-- Update September 28, 2004 --
The 4395 DAT files no longer require that McAfee anti-virus products are configured to scan with program heuristics enabled to detect this threat.
-- Update September 22, 2004 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
-- Update September 18, 2004 --
AVERT has received numerous JPEG files that are detected as Exploit-MS04-028. These JPEG files do not appear to have been designed to be malicious; instead, they coincidentally contain code similar to the proof of exploit code in circulation, and they cause applications to crash in a similar fashion to JPEGs built to demonstrate exploitation of the vulnerability. The JPEG files in question are malformed, but do not contain any payload (code that executes as a result of the buffer overflow).
-- Update September 17, 2004 --
The 4393 DATs were released due to high customer demand to provide a broader solution to cover this threat. The gateway/mail server dependency has been removed and all scanners that use the 4393 DAT files can enable detection. The 4393 DAT files require that McAfee anti-virus products are configured to scan with program heuristics enabled and that all files are scanned (an alternative to scanning all files is to add .JP? to the extension list). However, AVERT strongly recommends that users scan all files rather than use the default extension list as this exploit is not restricted to files that use .JPG or .JPEG file extensions.
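The two points above (malformed JPEGs, and file extensions that cannot be trusted) can be shown with a content-based check; this is an added example, not AVERT's detection logic or any McAfee code. It identifies JPEGs by their leading bytes and flags header segments whose length field is impossible under the JPEG format. The function names and sample files are constructed for illustration.

```python
import struct

# Markers with no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))

def looks_like_jpeg(data):
    """Identify a JPEG by its leading bytes; the file name is never consulted."""
    return data[:3] == b"\xff\xd8\xff"

def malformed_segments(data):
    """Report (offset, marker, declared_length) for the first header segment whose
    length is below 2 (the field counts its own two bytes) or past end of data."""
    pos = 2  # skip SOI
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return [(pos, None, None)]            # marker sync lost
        marker = data[pos + 1]
        if marker == 0xD9:                        # EOI: end of image
            break
        if marker == 0xFF or marker in STANDALONE:
            pos += 1 if marker == 0xFF else 2     # fill byte or bare marker
            continue
        if pos + 4 > len(data):
            return [(pos, marker, None)]          # length field truncated
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            return [(pos, marker, length)]
        if marker == 0xDA:                        # SOS: entropy-coded data follows
            break
        pos += 2 + length
    return []

def verdict(data):
    """Classify on content only: 'not-jpeg', 'ok' or 'malformed'."""
    if not looks_like_jpeg(data):
        return "not-jpeg"
    return "malformed" if malformed_segments(data) else "ok"

# Constructed samples (no payload); names deliberately mismatch the content.
GOOD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(9) + b"\xff\xd9"
SAMPLES = {
    "holiday.jpg": GOOD,
    "notes.txt": b"\xff\xd8\xff\xe1\x00\x01\xff\xd9",   # length field below 2
    "logo.bmp": b"\xff\xd8\xff\xe0\x40\x00JFIF",        # length past end of data
    "fake.jpeg": b"plain text with an image extension",
}
RESULTS = {name: verdict(data) for name, data in SAMPLES.items()}
```

An extension-based filter would skip `notes.txt` and `logo.bmp`, the only two samples here that are structurally malformed JPEGs.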
-- Update September 16, 2004 --
Due to the serious nature of the vulnerability targeted by this exploit, and the release of demo exploit code, the 4392 DAT files were released early to allow for detection of this threat when using McAfee gateway and/or email scanning products while scanning all files with program heuristics enabled.
This detection is for JPEG files intended to exploit the recently announced vulnerability described in Microsoft Security Bulletin MS04-028.
For further details about the vulnerability, and links to the Microsoft patches, click on the following link: