Don't download that JPEG!

by brian d foy

Related link:

The BBC reports that trojan-horse JPEG image files have made it into the wild. You have to use Windows Explorer to look at them, they say.

Why do we still allow our government to use this operating system?


2004-09-30 15:05:25
That is scary, and I think there's a bit of confusion with the terms Windows Explorer vs Internet Explorer. I do not use IE under any circumstance, but I think it's irrelevant because I use Windows. I think that My Pictures are viewed through Windows regardless of browser. However, I have Windows 98, which I didn't see on the list of the vulnerable. I suspect that using an alternative browser may be creating a false sense of security for Windows users.
2004-09-30 15:12:43
I probably have it mixed up: I'm not a Windows person, certainly.

I am under the impression that Windows Explorer and IE share code and libraries. If someone can elucidate that, I'd appreciate it.

2004-09-30 23:39:43
IE uses Windows system functions all over the place (obviously, it's a Windows application) and Windows uses IE (mainly to render HTML and XML content).

There's no Windows API call to render a JPEG image, so probably Windows Explorer uses the IE JPEG renderer for that task.

Remember IE is an integral part of Windows from Windows 98 upwards; removing it disables a lot of functionality of the operating system itself (such as parts of the help system, file preview capabilities of Windows Explorer and the active desktop).

Of course Microsoft themselves have had an update available and incorporated in Windows Update since 14 September, over 2 weeks before the BBC cried foul, something the BBC doesn't mention except a very small link in a sidebar titled "related links"...
As usual with Windows the first hint of a possible flaw is the availability of an update that fixes it.

Windows versions prior to Windows XP (pre-SP2) are not affected, though applications installed on them may be.

Official Microsoft announcement and update site: