This comes from Paul Phillips, who, in addition to being one of the world’s best poker players, is also a computer wizard. He’s also not a guy prone to overstatement, so I’m just going to copy it here because I think this is very, very important and I want to hammer home the point to everyone who might read this page – update your Windows software:
The end is near: JPEG exploit proof of concept
It will be a bug like this that will take the whole world down. For the less computery types: a bug in all versions of windows prior to XPSP2 makes it possible for the bad guys to take over a windows machine if you just view a specially crafted graphics file. A public exploit to do just this has already been published.
That means anyone who uses the web, anyone who reads graphics-enabled email, really anyone who uses the network at all is vulnerable to total compromise.
Security people have long feared the appearance of a “zero day” worm, a worm that propagates at maximum speed and exploits a widely unpatched vulnerability. The large majority of the internet, including millions of machines that cannot be reached directly, could be under the control of one or a few people in hours or even MINUTES. Imagine the first thing the worm does after taking over a machine is insert itself in all the HTML documents it can find and email itself to every address it can find.
There are many many companies that are reasonably well firewalled from direct attack from the outside, but where people use windows machines internally to use the Internet. Bam, they’re dead. And once one machine is infected it can attack all the others from the inside of the network, which is much easier.
You can’t even conceive of how bad it could get. Once it’s loose it will be impossible to reign in. Thousands of companies, government agencies, even military branches could be completely paralyzed, all their internal data compromised. Very few institutions would be safe.
I think this is one of the greatest dangers facing the civilized world today. No joke. But people won’t believe it until it happens. Imagine all the fears about Y2K amplified dramatically, but this is much more real than Y2K. Y2K was a very speculative concern because nobody really knew how vulnerable we were. But there’s no question about how widespread unpatched windows systems are.
What he is referring to is a report that it has now been shown that a specially crafted JPEG image can contain executable commands when viewed using an unpatched Windows system. That means a virus can hide in a picture. Every single webpage that you look at contains jpeg pictures, probably hundreds of them. That means that merely by viewing a webpage, or a picture someone sends you in email, or even by sending you an email without something you recognize as a picture (the background of Outlook stationary is a JPEG file, you just don’t know it), you can get a virus on your computer. This is very, very dangerous. You no longer have to open an attachment to get infected.
If you’re running Windows XP, make sure you have the newly released Service Pack. If you’re running any other windows system, make sure you’re accepting every security update that Microsoft releases to keep up on the patches that fix these types of vulnerabilities. And if you’re not running a virus scan program that blocks viruses in real time, not just when you run a full system scan, get it now. If you don’t wanna pay for it, go to www.grisoft.com and download AVG, a free antivirus program that works quite well. Paul is right, this new discovery makes us much, much less secure in an almost limitless number of ways.