Update - How to deal with the threat of JPEG (JPG) files with viruses

My longtime friend and customer, David Ingram, jumped on the wagon and sent this reply to my previous missive on the newly found vulnerability in Microsoft's Windows XP JPEG rendering engine:

>Okay - you win - how do we set everything up and get rid of most of

>the threat

>ingram

Before I start I'll note that there are now several sites with sample code that can take advantage of this vulnerability and it is estimated that real exploits will be out in hours or days!

The first thing to understand is that so far only Windows XP (and Windows 2003 Server but I don't think any of my customers are running it) without the SP2 update, and programs that use its JPEG rendering engine (Internet Explorer, MS Word, Outlook, etc.) have this particular vulnerability. For a full list of the vulnerable systems you can go to: www.securiteam.com

For most people with Windows XP, the easiest fix is to download and apply the SP2 update. There is a link on the above page to this and other updates such as for MS Office 2003 and Office XP.

Note that the SP2 update is several hundred megabytes so you had better have a fast connection. Microsoft will eventually ship this update on CD but for now it is only available via download.

The problem is that it is possible to run some of the affected software (that normally runs on XP) on prior versions of Windows, so if you are running on Windows 2000 or NT, 98, 98SE, or Me and have installed one of the software suites such as Office XP or Office 2003 or one of its components such as MS Word, then you need to go to Microsoft's Office Update: office.microsoft.com for Office. If you are using any of the development tools you probably will know where to go for updates (but then you probably already know more about this than I do ;)

The one other item that is affected that you may have on an older system is Internet Explorer 6 with service pack 1. There are far more details on the above noted Securiteam.com site.

What it all comes down to is that if you use Microsoft's software, you should be visiting the update site for it now to get any security updates.

For many people and businesses, it is probably fine to download and enable the automated updater that Microsoft has created. You should contact your local computer administration people (if they are anybody other than me or my associates) to confirm that this is OK as there are some third-party software systems that can have problems if this is done. Most consumer software won't have a problem but "your mileage may vary".

Of course you can always switch to Linux, or at least to Mozilla and Open Office on your Windows system as well as other Open Source software that is equivalent to what you're using on Windows.