Quick Search  
Select your language:
English ] 
Home  |  JPEG Committee  |  JBIG  |  JPEG  |  JPEG2000  |  News/Events  |  Press  |  Sponsorship  |  Contact
JPEG Problems in Microsoft's JPEG decoding

A major problem has been identified in the code used in many Microsoft applications, and those using Microsoft's software libraries in how it decodes JPEG images. The problem has been identified in a noteat the web site of the US Computer Emergency Readiness Team , CERT, and affects many applications other than Microsoft's - the CERT site lists many of these.

Nick DeBaggis is credited with its discovery - a recent posting of his provides some further detail.
The JPEG committee cannot emphasize enough how important it is to use properlytried and tested software for processing and displaying JPEG (and other file formats). Insufficient testing and analysis can lead to the type of problem reported, which will expose vulnerabilities in any kind of data processing activity, not just in image display routines.

Microsoft's reaction to the reported problem is available at:
http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
and the reported fix installs a tester, availablefrom the URL
http://www.microsoft.com/security/bulletins/200409_jpeg_tool.mspx

This tester will offer to download patches for the operating system, Internet Explorer, and also analyses Microsoft Office and third party software installations that expose this vulnerability. Please note that the resulting downloads may be upwards of 50 Mbytes. This is --not-- the fault of the JPEG standard, andthe JPEG committeehas --no-- responsibility for either the problem or its suggested solutions. In view of the serious nature of this problem however, we recommend that all users of Microsoft products read the above notices and take appropriate action.

As a result of an increased level of support calls, and of significant misrepresentation in the press, we are making this emergency news release. The JPEG team cannot be expected to offer support on this Microsoft specific issue, and will not respond to individual claims for assistance or resolution of any problems caused by the fixes suggested above.

This is not a "JPEG bug" - http://www.eweek.com/article2/0,1759,1645829,00.asp
or a "JPEG flaw" - http://www.pcworld.com/news/article/0,aid,117776,00.asp

As an example of more accurate reporting, you are referred to an article from the UK's new Scientist magazine, entitled, "Software bug raises spectre of 'JPEG of death' " - http://www.newscientist.com/news/news.jsp?id=ns99996408

Return to the top
2007. Website designed and maintained by Elysium Ltd and 2KAN members
Site usage subject to our terms and conditions
Site sponsors include:
Elysium Ltd