Security experts have discovered a toolkit designed to exploit the recently disclosed Microsoft flaw known as Exploit-MS04-028, popularly dubbed the “Image of Death”.
The so-called Image of Death is a buffer overflow that an attacker can exploit with a specially crafted JPEG file: when the image is viewed on a website, it can download and execute malicious code on the victim’s PC.
PandaLabs said it has detected the circulation of a kit, called Constructor/JPGDownloader, for creating JPEG images containing Exploit/MS04-028. The kit lets malicious users specify the web page from which all kinds of applications can be downloaded as soon as the unsuspecting victim opens the malicious JPEG file.
According to Luis Corrons, head of PandaLabs: “There is no doubt that virus creators will take advantage of the new vulnerability and will try to launch all kinds of viruses that exploit it. In particular, given the nature of the problem, Trojans are a great threat, especially as they can go unnoticed by users but are frequently used by cyber-crooks for online fraud.
“The fact that the files in question are JPEGs is another important factor, as they are so frequently used in web pages or exchanged via email. The scene is changing from one where worms used to pass themselves off as images to one where the image is actually part of the worm”.
ScanSafe reported that it has stopped “numerous” JPEG files containing Exploit-MS04-028. The security firm went on to warn that the problem may still not be solved for users of certain gateway HTTP AV scanners, as many of these do not inspect image files by default. In these cases users may remain exposed to the vulnerability unless they have followed vendor instructions to update the scanning rules.
John Edwards, technical director, ScanSafe, said: “Vulnerabilities such as the Image of Death can prove extremely costly to companies if they don’t have the correctly updated defences in place.”