The code was published late last week, only days after Microsoft on Tuesday revealed the "critical" vulnerability and made available patches to fix the problem. Any application that processes JPEG images could be vulnerable. A wide range of Microsoft software, including versions of its Windows and Office products, is vulnerable.
So far only "proof-of-concept" code has been published, which can cause a vulnerable Web browser to crash or a PC to freeze. A fully developed exploit would allow an attacker to take control of a victim's computer by remotely opening a command prompt or downloading and running malicious software, one expert said Tuesday.
"Typically a proof of concept is a first step towards a full-blown exploit," said Johannes Ullrich, chief technology officer at The SANS Institute's Internet Storm Center. "It is an indication that people are playing with it and experimenting to try and get it to work for other purposes, typically to open a remote shell or download and execute code."
Microsoft is aware of the exploit code and is investigating the matter, a company spokeswoman said. "Microsoft's early investigation of this code indicates that it can cause a computer that does not have (the patches) installed to stop responding, but it does not execute code remotely," she said.
The link for this article located at infoworld.com is no longer available.