From:         Patrick Douglas Crispen 
Subject:      Tourbus - 23 Sep 04 - Closing Microsoft's JPEG Processing Vulnerability

TODAY'S TOURBUS TOPIC: Closing Microsoft's JPEG Processing Vulnerability

The Internet Tourbus - U.S. Library of Congress ISSN #1094-2239
Copyright © Bob Rankin and Patrick Crispen - All rights reserved

Howdy, y'all, and greetings once again from deep behind the orange curtain in beautiful Irvine, California, the last Catholic monarch to reign over England, Scotland or Ireland.

TOURBUS is made possible by the kind support of our sponsors. Please take a moment to visit today's sponsors and thank them for keeping our little bus of Internet happiness on the road week after week.

On with the show...

I need to apologize to our Mac users. Today's post focuses solely on a Microsoft security problem that promises to become a big issue over the next couple of days. I hope you don't mind.

Microsoft Security Update
Audience: All Windows Users [sort of]

Last week I mentioned that Microsoft released a series of patches that [hopefully] closes a rather nasty security hole in how Microsoft products process JPEG images. Affected Microsoft products include:

  • Windows XP and XP SP1 [but not SP2];
  • Internet Explorer 6 SP1;
  • Microsoft Office XP [Outlook, Word, Excel, PowerPoint, FrontPage, and/or Publisher]; and/or
  • Microsoft Office 2003 [Outlook, Word, Excel, PowerPoint, FrontPage, Publisher, InfoPath, and/or OneNote]

    Even more discouraging is the fact that patching this hole is more complicated than usual in that it involves updating both Windows *AND* Microsoft Office, something few people know how to do.

    I also mentioned in an earlier post that when Microsoft releases any new security patch an unintended consequence is that the bulletin announcing the patch also announces that vulnerability to crackers. Crackers count on the fact that you won't get the patch--your computer will continue to be vulnerable.

    Well, our friends at [.com] announced yesterday that

    A sample program hit the Internet on Wednesday, showing by example how malicious coders could compromise Windows computers by using a flaw in the handling of a widespread graphics format by Microsoft's software.


    What does this mean in English? Well, in your fearless bus driver's humble opinion, Microsoft's JPEG processing vulnerability is moments away from becoming the next big computer security threat, one from which your antivirus and firewall may not protect you. Last week's bulletin is literally this week's exploit.

    Hence today's [repeated] post.

    Fortunately, despite what the media is going to tell you over the next few days, there's no need to panic. Closing this hole is a snap. You just have to follow a few simple steps.

    ------- XP SP2? -------

    If you have already upgraded your computer to Windows XP Service Pack 2 [XP SP2], stop reading. The JPEG processing vulnerability patch is built into XP SP2. Your computer is already protected.

    But, if you haven't yet upgraded, DON'T! Not yet anyway. While XP SP2 does fix Microsoft's JPEG processing vulnerability, it could introduce a whole host of other problems to your computer that you just don't want to deal with today.

    Don't get me wrong, you *NEED* XP SP2. Just not today. My recommendation is to wait until after Halloween. In fact, some time in early November I'll write a Tourbus post showing you, step-by-step, how to upgrade to XP SP2 safely and easily.

    For now, let's focus our attention back on Microsoft's JPEG processing vulnerability. When you try to run Windows Update on a computer that doesn't yet have XP SP2, the only critical update Microsoft shows you is--you guessed it--XP SP2. You don't even have the option of getting the patch that closes the JPEG processing vulnerability.


    What you need to do is tell Microsoft to hide their XP SP2 upgrade from your computer for a while. To do that, just point your web browser to

    and download Microsoft's free "XP SP2 Blocker Tools." These free tools temporarily keep Windows Update from automatically installing XP SP2 onto your computer until April 13, 2005. [I'll show you how to unblock this in an upcoming Tourbus post.]

    Before you can download the XP SP2 Blocker Tools, Microsoft asks you to voluntarily validate that you are running a licensed, non-stolen copy of Windows. Click on the continue link in the yellow bar and you are taken to a page where you are asked to give Microsoft permission to check your license of Windows. Even if you say no, you'll still be able to download the XP SP2 Blocker Tools.

    Once you're past the validation page,

    1. Click on the Download link on the right side of the page.

    2. When asked if you would like to open or save
    [XPSP2BlockerTools.EXE] to your computer click on the Open button.

    3. Click on the Yes button to agree to the [five page, two
    thousand word] end user license agreement.

    4. When asked to type the location where you want to place the
    extracted files, click on the Browse button.

    5. Scroll to the top of the list, choose your Desktop, and click
    on the OK button.

    6. Click on the OK button again to extract the files.

    7. Close your web browser and any other open program.

    8. On your desktop you will see five new icons. Double-click on
    XPSP2Blocker. A window will open telling you that the Action [was] successfully completed, and the window will automatically close after 5 seconds.

    9. Feel free to delete those five new icons from your desktop.
    You won't need them again.

    That's it. Windows Update won't try to install XP SP2 onto your computer until mid-April. And, better still, you can now see the critical updates that Microsoft has been hiding from you.

    Getting the patch

    To get the JPEG processing vulnerability patch:

    1. Run Windows Update by going to Tools > Windows Update in
    Internet Explorer. Click on "Scan for updates." Then just install ALL of the critical updates available for your computer by clicking "Review and install critical updates." You may need to restart after you install the critical updates, and remember to always rerun Windows Update until it tells you to go away.

    Most people will stop here, thinking they have successfully protected their computers from this new JPEG processing vulnerability. And most people will be wrong. You still have two more steps to go.

    2. Run Office Update by going to and clicking on "Check for updates." Since the JPEG processing vulnerability is in both Windows *and* Office, and since the older version of Windows Update doesn't automatically scan Office for updates, the only way--well, actually, the *easiest* way--to get the latest critical updates for Microsoft Office is to manually go to

    Have your Office installation CD-ROM nearby. Microsoft may want to "sniff" your disk to make sure you actually own a licensed copy of Office. But what if you can't find your Office installation disk? Unfortunately, you're hosed. You are going to have to borrow a disc from a friend. No disc, no Office update. And this JPEG processing vulnerability is so nasty that you NEED to update Office as soon as possible.

    3. The third and final step is to, in Internet Explorer, go to and click on "Check for Affected Imaging Software." This scans older versions of Windows to make sure that you don't have any Microsoft imaging software hiding on your computer that is also vulnerable to this JPEG processing vulnerability.

    Remember, running Windows Update is only one-third of the patch process, and you may need to hide XP SP2 before you can even do that. Once you have the patch, you also need to run Office Update and [if you are running an older version of Windows] have Microsoft scan your imaging programs.

    Then sit back, grab a bag of popcorn, and watch the show as the JPEG processing vulnerability takes down everyone's computer but yours.

    Tivo now $50

    Back on September 9th I mentioned that Tivo had cut the price of an entry-level digital recorder to US$99.00 after a $100 rebate. [See if you missed that post.]

    Well, Circuit City is now selling brand new, 40 hour series 2 Tivos for only $49.99 after a $100 rebate. A new Tivo for FIFTY BUCKS! It doesn't get any cheaper than that, folks.

    Check out either TCD24004A-/sem/rpsm/oid/69130/rpem/ccd/


    for more information. And if you sign up for Tivo, when they ask you who referred you, type in

    Why? Well, as I mentioned on the 9th, if you buy a TiVo box and subscribe to the TiVo service, Tivo is going to reward me with free schwag. My goal is to get so many people signed up that I can give free Tivos to everyone on the planet.

    Seriously though, if you've been thinking about getting a Tivo, now is the time to do it. Even if you don't tell them I sent you. :)

    That's it. Have a safe and happy weekend, and we'll talk again soon!

               .~~~.  ))
     (\__/)  .'     )  ))       Patrick Douglas Crispen
     /o o  \/     .~
    {o_,    \    {    
      / ,  , )    \  
      `~  -' \    } ))    AOL Instant Messenger: Squirrel2K
     _(    (   )_.'
    ---..{____}                  Warning: squirrels.
