The Internet has more than four billion Web sites, each of which probably has at least five images on it, for a total of more than 20 billion image files. That now means 20 billion new ways to get a virus.
That's because attackers have begun using specially crafted JPEG image files (the ones carrying .JPG or .JPEG extensions) to exploit unpatched Windows computers. Other image formats are potentially vulnerable as well, but JPEG is the most common.
"Ducky," as one of the exploit variants is called, targets a vulnerability in GDI+, the Windows graphics component that parses and renders images. At risk are dozens of programs that rely on GDI+ to display pictures, including all the Microsoft Office applications.
"The vulnerability allows someone to make a malicious JPEG image, modify it, and create a corrupt version that would allow code to be run on your system," says Oliver Friedrichs, senior manager with Symantec Security Response. "Someone could install malicious software, a virus, or a worm on your system through one of these JPEG images."
A user has to click on a specially crafted image file for the infection to occur, but attackers are finding ways to facilitate this, says Dan Schrader, director of product marketing for FaceTime Communications, which creates products that secure instant messaging and peer-to-peer applications.
Schrader says there is a proof-of-concept virus that exploits the flaw. "You clicked on an image attached to an instant message, and that image redirected you to a Web site that automatically downloaded code, grabbed your 'buddy list,' and spammed itself out" to everyone on that list, he says.
Friedrichs says that Ducky is already being used to turn infected systems into "bots," zombie computers that an attacker can use to launch attacks or access data. "We've seen a series of attacks where some code was run on the system but then it would open up a door and connect back to pull down additional malicious code from another Web site," he says.
In all of these attacks, the infected systems were then used as relays for phishing e-mail impersonating Citibank. Once a machine was compromised, the attacker used it to send the fake Citibank messages, so that the phishing run appeared to originate from the victim's computer rather than from the attacker.
Schrader says that there have already been toolkits posted on the Web "so that any script kiddie could go and write their own virus using this new vulnerability." As a result, he concludes, "we are definitely going to see worms and viruses" that exploit this flaw.