Problems Found in Graphics Library, Mozilla, and PDAs

Graphic Library Buffer Overflow Vulnerability

Secunia warned of a “highly critical” vulnerability in libpng 1.x that can lead to denial-of-service and remote system access.

“The vulnerabilities are caused due to NULL pointer dereference errors and boundary errors within various functions when processing PNG files. Some of these can be exploited to cause stack-based buffer overflows via specially crafted PNG files,” says Secunia.

libpng, notes CERT, is “a popular reference library available for application developers to support the PNG image format.” PNG, an alternative graphics format to JPEG and GIF files, is most commonly seen on Web pages or in HTML e-mails.

To attack a computer, an attacker must trick a user into visiting a malicious Web site, or into viewing a specially crafted e-mail in an application that uses libpng. According to CERT, introducing “a malformed PNG image to a vulnerable application could cause the application to crash or could potentially execute arbitrary code with the privileges of the user running the affected application.”

The libpng vendor released a patch. Users can also upgrade to version 1.2.6rc1 or 1.0.16rc1.

A number of applications are affected, including Debian, Fedora, Mandrake, Red Hat, and SuSE. Mozilla released Mozilla 1.7.2, Firefox 0.9.3, and Thunderbird 0.7.3 to patch the relevant vulnerability.
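As an illustration of what "malformed" means at the file-format level, the following added example (not code from this article, Secunia, CERT, or libpng) checks a PNG's chunk layout before it reaches a decoder, for instance at a mail or Web gateway. The function names and sample bytes are constructed for this example, and the check covers structure only, so it is no substitute for the patched library.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PNG_MAX_INT = 2**31 - 1  # PNG limit for chunk lengths and image dimensions

def check_png_structure(data: bytes) -> list:
    """Return a list of structural problems; an empty list means the layout is sane."""
    if data[:8] != PNG_SIGNATURE:
        return ["bad signature"]
    problems, offset, seen_iend = [], 8, False
    while offset < len(data):
        if seen_iend:
            problems.append("data after IEND")
            break
        if len(data) - offset < 12:  # length + type + CRC is the smallest chunk
            problems.append(f"truncated chunk at offset {offset}")
            break
        length, ctype = struct.unpack(">I4s", data[offset:offset + 8])
        if length > PNG_MAX_INT or length > len(data) - offset - 12:
            problems.append(f"chunk {ctype!r} declares {length} bytes, more than the file holds")
            break
        body = data[offset + 8:offset + 8 + length]
        (crc,) = struct.unpack(">I", data[offset + 8 + length:offset + 12 + length])
        if zlib.crc32(ctype + body) != crc:  # CRC covers the type and the data
            problems.append(f"chunk {ctype!r} CRC mismatch")
        if offset == 8 and ctype != b"IHDR":
            problems.append("first chunk is not IHDR")
        if ctype == b"IHDR" and length != 13:
            problems.append("IHDR length is not 13")
        elif ctype == b"IHDR":
            width, height = struct.unpack(">II", body[:8])
            if not (0 < width <= PNG_MAX_INT and 0 < height <= PNG_MAX_INT):
                problems.append("IHDR width/height out of range")
        seen_iend = ctype == b"IEND"
        offset += 12 + length
    if not seen_iend and not problems:
        problems.append("missing IEND")
    return problems

def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Build a well-formed chunk (used only for the constructed samples below)."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed samples: a minimal valid layout, and one whose length field overruns the file.
IHDR = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
GOOD = PNG_SIGNATURE + IHDR + make_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + make_chunk(b"IEND", b"")
BAD = PNG_SIGNATURE + IHDR + struct.pack(">I", 0x7FFFFFF0) + b"tEXt" + b"short" + b"\x00" * 4
```

A file that fails any of these checks can be quarantined without ever being parsed by the image library.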

Mozilla XUL Vulnerability

All versions of Mozilla up to 1.7.2, and Firefox up to 0.9.2, are also affected by an XUL [XML User Interface Language] vulnerability.

Secunia rates the problem as “moderately critical” and says “the problem is that Mozilla and Mozilla Firefox don’t restrict Web sites from including arbitrary, remote XUL files.” Mozilla uses XUL to build its user interface. As a result of the vulnerability, an attacker can “hijack” much of the user interface—including toolbars, SSL certificate dialog, address bar—and control what the user sees.

A proof-of-concept exploit that pretends to be an SSL-secured PayPal Web site has been released.

Mozilla released new versions of affected software with the vulnerability patched. Until users patch, Secunia recommends they do not follow untrusted links.

First Trojan PPC Program Spotted

Antivirus provider Kaspersky Labs says the Pocket PC operating system, widely used for PDAs, is vulnerable to its first Trojan backdoor program, called Backdoor.WinCE.Brador.a.

Brador, says Kaspersky, is “a classic Trojan backdoor program” in that it allows uninhibited remote administration of the infected machine.

The Trojan must arrive as an e-mail attachment to the PDA, be uploaded from an attached computer, or be downloaded from the Internet onto the PDA.

An infected PDA contains the svchost.exe file in the PDA’s Windows autorun folder, which allows the program to restart every time the PDA is activated. The program also transmits the PDA’s IP address to the program’s author, opens port 44299, and awaits instructions. The program is able to execute commands and upload or download files.

“We were certain that a viable malicious program for PDAs would appear soon after the first proof of concept viruses emerged for mobile phones and Windows Mobile,” says Eugene Kaspersky, head of antivirus research at Kaspersky Labs. “WinCE.Brador.a is a full-scale malicious program ready to go. Unlike proof-of-concept malware, Brador has a complete set of destructive functions typical for backdoors.”

Kaspersky believes Brador to be the work of Russian hackers, since it first detected the Trojan attached to an e-mail, written in Russian and from a Russian address, soliciting buyers for an application able to control Brador-infected PDAs.

Related Article:

Windows Mobile Gets Proof of Concept Virus

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.