Test an image for GDI+ hack?

Is there a way to test an image to see if it has the GDI+ exploit?  I know how to test if my computer is VULNERABLE for the GDI+ exploit, but that's not what I want.  I want to see if an image is using the exploit.

My firewall is blocking a particular PDF saying: Error: "Attack Info: Malformed JPEG"  

How can I find out if this is a false positive, or if this image really is a hack/exploit?

shanepresley Asked:

elbereth21 Commented:
I think it would be better if you first tested whether your system is vulnerable to GDI+, then simply opened your image in a test (not production) environment where you did not patch the problem.
0
elbereth21 Commented:
Also take a look at this excerpt taken from http://www.informit.com/guides/content.asp?g=security&seqNum=52
" At the very beginning of a JPEG file, there is a value that tells the parser if there is comment data included with the jpeg file. If there is no comment, the value is set to '2', or it is higher if there is a comment. If you insert a '1' or '0' in this location, the GDI+ code will use this information and overwrite the stack with data, which may allow an attacker to execute their own code. The following is an example of what the first several bytes of a potentially dangerous jpeg look like:
FF D8       - designated JPEG header
FF E0       - Start of comment section
00 10       - Indicates problem (should be 00 20)
4A 46 49 46       - JFIF

The danger in this is that one day after the vulnerability was posted, an example was released. This simplifies the exploit creation process by giving potential attackers a solid place to start. Windows XP (not SP2) was found to be vulnerable, as well as a collection of other software packages that use this dll to process jpeg images. Note: Antivirus companies are detecting this anomaly and calling it Bloodhound. "
0
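A static check along the lines the excerpt describes, as an added example that is not part of the original thread or the quoted article: it walks the marker segments of a JPEG and reports any segment whose two-byte length field is 0 or 1 (the field counts its own two bytes, so 2 is the minimum). The function names and the sample bytes are constructed for illustration.

```python
import struct

# Markers that carry no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))

def scan_jpeg_segments(data, start=0):
    """Walk the header segments of the JPEG whose SOI (FF D8) is at `start`.
    Returns (offset, marker, length) for each segment with length < 2."""
    findings = []
    pos = start + 2                      # skip FF D8
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            break                        # lost sync: not a marker
        marker = data[pos + 1]
        if marker == 0xFF:               # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:               # EOI: end of image
            break
        if marker in STANDALONE:
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            findings.append((pos, marker, length))
            break                        # nothing after this can be trusted
        if marker == 0xDA:               # SOS: entropy-coded data follows
            break
        pos += 2 + length
    return findings

def scan_blob(data):
    """Scan every embedded JPEG start (FF D8 FF) in a container such as a PDF."""
    results = []
    idx = data.find(b"\xff\xd8\xff")
    while idx != -1:
        results.extend(scan_jpeg_segments(data, idx))
        idx = data.find(b"\xff\xd8\xff", idx + 1)
    return results

# Constructed samples: a segment with length 2 (valid, empty) and length 1 (malformed).
GOOD = b"\xff\xd8\xff\xfe\x00\x02\xff\xd9"
BAD = b"\xff\xd8\xff\xfe\x00\x01AAAA\xff\xd9"
PDF_PREFIX = b"%PDF-1.4 constructed\n"

if __name__ == "__main__":
    for off, marker, length in scan_blob(PDF_PREFIX + BAD + b"\nendstream"):
        print(f"offset {off}: marker FF {marker:02X} has length {length}")
```

A raw byte scan like this only sees JPEG data stored unmodified in the container; an image stream that a PDF wraps in an additional compression filter has to be decoded first. A finding means the file is malformed in the way the excerpt describes, which is what the firewall signature is reporting.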

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.