Six Security Vulnerabilities Found In PNG Graphic Format

[Kent Pribbernow]

http://news.com.com/Image+flaw+pierces+PC+security/2100-1002_3-5298999.html?tag=nefd.top

"Six vulnerabilities in an open-source image format could allow intruders to compromise computers running Linux and may allow attacks against Windows PCs as well as Macs running OS X. The security issues appear in a library supporting the portable network graphics (PNG) format, used widely by programs such as the Mozilla and Opera browsers and various e-mail clients. The most critical issue, a memory problem known as a buffer overflow, could allow specially created PNG graphics to execute a malicious program when the application loads the image."

This is rather disturbing news as PNG is one of the most popular graphics formats used on the web. Some web graphics design software like Macromedia Fireworks MX (a product that I use every day in my work 8O ) uses PNG as its native file format. The vulnerability could allow hackers to create malicious image files that web browsers would unwittingly download and execute, allowing the intruders access to your vital data.

Isn't the internet fun? :wink:

[Kent Pribbernow]

http://news.com.com/Image+flaw+pierces+PC+security/2100-1002_3-5298999.html?tag=nefd.top

"Six vulnerabilities in an open-source image format could allow intruders to compromise computers running Linux and may allow attacks against Windows PCs as well as Macs running OS X. The security issues appear in a library supporting the portable network graphics (PNG) format, used widely by programs such as the Mozilla and Opera browsers and various e-mail clients. The most critical issue, a memory problem known as a buffer overflow, could allow specially created PNG graphics to execute a malicious program when the application loads the image."

This is rather disturbing news as PNG is one of the most popular graphics formats used on the web. Some web graphics design software like Macromedia Fireworks MX (a product that I use every day in my work 8O ) uses PNG as its native file format. The vulnerability could allow hackers to create malicious image files that web browsers would unwittingly download and execute, allowing the intruders access to your vital data.

Isn't the internet fun? :wink:

[Jason Dunn]

Is PNG really used all that often though? Myself, I never use it on Web pages - the advantages over GIFs and JPEGs are minimal. Alpha transparency on a 32-bit colour image is cool and all, but not if certain visitors can't see it.

[Crocuta]

Quote:

Originally Posted by Jason Dunn

Is PNG really used all that often though? Myself, I never use it on Web pages - the advantages over GIFs and JPEGs are minimal. Alpha transparency on a 32-bit colour image is cool and all, but not if certain visitors can't see it.

Or most visitors! I've been redesigning the web site for my department and really needed good transparency (i.e. no GIF halo) and in a 24 bit image and so I tried out .png for the first time. It seemed great until I opened it up in Internet Explorer, where the alpha channel was a block of semi-transparent white instead of fully transparent. A quick Net search turned up that this is a known bug in IE that MS doesn't seemed very concerned about fixing. I don't know about your stats, but at my sites 92% of my visitors are IE users so using transparent .png is out of the question. Since that's the main reason why I would use .png, I just don't bother.

Of course, the security issue doesn't exactly make we want to run out and reconsider either!

[butch]

Quote:

Originally Posted by Kent Pribbernow

Six Security Vulnerabilities Found In PNG Graphic Format

This title is a little misleading... the flaws are not the PNG files....

[Montego]

I use Fireworks all of the time, and although its native format is PNG, I always export to gif or jpeg, so not a problem for me. However, the point that someone who does use png on a web page for malicious purposes is disturbing.

"Outlaw" hackers and spammers have certainly screwed up the Internet experience for everyone. Where I work as the webguy, our WAN staff finally had to turn of the ability to ping our servers because of attacks. I work off of our organization's campus so it kind of sucks when I want to do a quick check if I have a problem to see if the server may be down. Thanks, hackers.

[Suhit Gupta]

Quote:

Originally Posted by butch

Quote:

This title is a little misleading... the flaws are not the PNG files....

That is correct. The flaws are not in PNG files, instead they are in the reading libraries. The patches, AFAIK are already out for Redhat. Just do an up2date.

Suhit

[Mojo Jojo]

This afternoon Apple released a software update patch that takes care of this issue. Just an FYI.

http://docs.info.apple.com/article.html?artnum=61798