Vulnerabilities in code libraries that could potentially affect open-source programs using the GUI toolkit GTK+ were reported on the security Web site Secunia on Thursday. As initially discovered by Chris Evans, these problems could theoretically be exploited to spark a DDoS (distributed denial of service) attack and otherwise compromise a computer system.

One vulnerability, which affects BMP image processing in applications, could be taken advantage of to create an infinite loop in the application. This could affect open-source image editors, for example.

Two others stem from handling errors that occur while decoding images in the XPixMap (XPM) format, which was developed in 1989. These vulnerabilities could be exploited by the use of an XPM image to create either an integer or buffer overflow, either of which could allow the execution of malicious code.

One of these library routines, GdkPixBuf, is also used in Gnome 2. Gnome is a Unix and Linux desktop suite and development platform that's used by Sun in some Solaris desktops and in many Linux desktops.

A final vulnerability lies in the decoding of ICO images, which are used to create and display favorites icons ("favicons") for Web sites. It could allow a maliciously crafted ICO image to cause an integer overflow, which could cause the application to crash.

But according to Chris Hofmann, director of engineering at the Mozilla Foundation in Mountain View, Calif., the Firefox browser is not vulnerable to a security breach over the Internet, as was recently reported about Microsoft's Internet Explorer.

Firefox and other browsers based on the open-source Mozilla code base use the affected libraries only for processing images from the user's own computer. These browsers rely on a Mozilla cross-platform image library for decoding images downloaded from the Web.

"The way we treat vulnerabilities, if someone can get to your hard drive, they have the capability to compromise your system in any number of ways," Hofmann said. "The only way for an attack to occur in this case is for someone to get onto your hard drive and put one of these images there and get Firefox to open it." He said all products based on Mozilla technology—which include the Mozilla Suite and Netscape 7.2—exhibit the same security level.

As of this writing, no updated versions of the affected libraries have been released.

Source: http://www.eweek.com/article2/0,1759...119TX1K0000594