
ICG Risk Blog - [ Pandemic flaws at the architectural and base component level ]

Pandemic flaws at the architectural and base component level


Hidden flaws at the architectural or base component level, in components that have over time come to be shared as "givens" not subject to investigative review, continue to open significant exploit potential across multiple operating systems.

This time it is the library for the Portable Network Graphics (libPNG) graphics format, used as an alternative to Graphics Interchange Format (GIF) and other image formats. The libPNG flaws are not Microsoft specific in that they affect:

  • Apple's Mac OS X Mail application
  • Opera and IE browsers on Windows
  • Mozilla and Netscape browsers on Solaris

The wide use of libPNG components reminds me of the flaws of ASN.1 Basic Encoding Rules (BER), written by Xerox back in the 1960s and so at the baseline of subsequent applications, of which MS was one; others include cell phone calls, Signaling System 7 (SS7), air traffic control systems, package tracking, SCADA systems, X.9 financial transaction protocols, public key cryptographic standards, VoIP, video teleconferencing, messaging systems, and public directory protocols.

Of the six vulnerabilities discovered to date in libPNG, the most serious could allow a remote attacker to execute arbitrary code on an affected system, whereas the others will crash apps using the library. Secunia gave the vulnerabilities a highly critical rating, its second-highest:

The vulnerabilities can... be exploited by tricking a user into visiting a malicious website or view a malicious email with an affected application linked to libpng.

Yet the problem is not new:

Both Microsoft and Linux have previously had security issues stemming from the PNG format. Eighteen months ago, Microsoft labeled as critical a flaw in how Internet Explorer handled PNG images. More than two years ago, a compression format flaw in Linux allowed PNG images, among other types of data, to crash programs running on the operating system.

Now, more than two years later, users of a wide spectrum of Mac, Linux, and MS apps are confronted with the specter of specially created PNG graphics executing "a malicious program when the application loads the image." Unfortunately, while patches have been made for Linux and Mozilla, they have yet to be effected for IE. And of course, one still has to install the patch when it is made available.

Not a comforting situation in the era of zero-day exploits.

Multiple Vulnerabilities in libpng
Original release date: August 4, 2004

Image flaw pierces PC security
By Robert Lemos
August 5, 2004, 3:06 PM PT

Exploit code for Microsoft vulnerability circulating
By William Jackson
GCN Staff

Gordon Housworth
