
UNIRAS ALERT - 17/05 - NISCC Vulnerability Advisory 891011/NISCC/IMAGEFORMATS



 
----------------------------------------------------------------------------------
      UNIRAS (UK Govt CERT) ALERT - 17/05 dated 14.06.05  Time: 13:00
 UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
----------------------------------------------------------------------------------
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
----------------------------------------------------------------------------------

Title
=====
NISCC Vulnerability Advisory 891011/NISCC/IMAGEFORMATS


Detail
====== 

 
NISCC Vulnerability Advisory 891011/NISCC/IMAGEFORMATS

Vulnerability Issues with the Parsing of Various Image Formats by Web
Browsers

Version Information
-------------------
Advisory Reference    891011/NISCC/IMAGEFORMATS
Release Date          14 June 2005
Last Revision         14 June 2005
Version Number        1.0

Acknowledgement
---------------
These issues were identified using the Images Test Tool developed by
Codenomicon Ltd.

What is affected?
-----------------
The vulnerabilities described in this advisory affect several major web
browsers and their interaction with various image formats.

Please note that the information contained within this advisory is subject
to change. All subscribers are therefore advised to regularly check the
NISCC website for updates to this notice.

Impact
------
If exploited, these vulnerabilities could cause a variety of outcomes; the
exact behaviour will depend on which web browser is used. One behaviour
that is common amongst the browsers, however, is that some of the image
formats have been able to cause them to terminate abnormally.

Severity 
--------
The severity of this vulnerability varies by vendor; please see the
'Vendor Information' section below for further information. Alternatively,
contact your vendor for product-specific information.

Summary
-------
The Image Test Tool developed by Codenomicon is based on the robustness
testing method originally devised in the PROTOS project, a joint applied
research project between the University of Oulu and VTT Electronics
[PROTOS]. This robustness testing method is based on the systematic
creation of a large number of protocol messages containing exceptional
elements that simulate malicious attacks.

The tool is intended to be used for analysing the security and robustness
of image format handling routines in operating systems, shared libraries
and standalone graphics applications by feeding the tested implementation
with various carefully crafted malformed images.

NISCC have used the tool against several web browsers and have found that
all are affected in varying ways by various crafted malformed images.

All users of applications that support images are recommended to take note
of this advisory and carry out any remedial actions suggested by their
vendor(s).

[Please note that revisions to this advisory will not be notified by email.
All subscribers are advised to regularly check the NISCC website
(http://www.niscc.gov.uk/niscc/vulnAdv-en.html) for updates to this
notice.]

Details
-------
Image format handling routines exist in most modern GUI-based devices; not
only are they implemented so that the user can view and manipulate
pictures, drawings and other image files, but images are also widely used
as icons, backgrounds, widgets and other GUI elements. This means that
image formats permeate every aspect of any GUI-based operating system or
application.

The Image Test Tool used covers the following image formats:

* GIF87a (GIF)
* Microsoft icon resource (ICO)
* WAP-Forum Wireless bitmap (WBMP)
* X Consortium X Bitmap (XBM)

All feasible fields inside the image format data files are anomalized with
values that have been deemed most likely to locate robustness shortcomings
in the tested image format implementation. The aim is to trigger various
types of errors in the tested implementation; this includes vulnerabilities
such as:

* Buffer overflow
* Format string vulnerability
* Memory allocation bomb
* Resource allocation problems
* Missing validity checks
* Busy loops and deadlocks
* Recursion failures

Applying such crafted images to web browsers has varying effects; however,
one common outcome was the abnormal termination of the application when
certain images were supplied to it.
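
The kind of validity checking whose absence the list above describes,
shown for GIF87a as an added example (not part of the NISCC advisory or of
the Codenomicon tool). The function name, the MAX_PIXELS budget and the
strict rule that the first block must be an image descriptor lying inside
the canvas are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_PIXELS (16u * 1024u * 1024u)  /* assumed decode budget, not from the advisory */

enum gif_status { GIF_OK, GIF_TRUNCATED, GIF_BAD_SIG, GIF_BAD_DIM, GIF_TOO_BIG, GIF_BAD_FRAME };

static uint32_t le16(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8); }

/* Check signature, logical screen descriptor, global colour table and the
 * first image descriptor before any pixel buffer is allocated. */
enum gif_status gif87a_precheck(const uint8_t *buf, size_t len)
{
    if (len < 13) return GIF_TRUNCATED;               /* 6-byte signature + 7-byte descriptor */
    if (memcmp(buf, "GIF87a", 6) != 0) return GIF_BAD_SIG;
    uint32_t w = le16(buf + 6), h = le16(buf + 8);
    if (w == 0 || h == 0) return GIF_BAD_DIM;         /* zero-sized canvas */
    if ((uint64_t)w * h > MAX_PIXELS) return GIF_TOO_BIG;  /* memory allocation bomb */
    size_t off = 13;
    if (buf[10] & 0x80) {                             /* global colour table flag */
        size_t gct = (size_t)3 << ((buf[10] & 0x07) + 1);  /* 3 bytes per entry */
        if (len - off < gct) return GIF_TRUNCATED;    /* table runs past end of file */
        off += gct;
    }
    if (len - off < 10) return GIF_TRUNCATED;         /* separator + 9-byte image descriptor */
    if (buf[off] != 0x2C) return GIF_BAD_FRAME;       /* strict: image descriptor must come first */
    uint32_t left = le16(buf + off + 1), top = le16(buf + off + 3);
    uint32_t fw = le16(buf + off + 5), fh = le16(buf + off + 7);
    if (fw == 0 || fh == 0) return GIF_BAD_FRAME;
    if (left + fw > w || top + fh > h) return GIF_BAD_FRAME;  /* frame outside canvas */
    return GIF_OK;
}

/* Constructed sample inputs (headers only, no pixel data). */
static const uint8_t sample_ok[]    = { 'G','I','F','8','7','a', 4,0, 4,0, 0,0,0,
                                        0x2C, 0,0, 0,0, 4,0, 4,0, 0 };
static const uint8_t sample_bomb[]  = { 'G','I','F','8','7','a', 0xFF,0xFF, 0xFF,0xFF, 0,0,0 };
static const uint8_t sample_frame[] = { 'G','I','F','8','7','a', 4,0, 4,0, 0,0,0,
                                        0x2C, 2,0, 0,0, 4,0, 4,0, 0 };

int main(void)
{
    return !(gif87a_precheck(sample_ok, sizeof sample_ok) == GIF_OK &&
             gif87a_precheck(sample_bomb, sizeof sample_bomb) == GIF_TOO_BIG &&
             gif87a_precheck(sample_frame, sizeof sample_frame) == GIF_BAD_FRAME);
}
```

A decoder that runs such a precheck and rejects on any non-OK status never
sizes a buffer from unchecked header fields.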

Mitigation
----------
Patch all affected implementations.

Solution
--------
Please refer to the 'Vendor Information' section of this advisory for
platform-specific remediation.

Vendor Information
------------------
A list of vendors affected by this vulnerability is not currently
available. Please visit the web site at
http://www.niscc.gov.uk/niscc/vulnAdv-en.html in order to check for
updates.

Credits
-------
The NISCC Vulnerability Team would like to thank Codenomicon Ltd for
providing NISCC with the Image Test Tool and for allowing NISCC to use it
to identify affected products.

The NISCC Vulnerability Team would also like to thank the vendors for
their co-operation in the handling of this vulnerability.

Contact Information
-------------------
The NISCC Vulnerability Management Team can be contacted as follows:

Email      vulteam@xxxxxxxxxxxx
           Please quote the advisory reference in the subject line

Telephone  +44 (0)870 487 0748 Ext 4511
           Monday - Friday 08:30 - 17:00

Fax        +44 (0)870 487 0749

Post       Vulnerability Management Team
           NISCC
           PO Box 832
           London
           SW1P 1BG

We encourage those who wish to communicate via email to make use of our
PGP key. This is available from
http://www.niscc.gov.uk/niscc/publicKey2-en.pop.

Please note that UK government protectively marked material should not be
sent to the email address above.

If you wish to be added to our email distribution list please email your
request to uniras@xxxxxxxxxxxxx
 
What is NISCC?
--------------
For further information regarding the UK National Infrastructure Security
Co-ordination Centre, please visit http://www.niscc.gov.uk.

Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by NISCC. The views and
opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

Neither shall NISCC accept responsibility for any errors or omissions
contained within this advisory. In particular, they shall not be liable
for any loss or damage whatsoever, arising from or in connection with the
usage of information contained within this notice.

© 2005 Crown Copyright
<End of NISCC Vulnerability Advisory>



----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of NISCC Vulnerability Team for
the information contained in this Briefing.
----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some
of the information may have changed since it was released. If the vulnerability
affects you, it may be prudent to retrieve the advisory from the canonical site
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply
its endorsement, recommendation, or favouring by UNIRAS or NISCC. The views
and opinions of authors expressed within this notice shall not be used for
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they shall
not be liable for any loss or damage whatsoever, arising from or in connection
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its
members and the community at large.
----------------------------------------------------------------------------------
<End of UNIRAS Briefing>



______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________
