A major problem has been identified in how the code used in many Microsoft applications, and in applications that use Microsoft's software libraries, decodes JPEG images. The problem is described in a note on the web site of the US Computer Emergency Readiness Team (CERT), and affects many applications other than Microsoft's; the CERT site lists many of these.
Nick DeBaggis is credited with its discovery - a recent posting of his provides some further detail.
The JPEG committee cannot emphasize enough how important it is to use properly tried and tested software for processing and displaying JPEG (and other file formats). Insufficient testing and analysis can lead to the type of problem reported, which will expose vulnerabilities in any kind of data processing activity, not just in image display routines.
Microsoft's reaction to the reported problem is available at:
http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
and the reported fix installs a tester, available from the URL
http://www.microsoft.com/security/bulletins/200409_jpeg_tool.mspx
This tester will offer to download patches for the operating system and Internet Explorer, and also analyses Microsoft Office and third party software installations that expose this vulnerability. Please note that the resulting downloads may be upwards of 50 Mbytes.
This is NOT the fault of the JPEG standard, and the JPEG committee has NO responsibility for either the problem or its suggested solutions. In view of the serious nature of this problem, however, we recommend that all users of Microsoft products read the above notices and take appropriate action.
As a result of an increased level of support calls, and of significant misrepresentation in the press, we are making this emergency news release. The JPEG team cannot be expected to offer support on this Microsoft-specific issue, and will not respond to individual claims for assistance or resolution of any problems caused by the fixes suggested above.
This is not a "JPEG bug" - http://www.eweek.com/article2/0,1759,1645829,00.asp
or a "JPEG flaw" - http://www.pcworld.com/news/article/0,aid,117776,00.asp
As an example of more accurate reporting, you are referred to an article from the UK's New Scientist magazine, entitled "Software bug raises spectre of 'JPEG of death'" - http://www.newscientist.com/news/news.jsp?id=ns99996408