Image flaw pierces PC security

Six vulnerabilities in an open-source image format could open the doors to intruders.

Stay on top of the latest tech news with our free IT News Digest e-newsletter, delivered each weekday. Automatically sign up today!

By Robert Lemos

Six vulnerabilities in an open-source image format could allow intruders to compromise computers running Linux and may allow attacks against Windows PCs as well as Macs running OS X.

The security issues appear in a library supporting the portable network graphics (PNG) format, used widely by programs such as the Mozilla and Opera browsers and various e-mail clients. The most critical issue, a memory problem known as a buffer overflow, could allow specially created PNG graphics to execute a malicious program when the application loads the image.

Among the programs that use libPNG and are likely to be affected by the flaws are the Mail application on Apple Computer's Mac OS X, the Opera and Internet Explorer browsers on Windows, and the Mozilla and Netscape browsers on Solaris, according to independent security researcher Chris Evans, who discovered the issues. Apple and Microsoft could not immediately be reached for comment. Evans did not test every platform to check which vulnerabilities work, he said.

The most critical vulnerability crashed two open-source browsers, Evans said. "A scarier possibility is targeted exploitation by e-mailing a nasty PNG to someone who uses a graphical e-mail client to decode" images, he added.

More IT news stories
Free corporate Linux set for test phase
Malicious program aims for Pocket PCs
Google IPO: No longer a sure thing?
Sony's PS3 to use Blu-ray Disc

Both Microsoft and Linux have previously had security issues stemming from the PNG format. Eighteen months ago, Microsoft in how Internet Explorer handled PNG images. More than two years ago, a , among other types of data, to crash programs running on the operating system.

A patched version of the PNG library, known as libPNG, can be downloaded from Linux operating-system sellers and .

Security information service Secunia gave the vulnerabilities its second-highest rating, highly critical, and warned computer users to watch out.

"The vulnerabilities can be exploited by tricking a computer user into visiting a malicious Web site or viewing an e-mail with an affected application linked to libpng," Secunia stated in .

The , the nation's official computer threat watchdog, released an advisory on the PNG issue on Tuesday and advised companies and individuals to update their systems.