July 28, 2005 11:21 AM PDT

The hunt is on for file format bugs

LAS VEGAS--New tools could help bug hunters find vulnerabilities in popular file formats, such as the JPEG and GIF image formats.

Flaws in how applications handle those file formats are drawing interest among security researchers, according to speakers at the Black Hat security conference here.

Some of those bugs can be serious: A victim's PC could be hijacked by simply viewing an image on a Web site or in an e-mail. Microsoft issued three "critical" security bulletins earlier this month, two related to file format flaws.

There could be a significant increase in the discovery of such flaws. iDefense, a security intelligence company, is making available tools that let researchers automate the discovery of file format vulnerabilities. The company released the tools Thursday in conjunction with Black Hat.

"I really do think this is a low-hanging-fruit area for vulnerabilities," Michael Sutton, a lab director at iDefense, said in a presentation at Black Hat. iDefense itself has found several file format flaws. "We really did not work hard to find the vulnerabilities. We did work hard on the tools."

The tools, for Windows and Linux, can automatically tweak files bit-for-bit and then open the malformed file in any application. If an error is found in the opening of the file, the tool will capture the error data. The researcher can then investigate that data, which may point to a vulnerability, according to iDefense.

"These are not tools where you just push a button and the vulnerability shows up," Sutton said. "It pinpoints an exception and then you as a researcher have to investigate."
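
The mutate, open and capture loop described above, as an added Python example that is not code from iDefense or from the tools named in this article. The `IMG0` format, `parse_image` and `fuzz` are hypothetical, and the toy parser runs in-process as a stand-in for the application a real tool would launch.

```python
import struct

# Constructed toy format (an assumption, not a real image format):
# magic "IMG0" | width u16 LE | height u16 LE | width*height pixel bytes
def parse_image(data: bytes) -> list:
    """Toy parser standing in for the application under test."""
    if data[:4] != b"IMG0":
        raise ValueError("bad magic")      # clean rejection, not a finding
    width, height = struct.unpack_from("<HH", data, 4)
    pixels = data[8:]
    # Defect left in on purpose: the header dimensions are trusted and never
    # checked against the number of pixel bytes actually present.
    return [[pixels[y * width + x] for x in range(width)]
            for y in range(height)]

def mutations(seed: bytes):
    """Yield (offset, bit, mutated) for every single-bit flip of the seed."""
    for offset in range(len(seed)):
        for bit in range(8):
            mutated = bytearray(seed)
            mutated[offset] ^= 1 << bit
            yield offset, bit, bytes(mutated)

def fuzz(seed: bytes, target=parse_image) -> list:
    """Run target on each mutation and record unexpected exceptions."""
    findings = []
    for offset, bit, data in mutations(seed):
        try:
            target(data)
        except ValueError:
            continue                       # parser rejected the input cleanly
        except Exception as exc:           # anything else needs a human look
            findings.append({"offset": offset, "bit": bit,
                             "error": type(exc).__name__,
                             "input": data.hex()})
    return findings

# Constructed seed file: a valid 2x2 image.
SEED = b"IMG0" + struct.pack("<HH", 2, 2) + bytes([10, 20, 30, 40])

if __name__ == "__main__":
    for finding in fuzz(SEED):
        print(finding)
```

Every finding clusters on offsets 4 to 7, the width and height fields, which is the kind of pointer a researcher then follows into the parser to find the missing bounds check.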

The tools, called FileFuzz for Windows and SpikeFile and NotSpikeFile for Linux, could be used with malicious intent, but iDefense hopes they will be used to help protect users. "These don't have to be used for evil purposes. They can be used for good, and I hope they will be," Sutton said.

One Black Hat attendee said he expects only well-intended security researchers to use the tools. "These tools only discover whether an application and a format could have a vulnerability," said Joshua Feldman, a security engineer at Science Applications International. "This is definitely for the white hats."

The tools are open source, which means others can expand and improve upon them. They're available for download from the iDefense site.

Nitpick
by July 28, 2005 10:04 PM PDT
The vulnerabilities aren't in the file formats themselves; they're in the programs that read them. A hole in one JPEG decoder, for instance, doesn't mean that JPEG itself is problematic.