TalkBack 11 of 50:
Extremely Simple. . .
One word, buffer overflow. Anything whether it is a text file, database, executable, image, protocol request string to a port, etc. needs to be read into whatever program or OS function necessary to work with it.

If you do a really stupid job on the routine that does that necessary little piece of work, you are essentially trying to cram 10 lbs of poop into a 5 lb. bag and when it splits the seams, bad things happen.

It can merely crash the machine. In certain situations, it can be used to insert executable code which then runs on your system just like you clicked on an icon or ran a command on the console (Code Red, Nimda, Blaster were all good examples of this, and they weren't even files, just little bits of code sent to a port, in one case what was just supposed to be a 1 bit flag that the programmer forgot to sanitize and dump anything more than one bit).

Even if it is a problem with Metadata within the file, it still comes down to buffer overflow problems with the parsing routine that reads that metadata. We saw this with an MP3 Tags exploit that happened a while back.

Keep in mind that no matter what the ABM/NBM crowd says, yes they are one and the same (each wants to define black=white) if you read their posts, this stuff is all highly complex, designed by humans that are tired, distracted, or just plain lazy or stupid and stuff happens. All software is flawed, you just get to choose your poison and frustration type. The open source crowd has the excuse of limited funding and perhaps lack of expertise. The closed source crowd has the excuse of well, code reuse (someone else originally created the routine, no one checked), too much funding and not enough care.
Posted by: boomslang_z   Posted on: 08/07/04
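
The metadata-parsing case described in the post above, as an added example that is not part of the original post or thread: a C reader for a constructed length-prefixed tag record, with the unchecked copy next to a bounds-checked one. The record layout, `TITLE_MAX`, and both function names are assumptions made for illustration, not any real tag format or library.

```c
#include <stddef.h>
#include <string.h>

#define TITLE_MAX 16  /* fixed-size destination (hypothetical limit) */

/* Constructed record layout (hypothetical, not a real tag format):
 * byte 0 = declared text length, bytes 1..n = text, no terminator. */

/* Unsafe form: trusts the length byte taken from the file. A declared
 * length above TITLE_MAX - 1 writes past the end of `title`. */
int read_title_unchecked(const unsigned char *rec, char title[TITLE_MAX])
{
    size_t n = rec[0];
    memcpy(title, rec + 1, n);   /* no comparison against TITLE_MAX */
    title[n] = '\0';
    return (int)n;
}

/* Hardened form: validates the declared length against both the
 * destination size and the number of bytes actually available. */
int read_title_checked(const unsigned char *rec, size_t rec_len,
                       char title[TITLE_MAX])
{
    if (rec_len < 1)
        return -1;               /* no length byte at all */
    size_t n = rec[0];
    if (n > TITLE_MAX - 1)
        return -1;               /* would overflow title */
    if (n > rec_len - 1)
        return -1;               /* claims more than the input holds */
    memcpy(title, rec + 1, n);
    title[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed samples: one well-formed, one with an oversized length. */
    const unsigned char ok[]  = { 5, 'h', 'e', 'l', 'l', 'o' };
    const unsigned char bad[] = { 200, 'A', 'A', 'A', 'A' };
    char title[TITLE_MAX];
    int r1 = read_title_checked(ok, sizeof ok, title);    /* accepted */
    int r2 = read_title_checked(bad, sizeof bad, title);  /* rejected */
    return (r1 == 5 && r2 == -1) ? 0 : 1;
}
```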
