[Am-info] Image flaw pierces PC security

Fred Miller fmiller@lightlink.com
Sat, 7 Aug 2004 11:39:30 -0400 

http://zdnet.com.com/2100-1105_2-5298999.html

Image flaw pierces PC security
By <mailto:rob.lemos@cnet.com>Robert Lemos
CNET News.com
August 5, 2004, 3:06 PM PT
135ef94.jpg

Six vulnerabilities in a common code that handles an open-source image
format could allow intruders to compromise computers running Linux and may
allow attacks against Windows PCs as well as Macs running OS X.

The security issues appear in a library supporting the portable network
graphics (PNG) format, used widely by programs such as the Mozilla and
Opera browsers and various e-mail clients. The most critical issue, a
memory problem known as a buffer overflow, could allow specially created
PNG graphics to execute a malicious program when the application loads the
image.

Among the programs that use libPNG and are likely to be affected by the
flaws are the Mail application on Apple Computer's Mac OS X, the Opera and
Internet Explorer browsers on Windows, and the Mozilla and Netscape
browsers on Solaris, according to independent security researcher Chris
Evans, who discovered the issues. Apple and Microsoft could not immediately
be reached for comment. Evans did not test every platform to check which
vulnerabilities work, he said.

The most critical vulnerability crashed two open-source browsers, Evans
said. "A scarier possibility is targeted exploitation by e-mailing a nasty
PNG to someone who uses a graphical e-mail client to decode" images, he
 added.

The Mozilla Foundation, the group that manages development of the Mozilla
and Firefox browsers and the Thunderbird e-mail client, patched the flaws
Wednesday, the same day news of the vulnerabilities was made public.
Microsoft continues to study the issue, a representative of the software
giant said late Thursday.

"Microsoft has not been made aware of any active exploits of the reported
vulnerability or customer impact at this time, but is aggressively
investigating the public reports," the representative said.

Both Microsoft and Linux have previously had security issues stemming from
the PNG format. Eighteen months ago, Microsoft labeled as critical a flaw
in how Internet Explorer handled PNG images. More than two years ago, a
compression format flaw in Linux allowed PNG images, among other types of
data, to crash programs running on the operating system.

A patched version of the PNG library, known as libPNG, can be downloaded
from Linux operating-system sellers and
<http://dw.com.com/redir?destUrl=http%3A%2F%2Fwww.libpng.org%2Fpub%2Fpng%2Fli
bpng.html&siteId=2&oId=2100-1105-5298999&ontId=11&lop=nl_ex>the PNG Web site.

Security information service Secunia gave the vulnerabilities its
second-highest rating, highly critical, and warned computer users to watch
out.

"The vulnerabilities can be exploited by tricking a computer user into
visiting a malicious Web site or viewing an e-mail with an affected
application linked to libpng," Secunia stated in
<http://dw.com.com/redir?destUrl=http%3A%2F%2Fsecunia.com%2Fadvisories%2F1221
9%2F&siteId=2&oId=2100-1105-5298999&ontId=11&lop=nl_ex>its advisory on the
 problems.

The
<http://dw.com.com/redir?destUrl=http%3A%2F%2Fwww.us-cert.gov&siteId=2&oId=21
00-1105-5298999&ontId=11&lop=nl_ex>U.S. Computer Emergency Readiness Team,
 the nation's official computer threat watchdog, released an advisory on the
 PNG issue on Tuesday and advised companies and individuals to update their
 systems. 135ef99.jpg

-- 
"Running Windows on a Pentium is like getting a Porsche but only being
able to drive it in reverse with the handbrake on."