Multiple vulnerabilities in an open-source image file format could be exploited by attackers to compromise machines running Linux, Windows, or Mac OS X, security researchers said Friday.
The vulnerabilities, which were first disclosed by independent security researcher Chris Evans, are in the library that supports the .png file format (for Portable Networks Graphics), an alternative to the popular .gif format for Web pages.
The library is used by several browsers, including the open-source Mozilla and Firefox, Apple's Safari, and Microsoft's Internet Explorer, as well as some e-mail clients. Evans had not tested all versions of all browsers, however, so the exact severity of the vulnerability isn't yet known.
libPNG can be compromised with a buffer overrun, said Evans, and if users are enticed to a malicious site with specially crafted .png images, could lead to a hostile takeover of the system by hackers.
"It crashes both Mozilla and Konqueror," wrote Evans in a detailed explanation of the vulnerability on his Web site. "A scarier possibility is targeted exploitation by e-mailing a nasty PNG to someone who uses a graphical e-mail client to decode PNGs with a vulnerable libpng."
Earlier this week, US-CERT, the federally-funded computer emergency readiness team, posted an advisory recommending that users patch against the vulnerability -- if a fix is available. Danish security firm Secunia did the same Thursday after rating the vulnerability as "Highly Critical."
"The vulnerabilities can be exploited by tricking a user into visiting a malicious Web site or view a malicious e-mail with an affected application linked to libpng," said Secunia in its alert.
In quick reaction, the Mozilla Foundation posted updates on its Web site.
New versions of Mozilla (1.7.2) and Firefox (0.9.3) browsers and the stand-alone Thunderbird (0.7.3) e-mail client are available from the Mozilla Foundation's Web site. The new editions also patched other flaws, including one dealing with how the software handled digital security certificates.
Although Opera updated its browser to 7.54 earlier this week, the new version included security fixes other than the libPNG vulnerability. Apple and Microsoft have not issued patches for their programs.