MS Windows image exploit?

[mastamper]

The I.T. department where I work sent all of us an email today quoted at the end of this post containing information about a Microsoft flaw with images.

Am I at risk viewing images people have uploaded here or do you have a way of scanning them before they are uploaded?

(What will I do if I can't browse SCS while I wait for a new Microsoft update?????)

"In recent days, the computing security community and Microsoft have confirmed the existence of a flaw in the way that Microsoft products handle and process image files. This flaw exists in many products (Windows 95 through XP) utilized here. Most consumer desktops (e.g., your home computer) are affected as well.

Microsoft has NOT released a patch for this flaw but is actively working on a solution. Until a patch is released and installed, we recommend that you practice the following safe computing rules:
Do not open e-mail from individuals or sites that you do not recognize.
Do not click on or open image file attachments that you have not requested.
Limit your Web surfing to sites that you know and trust. Trusted commercial Web sites are not likely to have malicious images that exploit the flaw.
Disable Google desktop search. There are reports that Google's desktop search tool can trigger the image flaw if you happen to have a malicious image file on your computer.
Keep your virus scanning software up-to-date and active."

[splitcoaststampers]

I find these kind of warnings annoying, because they generate FUD (fear, uncertainty and doubt) in far greater measure than they ever deserve.

some of the above is good advice in any case (virus software up to date, etc.) and some of it is alarmist nonsense. just my opinion of course, and nothing against your IT dept.

as far as SCS goes, any image uploaded here should not be of any risk to you, because each one gets "laundered" as part of the upload process. when an image is uploaded, the gallery software re-saves the image in order to assure that it's not too large, to optimize the file size, etc. Any problem with the original image would be eliminated when the file is re-saved.

no worries!

[mastamper]

Thanks for the quick reply, Daven!

In defense of our Chief Technology Officer, we have gotten bitten pretty bad in the past because of careless users. I work at a large university medical center and their best option of protecting all of us (and our huge room of servers) would be to restrict internet access to internal-only web sites like other corporations have done.

But that would mean no SCS browsing - er, I mean searching for medical research information!

Whew! Glad I won't have to go through SCS withdrawal although the forums might have tided me over for awhile.

[splitcoaststampers]

you're right, it's perfectly understandable that IT people would be protective of assets like the network infrastructure of a large organization. hope I didn't come across too strongly, and cool to hear where you work.

I just tend to under-react to things like this. the mere fact that a flaw exists *doesn't* mean that there's something out there that actually exploits the flaw. many times these kind of things get announced and fixed without there ever being any harm done.

so to say that "your home computer is affected" is a little misleading. kinda like saying your and my neighborhoods are affected by herds of wild marauding elephants. well yes, it would be extremely risky for us to go outside in the event that wild elephants visit our neighborhoods, that's true. but until barnum & bailey are actually in town I'm probably not gonna worry about it too too much.

there are organizations out there who's sole mission is to research and map these types of security flaws, and they make a name for themselves when they find and report them. maybe it's like the bird flu thing. should I be worried about that?

[mastamper]

In case anybody else is interested, Microsoft released the patch this evening to address the flaw.