches from Microsoft - that "fix" this problem. How many new vulnerabilities do they install on your system?

The bug is in GDI+, which is .NET specific. If you don't have the .NET framework installed (most users don't have it) you're safe. Doesn't matter what Windows version you run.