9.17.2004

New Microsoft Security Updates

This Tuesday, September 14th, 2004, was Microsoft's monthly "Patch Day". The patches for September are a little confusing at first glance, specifically the one related to JPEG image processing. Hopefully this post will clear up any questions you may have about the JPEG vulnerability and the associated patches.

First off, it's frightening that a JPEG image could introduce malicious code to your system. I can't remember how many times I've said jokingly "You can't get a virus from opening an image". I guess the old "never say never" wisdom holds true here.

Unfortunately, the JPEG vulnerability is not only present in the operating system on Windows XP and 2003, but also in Microsoft applications such as Office, Visio, the .NET Framework, etc. All affected applications must be patched or else the system is still vulnerable. In an effort to ease the administrative burden of deploying these patches, Microsoft has published an article on how to deploy multiple patches using a batch file. See Microsoft KB article 885885 for more information.

Keep in mind that even though the Windows 2000 and XP Service Pack 2 operating systems are not vulnerable, it is highly likely that those systems are running a vulnerable version of Office, the .NET Framework, or Internet Explorer. The easiest way to make sure you are protected is to visit the Windows Update and Office Update web sites and have your system automatically scanned for vulnerable components.