| In This Issue |
Tech Talk News & Articles Reader Q&A Announcements Etcetera
|
| Tech Talk |
Behind the Scenes Look at the PNG Flaw
On December 11, 2002 eEye released an advisory regarding a vulnerability in Internet Explorer’s handling of Portable Network Graphics (PNG) format images (see below). The advisory pointed out that the PNG issue is dangerously exploitable, contradicting Microsoft’s initial assessment and prompting them to upgrade the vulnerability’s risk level to "critical". In this edition of Tech Talk, we explain just what went wrong with IE’s handling of PNG images, as well as the implications of this new breed of attack.
Portable Network Graphics, or PNG, is a method of representing digital images. Designed in 1995, PNG was created with the intent of alleviating a number of problems involved in downloading and displaying pictures from the Web over a slow, possibly error-prone connection. The development of the PNG image format was well thought out and provided for a number of useful graphics features such as transparency and interlacing, attention to error detection (ensuring that the image is downloaded correctly), and compression (representing a lot of data in as small a way as possible, usually by removing redundancies in the data). However, any image format – especially one that provides such a rich set of features – will inherently be complex, and PNG is no exception.
The flaw that was found in Internet Explorer is a likely consequence of that complexity: it lies in the way IE handles improperly compressed image data. As we mentioned above, the point of compression is to "shrink" data. PNG compresses its image data with the deflate algorithm (the same one zlib and gzip use), which shortens redundancies (repeated patterns within the image data) by replacing each repeat with a reference back to an earlier copy: in effect, "copy this many bytes, starting this many bytes back in the data decompressed so far". For example, if the phrase "secure for sure" were to appear in the image data, the second occurrence of the pattern "u-r-e" could be replaced by a reference to the first; written with a shorter stand-in such as '#' for the repeat, the result would be "sec# for s#".
It is important to note that this flaw does not lie in the PNG format itself, but in the way Microsoft's programmers implemented its decompression within their applications. A decoder has to make sure that every such back-reference points into data it has already decompressed and that the copy stays inside the buffer the decoder owns. Internet Explorer's decoder instead honoured an improper pattern-repeat instruction rather than rejecting the image, so the copy reached heap memory outside the image buffer and overwrote data the browser relies on with bytes chosen by the image's author. The end result: an attacker can craft a malicious image file that takes over a victim's computer whenever he or she views it in Internet Explorer or in any application that embeds IE's rendering engine.
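To make the missing check concrete, here is an added example written for this page; it is not eEye's or Microsoft's code and not a real deflate decoder. It expands a constructed two-token stream (literal bytes and "copy len bytes from dist back" references) in the way deflate's pattern repetition works, applies the bounds check a decoder must make before honouring a reference, accepts the overlapping reference that a correct decoder must still handle, and rejects a hostile reference of the kind described above. The token layout, the GOOD/OVERLAP/HOSTILE byte strings and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy token stream, constructed for this example (NOT real deflate/zlib framing):
 *   0x00 <byte>           emit one literal byte
 *   0x01 <len> <dist>     copy <len> bytes starting <dist> bytes back in the output
 * Deflate expresses repeats the same way, as Huffman-coded (length, distance) pairs
 * that refer back into data already decompressed. */
enum { TOK_LIT = 0x00, TOK_REF = 0x01 };

/* The check a decoder must make before honouring a back-reference.
 * produced = bytes already written to out[]; outcap = capacity of out[]. */
int backref_ok(size_t produced, size_t outcap, unsigned len, unsigned dist)
{
    if (dist == 0 || dist > produced)     /* reaches before the start of our own output */
        return 0;
    if (len > outcap - produced)          /* would run past the end of the buffer */
        return 0;
    return 1;
}

/* Expand tokens into out[]. Returns bytes produced, or -1 on a malformed stream.
 * checked == 0 reproduces the bug class: dist and len are trusted, so a reference
 * that points outside out[] reads and writes heap memory around the buffer. Never
 * run that mode on untrusted input; it is here only to mark the missing check. */
long expand(const uint8_t *in, size_t inlen, uint8_t *out, size_t outcap, int checked)
{
    size_t ip = 0, op = 0;
    while (ip < inlen) {
        uint8_t tok = in[ip++];
        if (tok == TOK_LIT) {
            if (ip >= inlen || op >= outcap) return -1;
            out[op++] = in[ip++];
        } else if (tok == TOK_REF) {
            if (ip + 1 >= inlen) return -1;
            unsigned len = in[ip++];
            unsigned dist = in[ip++];
            if (checked && !backref_ok(op, outcap, len, dist)) return -1;
            /* Byte by byte, so dist < len (run-length style overlap) expands as intended. */
            for (unsigned i = 0; i < len; i++, op++)
                out[op] = out[op - dist];
        } else {
            return -1;                    /* unknown token */
        }
    }
    return (long)op;
}

/* "secure for sure": literals for "secure for s", then copy 3 bytes from 9 back ("ure"). */
static const uint8_t GOOD[] = {
    0,'s',0,'e',0,'c',0,'u',0,'r',0,'e',0,' ',0,'f',0,'o',0,'r',0,' ',0,'s', 1,3,9 };
/* Overlapping reference: 'a' then copy 3 bytes from 1 back -> "aaaa" (legal, must work). */
static const uint8_t OVERLAP[] = { 0,'a', 1,3,1 };
/* Hostile stream: one literal, then a reference 200 bytes back when only 1 byte exists. */
static const uint8_t HOSTILE[] = { 0,'A', 1,255,200 };

int demo_good(void)
{
    uint8_t buf[64];
    long n = expand(GOOD, sizeof GOOD, buf, sizeof buf, 1);
    return n == 15 && memcmp(buf, "secure for sure", 15) == 0;
}

int demo_overlap(void)
{
    uint8_t buf[64];
    long n = expand(OVERLAP, sizeof OVERLAP, buf, sizeof buf, 1);
    return n == 4 && memcmp(buf, "aaaa", 4) == 0;
}

int demo_hostile_rejected(void)
{
    uint8_t buf[64];
    return expand(HOSTILE, sizeof HOSTILE, buf, sizeof buf, 1) == -1;
}

int main(void)
{
    printf("valid stream decodes:        %s\n", demo_good() ? "yes" : "no");
    printf("overlapping reference works: %s\n", demo_overlap() ? "yes" : "no");
    printf("hostile reference rejected:  %s\n", demo_hostile_rejected() ? "yes" : "no");
    return 0;
}
```

Compile with any C compiler and run it. The single line inside backref_ok comparing dist against produced is the whole difference between a decoder that rejects the hostile stream and one that copies from wherever the attacker's distance lands; the checked == 0 path is never called and exists only to show where that guard belongs.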
First and foremost, we recommend that you install Microsoft's patch for this issue to protect your networks from malicious PNG files. There is, however, a much larger threat implied by this discovery. As far as we know, this PNG exploit is the first time an image has been capable of carrying malicious instructions to a computer and causing their execution through a flaw in the normal operation of the web browser. This raises two serious questions: Will other image flaws be discovered in the future? And can you protect yourself from such an attack? In both cases, the answer is most likely "yes". As we mentioned, images are a complex type of file, and it is likely that programmers will continue to make mistakes in handling them.
Vulnerabilities of this type are very serious because browsers render images automatically, with no action on the user's part, so a harmful image affects an unpatched machine the moment the page is displayed; yet users simply cannot afford to disable image viewing on today's web. However, as long as affected vendors and security researchers both continue to act responsibly, standard security practice will be effective against image-borne attacks as well. We recommend that you apply patches consistently as soon as they are released, and avoid opening material from untrusted sources. Even as a fast, direct, and high-impact attack vector, malicious images are only as effective as the target is vulnerable.
Derek Soeder, Software Engineer, eEye Digital Security |
| News & Articles |
The following articles represent the opinions of their respective authors. They do not necessarily represent the opinions of eEye Digital Security.
eWeek - A Look Back: Top 10 Tech Stories of 2002
"If 2001 was a year of cataclysm and change, 2002 was about looking for—and in some cases finding—closure on events that dominated the previous year. IT and government officials refined their view of networking and computing infrastructures through the filter of potential terrorism; Microsoft Corp. and Hewlett-Packard Co. shed some of the uncertainty that weighed them down the previous year; and, with many enterprises still working off the IT spending binge of the past, consolidation continued unabated, and investments in IT remained slow." Full Article
Business Week - Toward a More Secure 2003
"2003 will surely pose some pretty daunting challenges to chief security officers and the organizations they protect. At the same time, improvements in software and technology will elevate computer security to another level." Full Article
eWeek - Job: Security
"Available now: IT jobs with rising pay, good benefits and plenty of opportunity for career advancement. To professionals struggling through the tech downturn, this might sound very last-century, but it could be the not-too-distant future for IT security specialists." Full Article
eWeek - Yaha Worm Spreads Beyond Middle East
"A new variant of the Yaha worm, discovered last week in several Middle Eastern countries, has begun spreading more rapidly and widely, anti-virus experts say. Yaha.K is a mass-mailing worm and propagates through e-mail, using its own built-in SMTP engine. It can also retrieve addresses from Yahoo Messenger, MSN Messenger and .Net Messenger Service directories. The worm also is designed to launch a denial-of-service attack against a target server in Pakistan." Full Article |
| Reader Q&A |
Q: I already use a non-commercial vulnerability scanner. What would be the benefit of using a commercial network scanner as well?
A: Commercial scanners have the benefit of being backed by R&D teams that offer consistent and timely check updates, and reliable technical support and response. Non-commercial offerings are typically only supported and updated in the spare time of the primary author. While non-commercial scanners sometimes have a larger developer base, code contributions vary greatly in quality and accuracy, and the lack of a formalized QA structure sometimes allows less-than-prime code to be submitted into the final scanner offering.
In addition, a vulnerability scanner like eEye's Retina is designed to be non-intrusive to both the network as a whole and to the hosts that make up the network. Some non-commercial scanners allow hostile code to be introduced into their check database that attempts to verify the existence of a vulnerability by exploiting it. While these scanners typically have a "safe" option, sometimes a vulnerability check may be flagged incorrectly, or a check that is normally safe will perform erratically and cause problems in situations that the check's author had not foreseen.
Have a question you would like answered? Send it to versa@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter. |
| Announcements |
Macromedia Shockwave Flash Malformed Header Overflow #2
Severity: High (Remote Code Execution)
There exists a vulnerability within Macromedia's Flash software and its handling of malformed Flash files. Attackers can use this vulnerability to compromise users of Macromedia's Flash software. A corrupt file may be placed on a website or in some cases within an HTML email. Full Article
PNG (Portable Network Graphics) Heap Corruption Vulnerability
Severity: High (Code Execution)
A heap corruption vulnerability exists in the PNG image format as implemented in Microsoft Windows. The "deflate" compression specification allows for the repetition of patterns that occur in the decompressed data. Full Article
eEye Digital Security Obtains $9 Million in Series C Funding
Insight Venture Partners led the investment round.
"Since its founding, eEye has succeeded in delivering a portfolio of best-of-breed security software while maintaining profitable and growing operations," said Marwan Naja, Co-CEO and CFO of eEye. "The investment partnership with Insight provides eEye with the means to more aggressively grow our sales delivery to large enterprises, expand our global coverage to better serve our larger clients and to grow our product base as well."
The Series C funding will be applied towards accelerating the ongoing growth of the company's operations, expanding product development infrastructure, building alternative distribution channels, as well as increasing the existing customer base. http://www.eeye.com/html/Press/PR20021209.html Full Article |
| Etcetera |
Net Security: Steady as She Goes
Robert Lemos interviews Dorothy Denning about the future of Internet security. "This widely quoted Georgetown University professor of computer science was once dubbed the 'Clipper Chick' because of her vocal support of the controversial Clipper encryption proposal. That policy measure, which was ultimately scuttled, would have allowed the U.S. government access to keys that could decipher any message encoded by the system." More
One Man's Info War on al-Qaida
In a case that shows both the risks and rewards of vigilante tactics, an American man has hijacked two Web addresses apparently used by al-Qaida to laud terrorist attacks. More |
HOW TO SUBSCRIBE
To subscribe to this and other eEye newsletters, please visit: http://www.eeye.com/html/resources/newsletters/subscribe.html
FEEDBACK
The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to versa@eeye.com.
DISCLAIMER
The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
NOTICE
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email versa@eeye.com for permission. |