Image flaws conceal Linux threat

Six vulnerabilities in an open-source image format could allow intruders to compromise computers running Linux and may allow attacks against Windows PCs as well as Macs running OS X.

The security issues appear in a library supporting the portable network graphics (PNG) format, used widely by programs such as the Mozilla and Opera browsers and various email clients. The most critical issue, a memory problem known as a buffer overflow, could allow specially created PNG graphics to execute a malicious program when the application loads the image.

Among the programs that use libPNG and are likely to be affected by the flaws are the Mail application on Apple Computer's Mac OS X, the Opera and internet Explorer browsers on Windows, and the Mozilla and Netscape browsers on Solaris, according to independent security researcher Chris Evans, who discovered the issues. Apple and Microsoft could not immediately be reached for comment. Evans did not test every platform to check which vulnerabilities work, he said.

The most critical vulnerability crashed two open-source browsers, Evans said. "A scarier possibility is targeted exploitation by emailing a nasty PNG to someone who uses a graphical email client to decode" images, he added.

Both Microsoft and Linux have previously had security issues stemming from the PNG format. Eighteen months ago, Microsoft labelled as critical a flaw in how Internet Explorer handled PNG images. More than two years ago, a compression format flaw in Linux allowed PNG images, among other types of data, to crash programs running on the operating system.

A patched version of the PNG library, known as libPNG, can be downloaded from Linux operating-system sellers and the PNG website.

Security information service Secunia gave the vulnerabilities its second-highest rating, highly critical, and warned computer users to watch out.

"The vulnerabilities can be exploited by tricking a computer user into visiting a malicious website or viewing an email with an affected application linked to libPNG," Secunia stated in its advisory on the problems.

The US Computer Emergency Readiness Team, the official computer threat watchdog, released an advisory on the PNG issue on Tuesday and advised companies and individuals to update their systems.