Browsers May Be Vulnerable To Image Exploit - InformationWeek


Vulnerabilities in an open-source image file format could be exploited by attackers to compromise machines running Linux, Windows, or Mac OS X, security researchers say.

Multiple vulnerabilities in an open-source image file format could be exploited by attackers to compromise machines running Linux, Windows, or Mac OS X, security researchers said Friday.

The vulnerabilities, which were first disclosed by independent security researcher Chris Evans, are in the library that supports the .png file format (Portable Network Graphics), an alternative to the popular .gif format for Web pages.

The library is used by several browsers, including the open-source Mozilla and Firefox, Apple's Safari, and Microsoft's Internet Explorer, as well as some e-mail clients. Evans had not tested all versions of all browsers, however, so the exact severity of the vulnerability isn't yet known.

libpng can be compromised through a buffer overrun, said Evans; if users are enticed to a malicious site serving specially crafted .png images, the flaw could lead to a hostile takeover of the system by hackers.

"It crashes both Mozilla and Konqueror," wrote Evans in a detailed explanation of the vulnerability on his Web site. "A scarier possibility is targeted exploitation by e-mailing a nasty PNG to someone who uses a graphical e-mail client to decode PNGs with a vulnerable libpng."

Earlier this week, US-CERT, the federally funded computer emergency readiness team, posted an advisory recommending that users patch against the vulnerability -- if a fix is available. Danish security firm Secunia did the same Thursday after rating the vulnerability as "Highly Critical."

"The vulnerabilities can be exploited by tricking a user into visiting a malicious Web site or viewing a malicious e-mail with an affected application linked to libpng," said Secunia in its alert.

In quick reaction, the Mozilla Foundation posted updates on its Web site.

New versions of Mozilla (1.7.2) and Firefox (0.9.3) browsers and the stand-alone Thunderbird (0.7.3) e-mail client are available from the Mozilla Foundation's Web site. The new editions also patched other flaws, including one dealing with how the software handled digital security certificates.

Although Opera updated its browser to 7.54 earlier this week, the new version's security fixes did not include one for the libpng vulnerability. Apple and Microsoft have not issued patches for their programs.
