Image flaw pierces PC security

Six vulnerabilities in a common code that handles an open-source image format could open the doors to intruders.

Six vulnerabilities in a common code that handles an open-source image format could allow intruders to compromise computers running Linux and may allow attacks against Windows PCs as well as Macs running OS X.

The security issues appear in a library supporting the portable network graphics (PNG) format, used widely by programs such as the Mozilla and Opera browsers and various e-mail clients. The most critical issue, a memory problem known as a buffer overflow, could allow specially created PNG graphics to execute a malicious program when the application loads the image.

Among the programs that use libPNG and are likely to be affected by the flaws are the Mail application on Apple Computer's Mac OS X, the Opera and Internet Explorer browsers on Windows, and the Mozilla and Netscape browsers on Solaris, according to independent security researcher Chris Evans, who discovered the issues. Apple and Microsoft could not immediately be reached for comment. Evans did not test every platform to check which vulnerabilities work, he said.

The most critical vulnerability crashed two open-source browsers, Evans said. "A scarier possibility is targeted exploitation by e-mailing a nasty PNG to someone who uses a graphical e-mail client to decode" images, he added.

The Mozilla Foundation, the group that manages development of the Mozilla and Firefox browsers and the Thunderbird e-mail client, patched the flaws Wednesday, the same day news of the vulnerabilities was made public. Microsoft continues to study the issue, a representative of the software giant said late Thursday.

"Microsoft has not been made aware of any active exploits of the reported vulnerability or customer impact at this time, but is aggressively investigating the public reports," the representative said.

Both Microsoft and Linux have previously had security issues stemming from the PNG format. Eighteen months ago, Microsoft labeled as critical a flaw in how Internet Explorer handled PNG images. More than two years ago, a compression format flaw in Linux allowed PNG images, among other types of data, to crash programs running on the operating system.

A patched version of the PNG library, known as libPNG, can be downloaded from Linux operating-system sellers and the PNG Web site.

Security information service Secunia gave the vulnerabilities its second-highest rating, highly critical, and warned computer users to watch out.

"The vulnerabilities can be exploited by tricking a computer user into visiting a malicious Web site or viewing an e-mail with an affected application linked to libpng," Secunia stated in its advisory on the problems.

The U.S. Computer Emergency Readiness Team, the nation's official computer threat watchdog, released an advisory on the PNG issue on Tuesday and advised companies and individuals to update their systems.

Featured Video

This Nokia virtual-reality camera costs $60,000

Good VR doesn't come cheap, as evidenced by Nokia's Ozo 360-degree video camera. Meanwhile, Swatch's next smartwatch has mobile payments, and Blocks lets you build your own smartwatch.

by Bridget Carey