Test an image for GDI+ hack?

Posted on 2004-11-24
Last Modified: 2010-04-11
Is there a way to test an image to see if it has the GDI+ exploit?  I know how to test if my computer is VULNERABLE for the GDI+ exploit, but that's not what I want.  I want to see if an image is using the exploit.

My firewall is blocking a particular PDF saying: Error: "Attack Info: Malformed JPEG"  

How can I find out if this is a false positive, or if this image really is a hack/exploit?

Question by:shanepresley
    Expert Comment

    I think it would be better if you first tested whether your system is vulnerable to GDI+, then simply opened your image in a test (not production) environment where you did not patch the problem.
    Accepted Solution

    Also take a look at this excerpt, taken from
    " At the very beginning of a JPEG file, there is a value that tells the parser if there is comment data included with the jpeg file. If there is no comment, the value is set to '2', or it is higher if there is a comment. If you insert a '1' or '0' in this location, the GDI+ code will use this information and overwrite the stack with data, which may allow an attacker to execute their own code. The following is an example of what the first several bytes of a potentially dangerous jpeg look like:
    FF D8       - designated JPEG header
    FF E0       - Start of comment section
    00 10       - Indicates problem (should be 00 20)
    4A 46 49 46       - JFIF

    The danger in this is that one day after the vulnerability was posted, an example was released. This simplifies the exploit creation process by giving potential attackers a solid place to start. Windows XP (not SP2) was found to be vulnerable, as well as a collection of other software packages that use this dll to process jpeg images. Note: Antivirus companies are detecting this anomaly and calling it Bloodhound. "
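Added example, not from this thread or from the quoted excerpt: a small Python scanner that answers the question as posed, walking the marker segments of a JPEG header and reporting any segment whose two-byte length field is 0 or 1, the values the excerpt singles out. It generalizes the excerpt's single case to every marker segment, on the assumption that the JPEG length field is big-endian and counts its own two bytes, so a well-formed file never declares a length below 2; the sample headers below are constructed, not real files.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
NO_LENGTH = {0x01, *range(0xD0, 0xD8)}   # TEM and RST0..RST7 carry no length field


def scan_jpeg_segments(data: bytes) -> list:
    """Walk the marker segments of a JPEG header and return
    (offset, marker, declared_length) for every segment whose two-byte
    big-endian length field is below 2.  The length counts its own two
    bytes, so a well-formed file never declares 0 or 1 there."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("not a JPEG: missing FF D8 start-of-image marker")
    findings = []
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker byte at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                 # 0xFF fill bytes may precede a marker
            pos += 1
            continue
        if marker == EOI:
            break
        if marker in NO_LENGTH:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment at offset {pos}")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:
            findings.append((pos, marker, length))
            break                          # the length can no longer be trusted to advance
        pos += 2 + length
        if marker == SOS:
            break                          # entropy-coded image data follows
    return findings


# Constructed samples, not real files: a minimal valid JFIF header, the same
# header with the APP0 length bytes set to 00 01, and a comment (COM, FF FE)
# segment whose length is 00 00.
GOOD = bytes.fromhex("FFD8 FFE0 0010 4A46494600 0101 00 0001 0001 0000 FFD9")
BAD_APP0 = bytes.fromhex("FFD8 FFE0 0001 4A46494600 0101 00 0001 0001 0000 FFD9")
BAD_COM = bytes.fromhex("FFD8 FFFE 0000 FFD9")

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("bad_app0", BAD_APP0), ("bad_com", BAD_COM)):
        print(name, scan_jpeg_segments(sample) or "no undersized segments")
```

The poster's file is a PDF, so its embedded DCTDecode image streams would have to be extracted to bare JPEG data first; the scanner does not parse PDF containers.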
