
Photoshop file threat emerges


Just when you thought it was safe to do something online, an example emerges that shows there can be dangerous vulnerabilities in virtually any application. I'm discussing this Photoshop file threat not because I think it will become some massive security threat to a lot of users but simply as an example that ANYTHING connected with computers can turn around and bite you where it hurts.

I bet very few of you have ever given a thought to how Photoshop could be used to compromise your system. However, FrSIRT recently published information about a remotely exploitable PNG file handling code execution threat in Adobe Photoshop and Photoshop Elements. According to the report, a buffer overflow error that occurs when opening a malformed PNG image can lead to a DoS event or a complete system compromise.
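To show the bug class the advisory describes, here is an added example (not Adobe's code and not from the original post): a toy PNG chunk reader in C, with the unchecked copy that trusts the file's length field beside a version that validates every bound before copying. The chunk-size cap, the sample chunk bytes and the placeholder CRCs are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Toy PNG chunk reader, constructed for this post; not Adobe's code.
   A PNG chunk is: 4-byte big-endian length, 4-byte type, <length> bytes of
   data, 4-byte CRC. The length field is attacker-controlled file data. */
#define MAX_CHUNK_DATA 1024u  /* assumed cap for this toy reader; PNG allows up to 2^31-1 */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The bug class in the advisory: the declared length is trusted and drives a
   copy into a fixed buffer. A malformed file with a huge length overruns `out`. */
void copy_chunk_unsafe(const uint8_t *file, uint8_t *out) {
    memcpy(out, file + 8, be32(file));
}

/* Hardened reader: every bound is checked before the copy.
   Returns the data length, or -1 if the chunk is malformed. */
int copy_chunk_checked(const uint8_t *file, size_t file_len,
                       uint8_t *out, size_t out_len, char type[5]) {
    if (file_len < 12) return -1;            /* length + type + CRC minimum */
    uint32_t len = be32(file);
    if (len > MAX_CHUNK_DATA) return -1;     /* reject absurd lengths outright */
    if (len > out_len) return -1;            /* would overflow the caller's buffer */
    if (len > file_len - 12) return -1;      /* declared length exceeds bytes present */
    memcpy(type, file + 4, 4);
    type[4] = '\0';
    memcpy(out, file + 8, len);
    return (int)len;
}

/* Constructed samples (CRC bytes are placeholders, not real CRCs). */
static const uint8_t ihdr_ok[25] = {
    0, 0, 0, 13, 'I', 'H', 'D', 'R',
    0, 0, 1, 0, 0, 0, 1, 0, 8, 2, 0, 0, 0,   /* 256x256, 8-bit RGB */
    0xDE, 0xAD, 0xBE, 0xEF };
static const uint8_t huge_len[25] = {
    0xFF, 0xFF, 0xFF, 0xFF, 'I', 'D', 'A', 'T',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t truncated[16] = {
    0, 0, 0, 100, 'I', 'D', 'A', 'T', 1, 2, 3, 4, 5, 6, 7, 8 };

int demo_valid(void)     { uint8_t b[64]; char t[5]; return copy_chunk_checked(ihdr_ok, sizeof ihdr_ok, b, sizeof b, t); }
int demo_huge(void)      { uint8_t b[64]; char t[5]; return copy_chunk_checked(huge_len, sizeof huge_len, b, sizeof b, t); }
int demo_truncated(void) { uint8_t b[64]; char t[5]; return copy_chunk_checked(truncated, sizeof truncated, b, sizeof b, t); }
```

The well-formed IHDR chunk is accepted with its 13 data bytes, while the chunk claiming 0xFFFFFFFF bytes and the chunk whose declared length exceeds the bytes actually present are both rejected before any copy happens.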

I use Photoshop but never open anyone else's image files. What this report does for me is remind me that there can be threats anyplace -- and that I shouldn't become complacent just because I have solid antivirus software and a good firewall.

Are there applications or protocols that you never give a second thought to when it comes to security?

Some major apps, mostly Microsoft Office components and their files, are probably on everyone's security radar. We all know that there are a lot of hidden vulnerabilities in the files generated by these applications (mostly the macros Microsoft so thoughtfully included that make Office files so dangerous). And all of us who hope to keep our security jobs watch for new browser threats, even in the more secure browsers such as Firefox. 

Another type of file threat that shows up pretty often in vulnerability lists is tied to Adobe Acrobat, so I bet you keep an eye on new developments there as well. But do you pay attention to threats beyond the big ones: operating systems, office apps, browsers, and perhaps Acrobat?

Just as UNIX and Macintosh operating systems will face a growing number of threats as Windows becomes more secure and other operating systems become more popular (and thus more attractive targets to hackers), so too will the more thoughtful attackers turn to applications that seldom get mentioned in security alerts.

Think about it for a minute: If you really wanted to compromise some corporate system, would you pick a malware attack vector when most big targets regularly update antivirus software? Or would you turn to some application that very few IT departments pay any attention to -- like Photoshop?

What about your security plan? Does it include a mechanism for monitoring such unusual attack vectors -- particularly newly discovered vulnerabilities that you'll need to warn users about and patch when one becomes available? Or do you simply watch for new browser and operating system threats and let it go at that?

Do you even know which applications and versions your users may have installed so you CAN set up a comprehensive threat monitoring system? I want to hear from you -- share your opinions.

Am I getting TOO paranoid? Or are you not being paranoid enough? After all, being paranoid enough is what we're being paid for, isn't it?

11 comments
tundraroamer

Then John and a whole lot of others would be out of a job! If you drive a car and do so safely each and every time, it does not mean you will never be in an accident. Odds are that someone will hit you eventually. Same for software programs. Use the "safest" software you can while wearing latex body armor and you will still have some sort of issue. Your only safe choice is to never connect to the internet or upload anything after you install all software. It's like buying a car and putting it in your garage. Nice to have but not practical. Good gas mileage however. Protect the best you can and move on. Don't buy cruddy software from a company without deep pockets that can't fix anything that comes up. Yes, that limits your choices and may prevent smaller companies from really selling a better product. But it offers some stability in your choices. Granted, M$ has made a mess of it and hopefully their successor won't make the same mistakes, whoever they are. At least, not for a while anyway they won't. My point is there are risks to take in user networked computers. Mitigate the problems best you can; restrict as much as possible without strangling the business needs. And don't lose any sleep over it. Just wait for John to solve the next problem!

Tig2

Just when you thought that you thought of everything, here's a new threat to keep you up at night. From a security standpoint, I don't think that we are ever paranoid enough. But this article gives me pause. What else out there is exploitable and how is it being exploited? Photoshop. Sheese! But now I wonder what else I am missing. Does a program have to be a retail platform to be vulnerable? Could my home-grown apps also be in danger? If so, to what extent? I know that stress testing an app for vulnerability hasn't been an element of QA thus far. I am getting the feeling that it may need to be. Good article. Send sleeping tablets. I can pretty much guarantee that I will be losing sleep on this.

Dr Dij

I'm going into a rage. How can programs be written in this day and age when you can avoid buffers easily, that do this!!!??? @#!@#$(*&%@#$(%|+_!@#$%!!! Strangle, choke "you little ..." The sad state of software today. Oh well, I'm already back from a shooting rampage on Saturday. Guess I'll have to calm down. 777 pix at one show and 767 pix at another. Still, Adobe is not the primary PNG handler for IE so I'm not sure an infection from this could ever happen unless you download the image first and open it in Photoshop?

Tech Locksmith

Absolutely! Mr. Gates has made me a LOT of money over the years and I have never owned a single share of Mr. Softie stock! As I often point out, if computers worked, we wouldn't have to.

Tech Locksmith

What with sleeping tablets now shown to cause sleep driving, perhaps they also cause SLEEP CODING!! Seriously though, I strongly suspect your home-grown code has vulnerabilities. Not that I know you or have any idea how good or bad a programmer you are. No, the problem with most code is in the libraries. No matter how careful you are, if you use anything except pure machine language you are probably calling ancient code from libraries and you don't even know how old it is! That's actually the cause of a lot of these threats, even a lot of Microsoft's security problems - not just their own legacy code, but the underlying libraries without which very little software would ever get developed. Try Scotch, at least you won't drive in your sleep! BTW Tigger - I raise and rescue mini donkeys so I would never poo-poo your ideas.

rkuhn040172

"Could my home-grown apps also be in danger?" Absolutely, and possibly even a greater risk. My friends and I have been known to write a good amount of code and while we are ok programmers, that's about where our specialty stops. I can guarantee someone that there are no obvious threats given my networking background, but that's just the tip of the iceberg.

Why Me Worry?

Not to say that our own domestic coders aren't capable of such screw ups, but more crappy code comes out of foreign outsourced coders than from our own domestic folks. I wouldn't be surprised if they do this intentionally to be spiteful or because those so called "coders" have a sinister hacker side to themselves.

PrinceGaz

No matter how well you include validation in your own code to ensure that no inputted data could possibly result in overwriting even a single byte beyond where it is permitted, you are always dependent on the underlying libraries being similarly robust (unless of course you program totally in assembler, and very few of us do that these days) and unfortunately some of the programmers who wrote those library functions were not as conscientious as us. The only real solution is to hope that the included functions are as thoroughly checked as our own code, and there is no way to guarantee that will happen when we rely on closed-source third-party compilers. Unfortunately, those closed-source compilers and interpreters are pretty much essential these days so there is not much we can do to ensure our software is genuinely secure once it goes live.

Locrian_Lyric

One of the best known mistakes resulting from doing it on the cheap. I've seen SEVERAL companies take it on the chin from the 'bargain' of outsourcing. Cookie-cutter code, vulnerabilities, stolen data, applications sold to competitors.... It's not spite, but the simple fact that the outsourcers are not the best that the countries have to offer. India, for example, has close ties with the UK. Good Indian programmers work DIRECTLY for companies and not in some IT sweatshop.

Tech Locksmith

If I don't get sidetracked by some more immediate threat, next week I'll post something interesting about how some compilers actually defeat best security programming practices. That story should both shock and amaze but even more it may give you a feeling for how big a challenge the poor programmers face. Feel free to post guesses, but no extra points will be awarded....

Why Me Worry?

My mother-in-law is a mainframe/Cobol programmer on the IBM OS 390 platform. Anyhow, the financial brokerage firm she is working for decided to outsource some of the coding to none other than our "friends" in India. Lo and behold, my mother-in-law was starting to experience all sorts of issues compiling her code and even logging onto the system during critical business hours. When more and more domestic coders like her started experiencing these problems more frequently, an investigation was launched to see what was going on and it was discovered that those coders from India were using the mainframe to compile and run foreign code that had nothing to do with the brokerage itself. They were using so many processing threads to run this that they ended up locking everyone else out of the system. Anyhow, those Indian coders got the boot, but the brokerage was left with unknown financial and most likely intellectual property damages because God only knows what those crooks were up to. Moral of the story: Don't outsource mission critical and proprietary work to 3rd world crapholes with questionable labor and crooked work ethics.
