LAS VEGAS--New tools could help bug hunters find vulnerabilities in popular file formats, such as the JPEG and GIF image formats.
Flaws in how applications handle those file formats are drawing interest among security researchers, according to speakers at the Black Hat security conference here.
Some of those bugs can be serious: A victim's PC could be hijacked by simply viewing an image on a Web site or in an e-mail. Microsoft issued three "critical" security bulletins earlier this month, two related to file format flaws.
There could be a significant increase in the discovery of such flaws.
iDefense, a security intelligence company, is making available tools that let researchers automate the discovery of file format vulnerabilities. The company released the tools Thursday in conjunction with Black Hat.
"I really do think this is a low-hanging-fruit area for vulnerabilities," Michael Sutton, a lab director at iDefense, said in a presentation at Black Hat. iDefense itself has found several file format flaws. "We really did not work hard to find the vulnerabilities. We did work hard on the tools."
The tools, for Windows and Linux, can automatically tweak files bit-for-bit and then open the malformed file in any application. If an error is found in the opening of the file, the tool will capture the error data. The researcher can then investigate that data, which may point to a vulnerability, according to iDefense.
"These are not tools where you just push a button and the vulnerability shows up," Sutton said. "It pinpoints an exception and then you as a researcher have to investigate."
The tools, called FileFuzz for Windows and SpikeFile and NotSpikeFile for Linux, could be used with malicious intent, but iDefense hopes they will be used to help protect users. "These don't have to be used for evil purposes. They can be used for good, and I hope they will be,"
Sutton said.
One Black Hat attendee said he expects only well-intended security researchers to use the tools. "These tools only discover whether an application and a format could have a vulnerability," said Joshua Feldman, a security engineer at Science Applications International. "This is definitely for the white hats."
The tools are open source, which means others can expand and improve upon them. They're available for download from the iDefense site.
The vulnerabilites aren't in the file formats themselves; they're in the programs that read them. A hole in one JPEG decoder, for instance, doesn't mean that JPEG itself is problematic.
Apple says it's got a third-party group looking for issues at manufacturing partners it uses. Read CNET's FAQ to find out how we got here and what the next steps are.
NY professor believes that a word-based algorithm can help bring together those who believe, with one glimpse, that they have found and lost the love of their lives.
Proposal provides $140 billion for research and development of technologies such as clean energy, wireless communications, and cybersecurity--a 5 percent increase over 2012.
Along with green-lighting Google's buy of Motorola, the Justice Department today OKs an Apple-Microsoft-RIM partnership deal to buy Nortel patents, and Apple's plan to acquire Novell patents.
Chamtech's spray-on antenna uses a nano material to provide a low-power boost to antenna range. The wireless-in-a-can product may some day bring an end to unsightly cell towers.
There are a lot of things that AT&T's humongous Samsung Galaxy Note smartphone is, like a digital memo pad, a medium-size reader, and a great photo companion.
EnerG2 opens a plant to make an engineered carbon that will improve performance of energy storage devices and make storage for start-stop hybrid cars less expensive.
