August 5, 2004 3:06 PM PDT

Image flaw pierces PC security

Six vulnerabilities in a common code that handles an open-source image format could allow intruders to compromise computers running Linux and may allow attacks against Windows PCs as well as Macs running OS X.

The security issues appear in a library supporting the portable network graphics (PNG) format, used widely by programs such as the Mozilla and Opera browsers and various e-mail clients. The most critical issue, a memory problem known as a buffer overflow, could allow specially created PNG graphics to execute a malicious program when the application loads the image.

Among the programs that use libPNG and are likely to be affected by the flaws are the Mail application on Apple Computer's Mac OS X, the Opera and Internet Explorer browsers on Windows, and the Mozilla and Netscape browsers on Solaris, according to independent security researcher Chris Evans, who discovered the issues. Apple and Microsoft could not immediately be reached for comment. Evans did not test every platform to check which vulnerabilities work, he said.

The most critical vulnerability crashed two open-source browsers, Evans said. "A scarier possibility is targeted exploitation by e-mailing a nasty PNG to someone who uses a graphical e-mail client to decode" images, he added.

The Mozilla Foundation, the group that manages development of the Mozilla and Firefox browsers and the Thunderbird e-mail client, patched the flaws Wednesday, the same day news of the vulnerabilities was made public. Microsoft continues to study the issue, a representative of the software giant said late Thursday.

"Microsoft has not been made aware of any active exploits of the reported vulnerability or customer impact at this time, but is aggressively investigating the public reports," the representative said.

Both Microsoft and Linux have previously had security issues stemming from the PNG format. Eighteen months ago, Microsoft labeled as critical a flaw in how Internet Explorer handled PNG images. More than two years ago, a compression format flaw in Linux allowed PNG images, among other types of data, to crash programs running on the operating system.

A patched version of the PNG library, known as libPNG, can be downloaded from Linux operating-system sellers and the PNG Web site.

Security information service Secunia gave the vulnerabilities its second-highest rating, highly critical, and warned computer users to watch out.

"The vulnerabilities can be exploited by tricking a computer user into visiting a malicious Web site or viewing an e-mail with an affected application linked to libpng," Secunia stated in its advisory on the problems.

The U.S. Computer Emergency Readiness Team, the nation's official computer threat watchdog, released an advisory on the PNG issue on Tuesday and advised companies and individuals to update their systems.

16 comments

Join the conversation!
Add your comment
Misleading title
The title of this article implies that there is a security flaw in the Linux operating system but in reality there is a flaw in an image standard that effects all programs on all operating systems that can display the image format.

So why was Linux singled out?
Posted by Fray9 (547 comments )
Reply Link Flag
Consider why
The person who discovered the vunerability only tested this on
Linux. I think the title is a bit off, but it made you read it didn't
it? It is possible other systems are not vunerable, but I doubt it.
Posted by (2 comments )
Link Flag
Title is just fine
whenever a file or application presents a security or stability problem on Windows, the open-source crowd uses it as an opportunity to decry windows security and stability. But when the .png file format introduces a security threat to Linux, open-source people very quickly show up and suggest that Linux is not the problem, .png is the problem. Double standard? If Linux was secure, it would not allow any applications or programs to create buffer overflows. Wow.. imagine that... a safe, secure operating system... not on this planet.
Posted by David Arbogast (1709 comments )
Link Flag
Title was changed
The title of the story was changed from "Linux" to "PC" for those playing along at home scratching their heads over what the fuss is all about.

Thanks CNet for being attentive to our concerns over needlessly sensationalist and/or inaccurate headlines/stories.

As a neutral party in the whole Linux/Windows battle (both are good at what they were designed for.. the right tool for the job and such) even I disapprove of attacks or misinformation against either platform. Let each individual try both and make up their own minds. When people start taking sides and thinking their way is the best way things get needlessly ugly.

Windows was designed to be easy to use.
Linux was designed for stability and security.

Please just give each the credit their due and dont fault them for what they werent meant to do.
Posted by Fray9 (547 comments )
Link Flag
Advocate.
Because Internet Explorer does not use LibPNG, and LibPNG does not ship with Windows.

Linux is vulnerable on default install as it actually ships LibPNG.

What, if it is not a kernel vuln than the "Linux Operating System" is not vulnerable?

Sounds like a cheap way to dodge the fact that Linux has security vulns too.
Posted by Dachi (797 comments )
Reply Link Flag
Linux isn't perfect?
Wow, and I thought it was made by superhumans incapable of
mistake making. Vunerabilities are something any computer has
to deal with. I bet there are even vunerabilities in a TiVo if you
think about it.
Posted by (2 comments )
Link Flag
Mozilla-Firefox fix?
I think the PNG image vulnerability has been addressed in the latest updates of Mozilla, Firefox and Thunderbird - <a class="jive-link-external" href="http://www.mozilla.org/projects/security/known-" target="_newWindow">http://www.mozilla.org/projects/security/known-</a>
vulnerabilities.html#mozilla1.7.2
Posted by Damienkeith (2 comments )
Reply Link Flag
PaX, ProPolice
Easily deflected by using PaX (for the executable space proctections' memory policy and ASLR) and Stack Smash Protection/ProPolice. I'm not explaining these again; I've written articles on this crap, go read 'em.

<a class="jive-link-external" href="http://en.wikipedia.org/wiki/PaX" target="_newWindow">http://en.wikipedia.org/wiki/PaX</a>
<a class="jive-link-external" href="http://en.wikipedia.org/wiki/ProPolice" target="_newWindow">http://en.wikipedia.org/wiki/ProPolice</a>

You want to know why we need these? THIS is why.
Posted by bluefoxicy (3 comments )
Reply Link Flag
Apple released Security Update 2004-08-09 today
Apple has released a security update today (9 Aug 2004) to
address the issue. It can be downloaded using the Software
Update application.
Posted by JadisOne (13 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.